Has anyone encountered DEST records in index.dat files? I looked at the source code and docs of open source tools that parse index.dat/MSHIST files and I don't see any reference to DEST records... I ask as I was digging around a memory sample that I generated to look at IE records, and saw this: 0x04517313 a7 c2 cf 11 bf f4 44 45 53 54 00 00 16 00 08 00 ......DEST...... 0x04517323 66 63 03 00 00 00 da 00 68 63 28 00 01 00 82 00 fc......hc(..... 0x04517333 00 00 c2 c5 41 6e 03 c7 d1 01 c2 cd 17 57 2d c7 ....An.......W-. 0x04517343 d1 01 01 00 00 00 00 00 00 00 00 00 00 00 3a 00 ..............:. 0x04517353 32 00 30 00 31 00 36 00 30 00 36 00 31 00 35 00 2.0.1.6.0.6.1.5. 0x04517363 32 00 30 00 31 00 36 00 30 00 36 00 31 00 36 00 2.0.1.6.0.6.1.6. 0x04517373 3a 00 20 00 56 00 61 00 41 00 41 00 41 00 40 00 :...S.a.l.t.r.@. 0x04517383 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 77 00 h.t.t.p.:././.w. 0x04517393 77 00 77 00 2e 00 6e 00 62 00 63 00 2e 00 63 00 w.w...n.b.c...c. 0x045173a3 6f 00 6d 00 2f 00 00 00 4e 00 42 00 43 00 20 00 o.m./...N.B.C... 0x045173b3 54 00 56 00 20 00 4e 00 65 00 74 00 77 00 6f 00 T.V...N.e.t.w.o. 0x045173c3 72 00 6b 00 20 00 2d 00 20 00 53 00 68 00 6f 00 r.k...-...S.h.o. 0x045173d3 77 00 73 00 2c 00 20 00 45 00 70 00 69 00 73 00 w.s.,...E.p.i.s. 0x045173e3 6f 00 64 00 65 00 73 00 2c 00 20 00 53 00 63 00 o.d.e.s.,...S.c. 0x045173f3 68 00 65 00 64 00 75 00 6c 00 65 00 00 00 00 00 h.e.d.u.l.e..... The strings are in unicode, but you can see the DEST marker followed by binary timestamps, followed by the traditional hist format of DATEDATE:machine@URL .... If DEST records don't appear on disk, then maybe they are a memory-only data structure? I would like to convert carving for these into a Volatility plugin, but I want to make sure I understand any prior work on them first. -- Thanks, Andrew (@attrc)