
pasco

Pasco is a forensic tool that examines Microsoft Internet Explorer cache files (index.dat) and extracts information into a field-separated format for spreadsheet analysis. It is useful in forensic investigations.

Description

Pasco is designed for forensic analysis of Internet Explorer cache files, specifically parsing the index.dat files produced by Microsoft Internet Explorer. It outputs the parsed content in a field-separated format that can be easily loaded into a spreadsheet for further examination.

This tool is particularly valuable in digital forensics investigations where historical web activity from IE browsers needs to be recovered and analyzed. Investigators can use it to uncover visited URLs, timestamps, and other cached data that may provide evidence in cases.

The package is lightweight, with an installed size of 34 KB, and depends only on libc6.

How It Works

Pasco parses the index.dat cache file from Microsoft Internet Explorer, extracting records such as activity logs. It supports undeleting activity records and uses a configurable field delimiter (TAB by default) to output data in a format suitable for spreadsheets.

Installation

sudo apt install pasco

Flags

-d    Undelete Activity Records
-t    Field Delimiter (TAB by default)

Examples

Display usage information and available options
pasco -h
Parse the specified index.dat file using default TAB delimiter
pasco index.dat
Parse index.dat and undelete activity records
pasco -d index.dat
Parse index.dat using comma as field delimiter
pasco -t ',' index.dat
Parse index.dat, undelete records, and use semicolon delimiter
pasco -d -t ';' index.dat
Analyze index.dat from a specific cache path
pasco /path/to/cache/index.dat
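
Added example (not part of pasco or of the original page): a Python script that compares the saved output of `pasco index.dat` with the saved output of `pasco -d index.dat` and returns the rows that only the undelete pass produced. It assumes the -d output contains the normal records plus the recovered ones; the function names, the sample text and its column layout are constructed for illustration and are not real pasco output.

```python
def read_records(text, delimiter="\t"):
    """Split saved pasco output into rows of fields.

    Lines that do not contain the delimiter (banner text, blank lines)
    are skipped, so no particular header wording is assumed.
    """
    rows = []
    for line in text.splitlines():
        if delimiter not in line:
            continue
        rows.append(tuple(field.strip() for field in line.split(delimiter)))
    return rows


def recovered_only(normal_text, undelete_text, delimiter="\t"):
    """Rows present in the -d output but absent from the normal output.

    Order of first appearance is kept and duplicates are reported once.
    A header row that appears in both outputs is filtered out like any
    other shared row. Pass the same delimiter that was given to -t.
    """
    seen = set(read_records(normal_text, delimiter))
    recovered = []
    for row in read_records(undelete_text, delimiter):
        if row not in seen:
            seen.add(row)
            recovered.append(row)
    return recovered


# Constructed sample text (assumed layout, not captured from a real run).
NORMAL = (
    "banner line (constructed)\n"
    "\n"
    "TYPE\tURL\tACCESS TIME\n"
    "URL\thttp://example.com/\t2004-01-01 10:00:00\n"
)
UNDELETE = NORMAL + (
    "URL\thttp://example.org/old\t2003-12-31 09:00:00\n"
    "URL\thttp://example.org/old\t2003-12-31 09:00:00\n"
)

if __name__ == "__main__":
    for row in recovered_only(NORMAL, UNDELETE):
        print("\t".join(row))
```

Run pasco against a working copy of index.dat, redirect each run to its own file, and pass the two files' contents to `recovered_only`.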
Updated 2026-04-16 | kali.org