Microsoft's Really Hidden Files:  A New Look At Forensics. (v2.5b)
By The Riddler
October 14, 2001  (v2.0 finished May 16, 2001; v1.0 finished June 11, 2000)

Written with Windows 9x in mind, but not limited to.

DISCLAIMER:

I will not be liable for any damage or lost information, whether due to
reader's error, or any other reason.

SUMMARY:

There are folders on your computer that Microsoft has tried hard to keep
secret.  Within these folders you will find two major things:  Microsoft
Internet Explorer has been logging all of the sites you have ever visited --
even after you've cleared your history, and Microsoft's Outlook Express has
been logging all of your e-mail correspondence -- even after you've erased
them from your Deleted Items bin.  (This also includes all incoming and
outgoing file attachments.)  And believe me, that's not even the half of it.

When I say these files are hidden well, I really mean it.  If you don't have
any knowledge of DOS then don't plan on finding these files on your own.  I
say this because these files/folders won't be displayed in Windows Explorer at
all -- only DOS.  (Even after you have enabled Windows Explorer to "view all
files.")  And to top it off, the only way to find them in DOS is if you knew
the exact location of them.  Basically, what I'm saying is if you didn't know
the files existed then the chances of you running across them is slim to
slimmer.

It's interesting to note that Microsoft does not explain this behavior
adequately at all.  Just try searching on microsoft.com.

FORWARD:

I know there are some people out there that are already aware of some of the
things I mention.  I also know that most people are not.  The purpose of this
tutorial is to teach people what is really going on with Microsoft's products
and how to take control of their privacy again.  This tutorial was written by
me, so if you see a mistake somewhere then it is my mistake, and I apologize.

Thanks for reading.

INDEX:

1) DEFINITIONS AND ACRONYMS
2) WHY YOU SHOULD ERASE THESE FILES
3) HOW TO ERASE THE FILES ASAP
   3.1) If You Own Microsoft Internet Explorer
   3.2) Clearing Your Registry
   3.3) If You Own Outlook Express
   3.4) Slack files
   3.5) Keeping Microsoft's Products
4) STEP-BY-STEP GUIDE THROUGH YOUR HIDDEN FILES (For the savvy.)
5) A LOOK AT OUTLOOK
6) HOW MICROSOFT DOES IT
7) +S MEANS [S]ECRET NOT [S]YSTEM.
8) THE TRUTH ABOUT FIND FAST
   8.1) Removing Find Fast
9) CONTACT INFORMATION AND PGP BLOCKS
   9.1) Recommended reading
10) SPECIAL THANKS
11) REFERENCES

Coming Soon:

- pstores.exe
- Related Windows Tricks.
- The NSA-Key.
- Researching the [Microsoft Update] button.
- Why the temp folders aren't intended to be temporary at all.
- What's with Outlook Express's .dbx database files?
- Win2k support.


1. DEFINITIONS AND ACRONYMS

Well, the best definition I have been able to come up with is the following:

I) A "really hidden" file/folder is one that cannot be seen in Windows
Explorer after enabling it to "view all files," and cannot be seen in MS-DOS
after receiving a proper directory listing from root.

   a) There is at least one loophole to enabling Windows Explorer to see them.
   b) There is at least one loophole to enabling MS-DOS to see them.

(Interesting to note that the "Find: Files or Folders" utility cannot even
search through one of these folders.  It doesn't even exist on the [Browse]
menu.)

II) Distinguishes "really hidden" file/folders from just plain +h[idden] ones,
such as your "MSDOS.SYS" or "Sysbckup" folder.

III) Distinguishes from certain "other" intended hidden files, such as a file
with a name with high ascii characters (eg, "?��?").

DOS = Disk Operating System
MSIE = Microsoft Internet Explorer
TIF = Temporary Internet Files (folder)
HD = Hard Drive
OS = Operating System


2. WHY SHOULD I ERASE THESE FILES?

Just from one of these files I would be able to tell you which web sites you
previously visited, what types of things you search for in search engines, and
probably gather your ethnicity, religion, and sexual preference.  Needless to
say, one can build quite a profile on you from these files.  It has the
potential to expose and humiliate -- putting your marriage, friendship, and
corporation at risk.  Here's one good example of the forensic capabilities...

------------------------------------------------------------------------------

"I've been reading your article as I have a problem with an employee of mine.
He has been using the works pc for the internet and using it to chat and look
at porn sites.  He was then deleting the cookies and history in order to cover
his tracks.  A friend of mine pointed me in the direction of this site and
your article.  I have found it to be incredibly useful,..."

--Concerned Boss, 8/24/01

------------------------------------------------------------------------------


3. HOW TO ERASE THE FILES ASAP

Step by step information on how to erase these files as soon as possible.
This section is recommended for the non-savvy.  Further explanation can be
found in Section 4.0.  Please note that following these next steps will erase
all your cache files and cookies files.  If you use the offline content
feature with MSIE, it will remove this as well.  It will not erase your
bookmarks.


3.1. IF YOU OWN A COPY OF MICROSOFT INTERNET EXPLORER

1) Shut your computer down, and turn it back on.
2) While your computer is booting keep pressing the [F8] key until you are
given an option screen.
3) Choose "Command Prompt Only".  This will take you to real DOS mode.  ME
users must use a bootdisk to get into real DOS mode.
4) When your computer is done booting, you will see a C:\> prompt followed by
a blinking cursor.  Type in the following, pressing Enter after each line
(leave out the comments in parentheses):

C:\WINDOWS\SMARTDRV (Loads smartdrive to speed things up.)
CD\
DELTREE/Y TEMP (this line removes temporary files.)
CD WINDOWS
DELTREE/Y COOKIES (This line removes cookies.)
DELTREE/Y TEMP (This removes temporary files.)
DELTREE/Y HISTORY (This line removes your browsing history.)
DELTREE/Y TEMPOR~1

(If this last line doesn't work then type this:)

CD\WINDOWS\APPLIC~1
DELTREE/Y TEMPOR~1

(If this doesn't work then type this:)

CD\WINDOWS\LOCALS~1
DELTREE/Y TEMPOR~1

(If this still does not work, and you are sure you are using MSIE5.x, then
please e-mail me.  Finding the location of these may be difficult and I'd
certainly like to know where else MSIE likes to hide its cache.  I believe
older versions of MSIE keep them under "\windows\content\".)

This last one will take a ridiculous amount of time to process.  The reason it
takes so incredibly long is because there is a ton of semi-useless cache
stored on your HD.


3.2. CLEARING YOUR REGISTRY

It was once believed that the registry is the central database of Windows that
stores and maintains the OS configuration information.  Well, this is wrong.
Apparently it also maintains a bunch of other doo-dah that has absolutely
nothing to do with the configuration.  I won't get into the other stuff, but
for one, your Typed URLs are stored in the registry.

HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

These "Typed URLs" come from MSIE's autocomplete feature.  It records all URLs
that you've typed in manually in order to save you some time filling out the
address field.  By typing "ama" the autocomplete feature might bring up
"amazon.com" for you.  Although I find it annoying, some people prefer this
feature.  One thing is for sure, however -- it's an obvious privacy risk.  You
wouldn't want a guest to type "ama" and have it autocomplete
"amaturemudwrestlers.com" now would you?

You can clear your Typed URLs out of your registry by going to Tools >
Internet Options > Content > [AutoComplete] > and finally [Clear Forms] under
MSIE.  If you do not like the AutoComplete feature then uncheck the
appropriate boxes here.


3.3. IF YOU HAVE OUTLOOK OR OUTLOOK EXPRESS INSTALLED

Microsoft's e-mail clients DO NOT delete your messages until a) you really
know how, and b) you go through the redundant process.  And besides this,
there are the glaring e-mail virus problems (to which virtually all other
e-mail clients are immune).  This, alone, should be enough to want to strangle
Slick Willy -- as I like to call him.

My suggestion?

1) Install another e-mail program like Eudora or Pegasus Mail.  Make sure
everything is set up correctly.  (www.eudora.com / www.pmail.com)
2) Backup any e-mail and address books that you wish to save by making use of
the export/import features.
3) Uninstall Outlook.

Warning:  Simply uninstalling Outlook does not erase any of your e-mail
correspondence.  The database files are still there on your hard drive.  To
find them open up a DOS window and type this:

dir *.mbx /s/p

The files you are looking for are:

INBOX.MBX
OUTBOX.MBX
SENTIT~1.MBX
DELETE~1.MBX
DRAFTS.MBX

If these files come up they should be listed in either of these folders:

C:\Windows\Application Data\Microsoft\Outlook Express\Mail\
C:\Program Files\internet mail and news\%USER%\mail\

Now type either of the following (depending on the location of your .mbx
files...)

*Remember, this will erase all your e-mail correspondence so backup what you
want to keep.  By now you should have already imported your mail into Eudora,
or Pegasus Mail.

CD\WINDOWS\APPLIC~1\MICROS~1\OUTLOO~1
DELTREE/Y MAIL

or

CD\PROGRA~1\INTERN~1\%USER%

(replace "%user%" with the proper name.)

DELTREE/Y MAIL

If you have newer versions of Outlook or Outlook Express the databases are
*.dbx, or *.pst files.  Five times as creepy as the *.mbx files.  I recommend
that you take a look at them ...
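Before running DELTREE, and again afterwards to confirm nothing survived, it
helps to list every message store on the disk together with its size.  The
Python script below is an added example and is not part of this tutorial; it
generalizes the "dir *.mbx /s/p" check to the *.dbx and *.pst stores mentioned
above, and the sample tree it builds when run without an argument is
constructed dummy data, not real mail.

```python
import os
import sys
import tempfile

# Extensions of the Outlook / Outlook Express message stores named in the tutorial.
STORE_EXTENSIONS = {".mbx", ".dbx", ".pst"}

def is_mail_store(filename):
    """True if filename is a message store; case-insensitive because FAT 8.3
    names (SENTIT~1.MBX) are upper case while long-name listings are not."""
    return os.path.splitext(filename)[1].lower() in STORE_EXTENSIONS

def find_mail_stores(root):
    """Return [(path, size_in_bytes)] for every store below root, largest first.
    Unreadable files are reported with size -1 rather than silently skipped."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_mail_store(name):
                path = os.path.join(dirpath, name)
                try:
                    found.append((path, os.path.getsize(path)))
                except OSError:
                    found.append((path, -1))
    found.sort(key=lambda item: item[1], reverse=True)
    return found

def build_sample_tree():
    """Constructed sample tree (dummy bytes, not real mail) for a dry run."""
    base = tempfile.mkdtemp(prefix="oe_sample_")
    mail = os.path.join(base, "Application Data", "Microsoft", "Outlook Express", "Mail")
    os.makedirs(mail)
    samples = {
        os.path.join(mail, "INBOX.MBX"): 300,
        os.path.join(mail, "Sentit~1.mbx"): 120,   # 8.3 name as a long listing shows it
        os.path.join(base, "Folders.dbx"): 60,
        os.path.join(base, "archive.PST"): 200,
        os.path.join(base, "readme.txt"): 10,      # not a store, must not be listed
    }
    for path, size in samples.items():
        with open(path, "wb") as handle:
            handle.write(b"x" * size)
    return base

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, size in find_mail_stores(root):
        print(f"{size:>10}  {path}")
```

Run it with the drive root (for example C:\) as the argument; any store it still lists after the DELTREE steps is mail that survived the uninstall.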