IDX-URL-Extractor (Java Cache Analyzer)

Scans Java Applet Cache .idx files to extract URLs and timestamps for forensic analysis.

Overview

A Delphi CLI that parses .idx files (used by Java for caching applets) and extracts:

• URLs (excluding trusted domains: verisign.com, thawte.com).
• Timestamps in DD Mon YYYY HH:MM:SS format.

Output format:
<timestamp>|<URL>|<full_path_to_idx_file>.

Details

• Skips files >100 KB (adjustable via MAX_BYTES_IDX constant).
• Recursive directory scanning.
• Supports manual path input or autosearch across all user profiles(digs there via windows registry).
• All user profiles were available until windows 8 was shown up, modern winsows versions require more effor. I already gave my money so this didn't matter after all :).

HOw to use

idxurlextractor.exe -p "C:\path\to\java\cache"  # Manual path input  
idxurlextractor.exe -a                          # Scan all user profiles  

NOTICE: Java Cache Paths

• Windows XP:
  C:\Documents and Settings\<user>\Local Settings\Application Data\Sun\Java\Deployment\cache
• Windows 7+:
  C:\Users\<user>\AppData\LocalLow\Sun\Java\Deployment\cache

📂 Dependencies

• regUtils.pas (registry helper module). - Local submodule
• PerlRegEx library (for regex matching). - Must be installed

🔗 About DFIR

• Investigate malicious Java applet downloads.
• Hunt for exploitation artifacts (e.g., CVE-2012-4681).