Solved

webcachev01.dat viewer

Posted on 2015-01-06
4
5,483 Views
Last Modified: 2015-01-29
can anyone recommend a good free webcachev01.dat viewer for IE history. The files have been pulled from a copy of a users PC, so I need something that can analyse them and give a list of websites visited. I cant seem to find much through Google searches in this area.
0
Comment
Question by:pma111
  • 2
4 Comments
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40534134
You need to make sure you may do what you plan to do as it targets private data - even if at work, even if the workers know they may only use browsers for work matters.
That said, http://www.nirsoft.net/utils/iehv.html might help, though it does not target the webcache file, it will allow an administrator to read out the browsing history of another user's profile without having his password.  In order to view the history of IE10/IE11 , you can use http://www.nirsoft.net/utils/browsing_history_view.html
0
 
LVL 62

Accepted Solution

by:
btan earned 167 total points
ID: 40535089
To add another mean to study this data would be by parsing this webcachev01.dat (that is a Extensible Storage Engine (ESE) or known as JET Blue database). In fact there is an paper running through the environment setup and went in depth into dissecting the ESE database. It shared the use of possible tools (and even WinHex under section 4.5) like

a) ESEDatabaseView by Nirsoft built to access ESE databases (see section 5.3)
http://www.nirsoft.net/utils/ese_database_view.html

b) wdsCarve inspect and carve the contents of an ESE database (see section 6.2) which may be useful to consider it to recover InPrivate browsing history. However, this tool is only available to forensic investigators and researchers from the author.

Paper - Forensic analysis of the ESE database in Internet Explorer 10
http://articles.forensicfocus.com/2013/12/10/forensic-analysis-of-the-ese-database-in-internet-explorer-10/

Other is really on big effort in data parsing and formatting which that is likely the last resort if need to drill further ...
https://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 166 total points
ID: 40542653
IECacheView by Nir Sofer.
http://www.nirsoft.net/utils/ie_cache_viewer.html
Standalone EXE once unzipped to its own folder.
Set preferences under View and Options menus.
File menu > Select Cache Folder.
Default will be the current user's IE "Temporary Internet Files" folder.
Browse to the folder containing the webcachev01.dat file, which should preferably be in a folder on its own.
Program should read the file and show the names of the files, the file types, the URLs they were loaded from, the relevant times and dates, the temporary internet files folder they were cached to, and a few other details.  It allows you to save out a report.  If the webcachev01.dat is in a folder of its own, the files will obviously show as "missing file"="yes", but if the webcachev01.dat is still in its original folder structure with some of the cached files in place as they were, then you may be able to open them directly from the program interface.  Otherwise you can open the relevant URLs to the files in the default browser.
0
 
LVL 62

Expert Comment

by:btan
ID: 40542734
BrowsingHistoryView and IECacheView as mentioned by McKnife and BillDL from Nirsoft are good to read off the cache and history as the author has updated that. Including the ESEDatabaseView (http://dig4n6.blogspot.sg/2012/07/attacking-webcachev24-with-esedbviewer.html) also from Nirsoft.

Just a small note, if the IE10 is running and you try using the util concurrently, the file (WebCacheV24.dat or WebCacheV01.dat) is locked by taskhost.exe. The dat file is not available for util reading. The author of the tools suggested Shadow Volume Copy to work off the copy or alternately run BrowsingHistoryView.exe /UseVolumeShadowCopy
http://blog.nirsoft.net/2012/12/08/a-few-words-about-the-cache-history-on-internet-explorer-10/

The dat files typical path is %LOCALAPPDATA%\Microsoft\Windows\WebCache\
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Adoption of Microsoft’s Enterprise Mobility and Security solution and Office 365 will re-order the File Sync and Share market Microsoft has stated that its Enterprise Mobility + Security (EMS) is the fastest growing product in the history of the …
As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now