Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

webcachev01.dat viewer

Posted on 2015-01-06
4
Medium Priority
?
7,942 Views
Last Modified: 2015-01-29
can anyone recommend a good free webcachev01.dat viewer for IE history. The files have been pulled from a copy of a users PC, so I need something that can analyse them and give a list of websites visited. I cant seem to find much through Google searches in this area.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 668 total points
ID: 40534134
You need to make sure you may do what you plan to do as it targets private data - even if at work, even if the workers know they may only use browsers for work matters.
That said, http://www.nirsoft.net/utils/iehv.html might help, though it does not target the webcache file, it will allow an administrator to read out the browsing history of another user's profile without having his password.  In order to view the history of IE10/IE11 , you can use http://www.nirsoft.net/utils/browsing_history_view.html
0
 
LVL 64

Accepted Solution

by:
btan earned 668 total points
ID: 40535089
To add another mean to study this data would be by parsing this webcachev01.dat (that is a Extensible Storage Engine (ESE) or known as JET Blue database). In fact there is an paper running through the environment setup and went in depth into dissecting the ESE database. It shared the use of possible tools (and even WinHex under section 4.5) like

a) ESEDatabaseView by Nirsoft built to access ESE databases (see section 5.3)
http://www.nirsoft.net/utils/ese_database_view.html

b) wdsCarve inspect and carve the contents of an ESE database (see section 6.2) which may be useful to consider it to recover InPrivate browsing history. However, this tool is only available to forensic investigators and researchers from the author.

Paper - Forensic analysis of the ESE database in Internet Explorer 10
http://articles.forensicfocus.com/2013/12/10/forensic-analysis-of-the-ese-database-in-internet-explorer-10/

Other is really on big effort in data parsing and formatting which that is likely the last resort if need to drill further ...
https://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 664 total points
ID: 40542653
IECacheView by Nir Sofer.
http://www.nirsoft.net/utils/ie_cache_viewer.html
Standalone EXE once unzipped to its own folder.
Set preferences under View and Options menus.
File menu > Select Cache Folder.
Default will be the current user's IE "Temporary Internet Files" folder.
Browse to the folder containing the webcachev01.dat file, which should preferably be in a folder on its own.
Program should read the file and show the names of the files, the file types, the URLs they were loaded from, the relevant times and dates, the temporary internet files folder they were cached to, and a few other details.  It allows you to save out a report.  If the webcachev01.dat is in a folder of its own, the files will obviously show as "missing file"="yes", but if the webcachev01.dat is still in its original folder structure with some of the cached files in place as they were, then you may be able to open them directly from the program interface.  Otherwise you can open the relevant URLs to the files in the default browser.
0
 
LVL 64

Expert Comment

by:btan
ID: 40542734
BrowsingHistoryView and IECacheView as mentioned by McKnife and BillDL from Nirsoft are good to read off the cache and history as the author has updated that. Including the ESEDatabaseView (http://dig4n6.blogspot.sg/2012/07/attacking-webcachev24-with-esedbviewer.html) also from Nirsoft.

Just a small note, if the IE10 is running and you try using the util concurrently, the file (WebCacheV24.dat or WebCacheV01.dat) is locked by taskhost.exe. The dat file is not available for util reading. The author of the tools suggested Shadow Volume Copy to work off the copy or alternately run BrowsingHistoryView.exe /UseVolumeShadowCopy
http://blog.nirsoft.net/2012/12/08/a-few-words-about-the-cache-history-on-internet-explorer-10/

The dat files typical path is %LOCALAPPDATA%\Microsoft\Windows\WebCache\
0

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question