Solved

webcachev01.dat viewer

Posted on 2015-01-06
4
4,728 Views
Last Modified: 2015-01-29
can anyone recommend a good free webcachev01.dat viewer for IE history. The files have been pulled from a copy of a users PC, so I need something that can analyse them and give a list of websites visited. I cant seem to find much through Google searches in this area.
0
Comment
Question by:pma111
  • 2
4 Comments
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40534134
You need to make sure you may do what you plan to do as it targets private data - even if at work, even if the workers know they may only use browsers for work matters.
That said, http://www.nirsoft.net/utils/iehv.html might help, though it does not target the webcache file, it will allow an administrator to read out the browsing history of another user's profile without having his password.  In order to view the history of IE10/IE11 , you can use http://www.nirsoft.net/utils/browsing_history_view.html
0
 
LVL 61

Accepted Solution

by:
btan earned 167 total points
ID: 40535089
To add another mean to study this data would be by parsing this webcachev01.dat (that is a Extensible Storage Engine (ESE) or known as JET Blue database). In fact there is an paper running through the environment setup and went in depth into dissecting the ESE database. It shared the use of possible tools (and even WinHex under section 4.5) like

a) ESEDatabaseView by Nirsoft built to access ESE databases (see section 5.3)
http://www.nirsoft.net/utils/ese_database_view.html

b) wdsCarve inspect and carve the contents of an ESE database (see section 6.2) which may be useful to consider it to recover InPrivate browsing history. However, this tool is only available to forensic investigators and researchers from the author.

Paper - Forensic analysis of the ESE database in Internet Explorer 10
http://articles.forensicfocus.com/2013/12/10/forensic-analysis-of-the-ese-database-in-internet-explorer-10/

Other is really on big effort in data parsing and formatting which that is likely the last resort if need to drill further ...
https://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 166 total points
ID: 40542653
IECacheView by Nir Sofer.
http://www.nirsoft.net/utils/ie_cache_viewer.html
Standalone EXE once unzipped to its own folder.
Set preferences under View and Options menus.
File menu > Select Cache Folder.
Default will be the current user's IE "Temporary Internet Files" folder.
Browse to the folder containing the webcachev01.dat file, which should preferably be in a folder on its own.
Program should read the file and show the names of the files, the file types, the URLs they were loaded from, the relevant times and dates, the temporary internet files folder they were cached to, and a few other details.  It allows you to save out a report.  If the webcachev01.dat is in a folder of its own, the files will obviously show as "missing file"="yes", but if the webcachev01.dat is still in its original folder structure with some of the cached files in place as they were, then you may be able to open them directly from the program interface.  Otherwise you can open the relevant URLs to the files in the default browser.
0
 
LVL 61

Expert Comment

by:btan
ID: 40542734
BrowsingHistoryView and IECacheView as mentioned by McKnife and BillDL from Nirsoft are good to read off the cache and history as the author has updated that. Including the ESEDatabaseView (http://dig4n6.blogspot.sg/2012/07/attacking-webcachev24-with-esedbviewer.html) also from Nirsoft.

Just a small note, if the IE10 is running and you try using the util concurrently, the file (WebCacheV24.dat or WebCacheV01.dat) is locked by taskhost.exe. The dat file is not available for util reading. The author of the tools suggested Shadow Volume Copy to work off the copy or alternately run BrowsingHistoryView.exe /UseVolumeShadowCopy
http://blog.nirsoft.net/2012/12/08/a-few-words-about-the-cache-history-on-internet-explorer-10/

The dat files typical path is %LOCALAPPDATA%\Microsoft\Windows\WebCache\
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now