webcachev01.dat viewer

can anyone recommend a good free webcachev01.dat viewer for IE history. The files have been pulled from a copy of a users PC, so I need something that can analyse them and give a list of websites visited. I cant seem to find much through Google searches in this area.
Who is Participating?
btanConnect With a Mentor Exec ConsultantCommented:
To add another mean to study this data would be by parsing this webcachev01.dat (that is a Extensible Storage Engine (ESE) or known as JET Blue database). In fact there is an paper running through the environment setup and went in depth into dissecting the ESE database. It shared the use of possible tools (and even WinHex under section 4.5) like

a) ESEDatabaseView by Nirsoft built to access ESE databases (see section 5.3)

b) wdsCarve inspect and carve the contents of an ESE database (see section 6.2) which may be useful to consider it to recover InPrivate browsing history. However, this tool is only available to forensic investigators and researchers from the author.

Paper - Forensic analysis of the ESE database in Internet Explorer 10

Other is really on big effort in data parsing and formatting which that is likely the last resort if need to drill further ...
McKnifeConnect With a Mentor Commented:
You need to make sure you may do what you plan to do as it targets private data - even if at work, even if the workers know they may only use browsers for work matters.
That said, http://www.nirsoft.net/utils/iehv.html might help, though it does not target the webcache file, it will allow an administrator to read out the browsing history of another user's profile without having his password.  In order to view the history of IE10/IE11 , you can use http://www.nirsoft.net/utils/browsing_history_view.html
BillDLConnect With a Mentor Commented:
IECacheView by Nir Sofer.
Standalone EXE once unzipped to its own folder.
Set preferences under View and Options menus.
File menu > Select Cache Folder.
Default will be the current user's IE "Temporary Internet Files" folder.
Browse to the folder containing the webcachev01.dat file, which should preferably be in a folder on its own.
Program should read the file and show the names of the files, the file types, the URLs they were loaded from, the relevant times and dates, the temporary internet files folder they were cached to, and a few other details.  It allows you to save out a report.  If the webcachev01.dat is in a folder of its own, the files will obviously show as "missing file"="yes", but if the webcachev01.dat is still in its original folder structure with some of the cached files in place as they were, then you may be able to open them directly from the program interface.  Otherwise you can open the relevant URLs to the files in the default browser.
btanExec ConsultantCommented:
BrowsingHistoryView and IECacheView as mentioned by McKnife and BillDL from Nirsoft are good to read off the cache and history as the author has updated that. Including the ESEDatabaseView (http://dig4n6.blogspot.sg/2012/07/attacking-webcachev24-with-esedbviewer.html) also from Nirsoft.

Just a small note, if the IE10 is running and you try using the util concurrently, the file (WebCacheV24.dat or WebCacheV01.dat) is locked by taskhost.exe. The dat file is not available for util reading. The author of the tools suggested Shadow Volume Copy to work off the copy or alternately run BrowsingHistoryView.exe /UseVolumeShadowCopy

The dat files typical path is %LOCALAPPDATA%\Microsoft\Windows\WebCache\
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.