Solved

webcachev01.dat viewer

Posted on 2015-01-06
4
7,238 Views
Last Modified: 2015-01-29
can anyone recommend a good free webcachev01.dat viewer for IE history. The files have been pulled from a copy of a users PC, so I need something that can analyse them and give a list of websites visited. I cant seem to find much through Google searches in this area.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40534134
You need to make sure you may do what you plan to do as it targets private data - even if at work, even if the workers know they may only use browsers for work matters.
That said, http://www.nirsoft.net/utils/iehv.html might help, though it does not target the webcache file, it will allow an administrator to read out the browsing history of another user's profile without having his password.  In order to view the history of IE10/IE11 , you can use http://www.nirsoft.net/utils/browsing_history_view.html
0
 
LVL 64

Accepted Solution

by:
btan earned 167 total points
ID: 40535089
To add another mean to study this data would be by parsing this webcachev01.dat (that is a Extensible Storage Engine (ESE) or known as JET Blue database). In fact there is an paper running through the environment setup and went in depth into dissecting the ESE database. It shared the use of possible tools (and even WinHex under section 4.5) like

a) ESEDatabaseView by Nirsoft built to access ESE databases (see section 5.3)
http://www.nirsoft.net/utils/ese_database_view.html

b) wdsCarve inspect and carve the contents of an ESE database (see section 6.2) which may be useful to consider it to recover InPrivate browsing history. However, this tool is only available to forensic investigators and researchers from the author.

Paper - Forensic analysis of the ESE database in Internet Explorer 10
http://articles.forensicfocus.com/2013/12/10/forensic-analysis-of-the-ese-database-in-internet-explorer-10/

Other is really on big effort in data parsing and formatting which that is likely the last resort if need to drill further ...
https://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 166 total points
ID: 40542653
IECacheView by Nir Sofer.
http://www.nirsoft.net/utils/ie_cache_viewer.html
Standalone EXE once unzipped to its own folder.
Set preferences under View and Options menus.
File menu > Select Cache Folder.
Default will be the current user's IE "Temporary Internet Files" folder.
Browse to the folder containing the webcachev01.dat file, which should preferably be in a folder on its own.
Program should read the file and show the names of the files, the file types, the URLs they were loaded from, the relevant times and dates, the temporary internet files folder they were cached to, and a few other details.  It allows you to save out a report.  If the webcachev01.dat is in a folder of its own, the files will obviously show as "missing file"="yes", but if the webcachev01.dat is still in its original folder structure with some of the cached files in place as they were, then you may be able to open them directly from the program interface.  Otherwise you can open the relevant URLs to the files in the default browser.
0
 
LVL 64

Expert Comment

by:btan
ID: 40542734
BrowsingHistoryView and IECacheView as mentioned by McKnife and BillDL from Nirsoft are good to read off the cache and history as the author has updated that. Including the ESEDatabaseView (http://dig4n6.blogspot.sg/2012/07/attacking-webcachev24-with-esedbviewer.html) also from Nirsoft.

Just a small note, if the IE10 is running and you try using the util concurrently, the file (WebCacheV24.dat or WebCacheV01.dat) is locked by taskhost.exe. The dat file is not available for util reading. The author of the tools suggested Shadow Volume Copy to work off the copy or alternately run BrowsingHistoryView.exe /UseVolumeShadowCopy
http://blog.nirsoft.net/2012/12/08/a-few-words-about-the-cache-history-on-internet-explorer-10/

The dat files typical path is %LOCALAPPDATA%\Microsoft\Windows\WebCache\
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Part One of the two-part Q&A series with MalwareTech.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question