WebCacheV01.dat Internet History Decoder
This script parses history tables from WebCacheV01.dat Extensible Storage Engine database-files.
The script was originally created to decode the visit-count value displayed by Internet Explorer. This value is thought to be stored in, or closely allied to, a serialized property storage (SPS) value with an ID of 6 located in the ResponseHeaders stream of records contained within the Internet Explorer medium-integrity history-table, which is identified by a partition ID value of 'M' in the WebCacheV01.dat Containers table.
The script has since been expanded to parse the records from all WebCacheV01.dat history tables including those maintained by the Edge browser. These records will also contain the aforementioned SPS value, but care should be taken with regards to the interpretation of that value; see the script's internal help documentation for more details.
If the user take takes the option to process tagged or selected files, the script will attempt to parse each file's structure regardless of its name. Otherwise it will parse only WebCacheV01.dat files.
The script provides output in the form of bookmarks and a tab-delimited spreadsheet. Run-time feedback is provided via the console window.
Dates originating from Extensible Storage Engine record-fields are presented as GMT. The date stored in SPS property ID #24 (which is believed to be the actual last-visit date - the AccessedTime column appears to be when the record was last accessed) is presented in an unadjusted format; tests indicate that it is stored as local-time.
The script does not use the Extensible Storage Engine (ESE) API provided by Windows. It should, in the main, parse the aforementioned records properly although there's a small chance that this may not be the case for fields that contain large amounts of data. The data contained within each of these fields is stored separately in long value (LV) database page.
It's important to note that the script does not parse transaction log files. These may contain transactions that have yet to be written to the main database file. If the examiner wishes to test the script on his/her own system it may be necessary to first logout or reboot to see the values displayed by Internet Explorer and Edge.
This script has been tested with Internet Explorer 11 under Windows 7. It has also been tested with Internet Explorer 11 and Edge running under Window 8.1 and 10.
Tuition regarding use of the script and the data it produces is available on the GSI DFIR350 Internet-based Investigations with EnCase training course.
YOU MAY ALSO LIKE