
EnCase App Central


WebCacheV01.dat Internet History Decoder

This script parses history tables from WebCacheV01.dat Extensible Storage Engine database-files.

The script was originally created to decode the visit-count value displayed by Internet Explorer. This value is thought to be stored in, or closely allied to, a serialized property storage (SPS) value with an ID of 6 located in the ResponseHeaders stream of records contained within the Internet Explorer medium-integrity history-table, which is identified by a partition ID value of 'M' in the WebCacheV01.dat Containers table.

The script has since been expanded to parse the records from all WebCacheV01.dat history tables, including those maintained by the Edge browser. These records will also contain the aforementioned SPS value, but care should be taken with regard to the interpretation of that value; see the script's internal help documentation for more details.

If the user takes the option to process tagged or selected files, the script will attempt to parse each file's structure regardless of its name. Otherwise it will parse only WebCacheV01.dat files.

The script provides output in the form of bookmarks and a tab-delimited spreadsheet. Run-time feedback is provided via the console window.

Dates originating from Extensible Storage Engine record-fields are presented as GMT. The date stored in SPS property ID #24 (which is believed to be the actual last-visit date - the AccessedTime column appears to be when the record was last accessed) is presented in an unadjusted format; tests indicate that it is stored as local-time.

The script does not use the Extensible Storage Engine (ESE) API provided by Windows. It should, in the main, parse the aforementioned records properly, although there's a small chance that this may not be the case for fields that contain large amounts of data. The data contained within each of these fields is stored separately in a long value (LV) database page.

It's important to note that the script does not parse transaction log files. These may contain transactions that have yet to be written to the main database file. If the examiner wishes to test the script on his/her own system, it may be necessary to first log out or reboot to see the values displayed by Internet Explorer and Edge.

This script has been tested with Internet Explorer 11 under Windows 7. It has also been tested with Internet Explorer 11 and Edge running under Windows 8.1 and 10.

Tuition regarding use of the script and the data it produces is available on the GSI DFIR350 Internet-based Investigations with EnCase training course.




Version: 2.2.0
Tested with: EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

9974 DOWNLOADS
