How to parse the ebdxxxxxx.log files

5 Posts
3 Users
0 Reactions
2,634 Views
(@streetforensics)
Estimable Member
Joined: 11 years ago
Posts: 55
Topic starter  

I have found a considerable amount of relevant data within a file called edb00005.log. This file is located in the user\"target"\appdata\local\microsoft\windows\webcache\ directory. IEF pointed me to this location by parsing three porn urls, but I'd like to parse the whole file. I'm able to view it in EnCase and manually decode dates and urls, but again, if I could parse the entire file to see what's there a bit easier it would be nice.

Apologies upfront if the answer should be obvious. I have a habit of staring these things in the face for a while, like a pig staring at a wristwatch.

I've googled around a bit, but my google-fu is weak today.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

That should be a log file for the Webcache EDB database, typically index.dat (it depends on version of Explorer, new ones use V01 or V24).

It is around 5 MB, right?

You should be able (on a copy of course) to merge the info in the .log to the .dat file, see this (which is about the newer Internet Explorer 10, but the basics should be similar?)
http://articles.forensicfocus.com/2013/12/10/forensic-analysis-of-the-ese-database-in-internet-explorer-10/

jaclaz

(@streetforensics)
Estimable Member
Joined: 11 years ago
Posts: 55
Topic starter  

Excellent article, thanks for the help. After several hours of manually parsing and getting to know this file I learned that IEF parses this data quite well!

From what I understand the edbxxxxxx.log file is a backup of the webcachev01.dat file, although I could not figure out how to manually merge/convert it back.

Again, IEF verified all the work I put into this file…

Thanks and I hope this may help someone else.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Also, before I forget, these might be useful (for future needs):
http://msdn.microsoft.com/en-us/library/gg294069(v=exchg.10).aspx
http://forensic-proof.com/wp-content/uploads/2011/07/Extensible-Storage-Engine-ESE-Database-File-EDB-format.pdf

jaclaz

(@olly_wolly)
Active Member
Joined: 14 years ago
Posts: 7
 

You can attempt to update the database file (WebCacheV##.dat) from the log files by using the recovery option with esentutl. As well as the log files, you will also need the .chk file (and maybe the .jrs files), which are usually in the same location as the database. I assume the database will also need to be in a ‘Dirty Shutdown’ state to begin with.

Because the log files contain the full path to the database directory, and you have presumably extracted the files from a forensic image to a new location, you will need to specify the new directory path (not file path) when using the recovery command. So, if all the required files are in the same path (e.g. C:\Exported Webcache) and if the first three letters of the log files are 'edb' (sometimes 'V01'), try using the command

esentutl /r edb /l "C:\Exported Webcache" /s "C:\Exported Webcache" /d "C:\Exported Webcache"
http://technet.microsoft.com/en-us/library/hh875590.aspx

I guess it’s possible that some records may not be updated to the database (perhaps because the record has already been deleted???), so IEF may be your only option in some cases. It’s also possible that you may be left with fewer records in the database after the recovery.

Another thing to note is that the recovery may fail if the version of the ESE engine that created the database is newer than the version on your workstation.

I wrote a blog post a few months ago that discusses some of these issues.
http://www.cclgroupltd.com/getting-ese-databases/

The links provided by jaclaz are extremely useful sources of information in regards to these databases.

I hope some of this is useful
Oll
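Before running the esentutl recovery described above, it helps to confirm that the exported WebCacheV##.dat really is in the 'Dirty Shutdown' state and to note its page size and log signature. The following Python reader is an added example, not code posted in this thread or shipped with any of the tools mentioned; it decodes the fixed ESE database header fields (signature, format version, file type, database state, log signature, page size) at the offsets given in the ESE database file format document linked by jaclaz. The sample header bytes are constructed in the script so it runs offline; point `read_header()` at a copy of a real .dat file to use it on evidence.

```python
import struct
import sys

# ESE (JET Blue) database header constants, per the EDB format documentation.
ESE_SIGNATURE = 0x89ABCDEF
HEADER_MIN_LEN = 240  # page size field ends at offset 240

# Database state values stored at header offset 52.
DB_STATES = {
    1: "JustCreated",
    2: "DirtyShutdown",
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}

FILE_TYPES = {0: "database", 1: "streaming file"}


def parse_ese_header(data: bytes) -> dict:
    """Decode the fields of an ESE database header needed to judge log replay.

    Offsets: 0 checksum, 4 signature, 8 format version, 12 file type,
    52 database state, 108 log signature (28 bytes), 236 page size.
    Raises ValueError if the buffer is too short or the signature is wrong.
    """
    if len(data) < HEADER_MIN_LEN:
        raise ValueError("buffer too short for an ESE database header")
    checksum, signature, version, file_type = struct.unpack_from("<4I", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError(f"bad ESE signature 0x{signature:08x}")
    (state,) = struct.unpack_from("<I", data, 52)
    log_signature = data[108:136]
    (page_size,) = struct.unpack_from("<I", data, 236)
    return {
        "checksum": checksum,
        "format_version": version,
        "file_type": FILE_TYPES.get(file_type, f"unknown({file_type})"),
        "state": DB_STATES.get(state, f"unknown({state})"),
        # Only a dirty-shutdown database needs the edb*.log files replayed.
        "needs_recovery": state == 2,
        "log_signature": log_signature.hex(),
        "page_size": page_size,
    }


def read_header(path: str) -> dict:
    """Read the first page of a database file (work on a copy) and parse it."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_MIN_LEN))


def build_sample_header(state: int, page_size: int = 0x8000) -> bytes:
    """Constructed sample header for offline testing; not taken from any image.

    Format version 0x620 and a 32 KB page size are typical of WebCacheV01.dat.
    """
    buf = bytearray(page_size)
    struct.pack_into("<4I", buf, 0, 0, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<28s", buf, 108, b"sample-log-signature")  # constructed
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


def describe(hdr: dict) -> str:
    """One-line summary suitable for a case note."""
    action = "replay logs with esentutl /r" if hdr["needs_recovery"] else "no log replay needed"
    return (f"{hdr['file_type']} v0x{hdr['format_version']:x}, state={hdr['state']}, "
            f"page={hdr['page_size']} bytes: {action}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(describe(read_header(sys.argv[1])))
    else:
        # Demonstrate on constructed dirty and clean headers.
        for st in (2, 3):
            print(describe(parse_ese_header(build_sample_header(st))))
```

If the state reads CleanShutdown, the .log files have already been merged and `esentutl /r` has nothing to do; if the signature check fails, the export is not an ESE database (or is corrupt), which explains a failing recovery before version mismatch is suspected.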