
Internet Explorer 10 webcache JETblue database

(@bannlyst)
New Member
Joined: 13 years ago
Posts: 4
Topic starter  

Me and a fellow student are currently working on our last year thesis of BSc IT-Forensics and Information security. We are currently looking into Internet Explorer 10 artifacts using Windows 7. We would like to know if some of you have come across IE10 during an investigation and what information you managed to parse from the webcachev01.dat or webcachev24.dat. Did you only use EnCase (or other) or did you use some form of database viewer during the examination?

Best regards


   
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

IE10 uses a new database format compared to earlier versions of IE. I believe it's the same format as in e.g. Windows Mail. Anyway, Belkasoft Evidence Center can parse the files you're interested in. You can PM me for a fully-featured demo.


   
MagnetForensics
(@magnetforensics)
Eminent Member
Joined: 16 years ago
Posts: 40
 

> Me and a fellow student are currently working on our last year thesis of BSc IT-Forensics and Information security. We are currently looking into Internet Explorer 10 artifacts using Windows 7. We would like to know if some of you have come across IE10 during an investigation and what information you managed to parse from the webcachev01.dat or webcachev24.dat. Did you only use EnCase (or other) or did you use some form of database viewer during the examination?
>
> Best regards

Hi bannlyst,

Please note that there could also be a WebCacheV16.dat file, depending on the version of Windows 8/IE10 that is present.

EnCase/FTK do not have native support for these files, but there are a couple of free tools that will open JetBlue/ESE databases; below are some links:

http://www.nirsoft.net/utils/ese_database_view.html
http://www.woanware.co.uk/?page_id=89

These files generally are in a "dirty" state and need to be repaired prior to opening. You can do this with the Windows command line utility "esentutl", using the "/p" (repair) option (you can contact me directly for more info on this utility if needed). However, the Nirsoft utility does a good job of working around this in many cases.

Also, our software IEF ( http://www.magnetforensics.com ) can parse these databases, but I assume you were looking for something more manual to use in your thesis.

Hope that helps,
Jad
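
The "dirty" state mentioned in the reply above is recorded in the database header, so it can be checked before deciding whether a repair is needed. The following is an added example, not code from the thread or from any of the tools named in it; the field offsets (signature at 4, state at 52, page size at 236) follow the commonly documented ESE header layout and are assumptions here, and the sample header is constructed rather than taken from a real WebCacheV01.dat.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF  # magic value at header offset 4 (assumed layout)
# Database state values stored at header offset 52 (assumed layout)
DB_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
             4: "BeingConverted", 5: "ForceDetach"}

def parse_ese_header(header: bytes) -> dict:
    """Decode the ESE header fields needed to triage a WebCache database."""
    if len(header) < 240:
        raise ValueError("need at least 240 bytes of the database header")
    signature, version, file_type = struct.unpack_from("<III", header, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (bad signature)")
    (state,) = struct.unpack_from("<I", header, 52)
    (page_size,) = struct.unpack_from("<I", header, 236)
    return {
        "format_version": hex(version),
        "file_type": "database" if file_type == 0 else "streaming file",
        "state": DB_STATES.get(state, f"unknown({state})"),
        "page_size": page_size,
        # Anything other than a clean shutdown may refuse to open in a viewer.
        "needs_recovery": state != 3,
    }

def read_header(path: str) -> dict:
    """Read only the header of a file on disk; the file is opened read-only."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(240))

def build_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed header for demonstration, not from a real database."""
    buf = bytearray(240)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)

if __name__ == "__main__":
    for sample_state in (2, 3):  # dirty, then clean
        print(parse_ese_header(build_sample_header(sample_state)))
```

Because a repair rewrites the database, run it against a working copy and keep the original evidence file untouched.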


   
(@bannlyst)
New Member
Joined: 13 years ago
Posts: 4
Topic starter  

Thanks for the responses and tips on software, guys. I will look closer at all the linked software tomorrow when I get to "the lab". We have looked into the whole dirty/clean aspect and yes, Nirsoft's tool works well even though the DB is "dirty". We haven't come across the v16 yet; are you positive this is also present in Windows 7, or is it only present with some Windows 8 versions (or simply depending on the IE10 version)?

Best regards


   
MagnetForensics
(@magnetforensics)
Eminent Member
Joined: 16 years ago
Posts: 40
 

bannlyst,

I've only seen it on Windows 8, and only the WebCacheV01.dat file on Windows 7.

Regards,
Jad


   