WebCacheV01.dat - opened files with Windows Explorer?  

donedo
(@donedo)
New Member

Good morning,

Besides the fact that the file WebCacheV01.dat stores information about which websites have been visited with IE/Edge (and some other stuff like Windows searches), will files opened via Windows Explorer also be logged/stored?

I am asking because I see a lot of entries like "file///C/Users/Username/somefolder/20.jpg". Is this a hint for a file being opened with IE/Edge or with Windows Explorer? Could it have been opened with either program and it is not possible to tell which one has been used (IE/Edge or Windows Explorer)?

Regards,
donedo

Posted : 16/01/2020 5:53 am
randomaccess
(@randomaccess)
Active Member

I would highly recommend testing for yourself.

But yes, WebCache will track files opened even if they aren't opened with IE/Edge. You can attempt to determine the program used to open a file by looking at Jumplists, or building a timeline of program execution and file access artefacts (among other methods).

Also recommend looking at the SANS Windows Forensic Analysis poster (and taking FOR500! Full disclosure, I also work for SANS).

Posted : 16/01/2020 10:29 am
donedo
(@donedo)
New Member

Thanks for your answer.

So, it is not possible to tell which program was used to open entries like "file///C/Users/Username/somefolder/20.jpg" by looking at WebCacheV01.dat only?

I am aware that an Investigator should have a look at other artifacts as well (if they are available).

Posted : 16/01/2020 10:41 am
(@keydet89)
Community Legend

So, it is not possible to tell which program was used to open entries like "file///C/Users/Username/somefolder/20.jpg" by looking at WebCacheV01.dat only?

As recommended, I'd suggest testing it yourself.

Just off the top of my head, if you opened the JPG in GIMP or MS-Paint, I can't for the life of me imagine why it would show up in the browser history file.

Posted : 16/01/2020 1:59 pm
donedo
(@donedo)
New Member

I think you misunderstood me slightly. I was never talking about opening an image from within Gimp or Paint (that is, having Gimp open and using Gimp's file open dialog). My question was always related to opening a file (e.g. an image) via Windows Explorer. It would be totally possible to open an image in Windows Explorer while having Gimp set as your default image viewer. Another option would be to open an image via the context menu via "Open with" and then choose Gimp. That is why I was asking if those things appear in WebCacheV01.dat.

Posted : 17/01/2020 4:50 am
hommy0
(@hommy0)
Member

Hi

To re-iterate other posters, I would test this for yourself with the options you mention (File Explorer double click and right click Open With).

A tool such as ESEDatabaseViewer from Nirsoft can be used to read the database.

https://www.nirsoft.net/utils/ese_database_view.html

However, if a file (so in your example an image) is opened using File Explorer, a record of this will be recorded in the WebCacheV01.dat. As you have mentioned, the URL will begin with file///. It does not explicitly mean Internet Explorer / Edge was used to view the file/image.

Windows has recorded this activity for a number of years (it used to be in index.dat files before the WebCacheV01.dat), and it is extremely useful information relating to user activity.

The Windows Jump List is application specific, so if the image was opened in GIMP etc then the jump list may have this information.

Given the record in the WebcacheV01.dat is time and dated, if you have records with file/// reference you should be able to cross reference this with jump list entries to determine which application was used.

As an aside, Chromium Edge (full release this week) appears to not use the WebcacheV01.dat, instead using a SQLite database - consistent with how Chrome functions!!

Regards

Posted : 17/01/2020 9:40 am
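
The cross-referencing described in the last post, as an added example that is not part of the original thread: Python code that matches file:/// records exported from WebCacheV01.dat against Jump List entries by path and time. The row layouts, the "Visited: user@" URL prefix, the 60-second window and all sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath
from urllib.parse import unquote

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FT_UNIX_EPOCH = 116_444_736_000_000_000  # FILETIME value of 1970-01-01 UTC

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def norm(path):  # lower-cased backslash form so both sources compare equal
    return str(PureWindowsPath(path)).lower()

def url_to_path(url):
    """Local path from a record URL containing file:///, else None."""
    i = url.lower().find("file:///")
    return None if i < 0 else norm(unquote(url[i + 8:]))

def correlate(webcache, jumplist, window_s=60):
    """For each file:/// record, list apps whose Jump List holds the same path
    within window_s seconds. Empty list: WebCache alone cannot name the program."""
    window = timedelta(seconds=window_s)
    jl = [(app, norm(p), datetime.fromisoformat(ts)) for app, p, ts in jumplist]
    out = []
    for url, ft in webcache:
        path = url_to_path(url)
        if path is None:          # web history, not a local file
            continue
        when = filetime_to_dt(ft)
        apps = sorted({a for a, p, t in jl if p == path and abs(t - when) <= window})
        out.append((path, when, apps))
    return out

# Constructed sample rows (assumed export layout): (Url, AccessedTime as FILETIME)
WEBCACHE = [
    ("Visited: Username@file:///C:/Users/Username/somefolder/20.jpg",
     FT_UNIX_EPOCH + 1_579_165_200 * 10_000_000),   # 2020-01-16 09:00:00 UTC
    ("Visited: Username@file:///C:/Users/Username/somefolder/my%20notes.txt",
     FT_UNIX_EPOCH + 1_579_165_500 * 10_000_000),   # 2020-01-16 09:05:00 UTC
    ("Visited: Username@https://example.com/", FT_UNIX_EPOCH + 1_579_165_600 * 10_000_000),
]
# Constructed Jump List rows (assumed parser output): (application, target, UTC time)
JUMPLIST = [
    ("GIMP", r"C:\Users\Username\somefolder\20.jpg", "2020-01-16T09:00:02+00:00"),
    ("Notepad", r"C:\Users\Username\somefolder\my notes.txt", "2020-01-15T18:00:00+00:00"),
]
if __name__ == "__main__":
    print(*correlate(WEBCACHE, JUMPLIST), sep="\n")
```

A match only shows that the application's Jump List references the same file at about the same time; records with an empty application list still need other execution and file access artefacts.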