
WebCacheV01.dat permissions query.  

cb122
(@cb122)
New Member

I am trying to identify tools to analyse and produce a report of web history from the IE 11 browser on a Windows 7 based PC. I've got an image copy of another user's folder for test purposes; this is a test account:

%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\

There are a few free tools I've seen recommended on other sites, namely those on the Nirsoft website. Using these tools, you can point the app towards a set of folders taken from a remote PC, rather than loading the local history from the analysis machine. However, from my testing, when you supply the path to the WebCache folder taken from the remote PC, that has been obtained from another user's device, the Nirsoft tool seems to only produce a very limited set of history data which was not representative of what was expected (what I believe to be stored - which was in excess of a few weeks' worth of history that can be seen from the IE browser itself).

This is purely for testing purposes, but I have read that the WebCacheV01.dat file, when copied (imaged) from a remote PC relating to another user and supplied to freeware tools such as those on the Nirsoft site, will only load a limited/blank report, as the tool really needs to be run under the context of the user to whom the WebCacheV01.dat history belongs. Is this correct, and/or what tools do you use for analysis of the WebCacheV01.dat file? How do you overcome the permissions challenges if supplying the file to a tool run under a different user account?

This makes sense - as if I run the tool from my own machine it loads the history report fine, going back weeks, but this is run under the same user context for running the Nirsoft tool as for using the browser.

In a nutshell - if ALL you have is the WebCache folder for a 3rd party, will you ever be able to get a full report of the history stored within the WebCacheV01.dat file? Or is a change of strategy required?

This topic was modified 4 days ago by cb122
Posted : 16/09/2020 3:50 pm
jaclaz
(@jaclaz)
Community Legend

Are you sure you are looking at *all* and at the *right* "containers"?

And which specific Nirsoft tool are you using?

Compare with:

https://cyberforensicator.com/2017/02/07/windows-10-forensics/

For permissions you should be able to run *any* tool under System or TrustedInstaller credentials, check:

https://msfn.org/board/topic/181190-how-to-overwrite-dll-file-in-system32/

jaclaz

Posted : 17/09/2020 12:59 pm
cb122 liked
cb122
(@cb122)
New Member

@jaclaz It wasn't ESEDatabaseView.exe I was running, so that article in itself has highlighted another tool that I wasn't aware of and seems very useful.

ReplyQuote
Posted : 18/09/2020 3:21 pm
jaclaz
(@jaclaz)
Community Legend

Check also:

https://www.sans.org/blog/ese-databases-are-dirty/

Maybe the issue in your case is not merging the V01 log files.

jaclaz

Posted : 18/09/2020 6:50 pm
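
Added example, not part of any post in this thread: a small Python check of the ESE header of a copied WebCacheV01.dat, to see whether the database was left in a dirty-shutdown state, which is the case where the V01 log files still need to be merged before a viewer shows the full history. The function names and the sample headers are constructed for illustration; the header offsets (signature at 4, file type at 12, database state at 52, page size at 236) follow the publicly documented ESE file header layout.

```python
import struct
import sys

ESE_SIGNATURE = 0x89ABCDEF  # stored little-endian at offset 4
FILE_TYPES = {0: "database", 1: "streaming file"}
DB_STATES = {
    1: "JustCreated",
    2: "DirtyShutdown",   # transactions may still sit in V01*.log
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}

def read_ese_state(header: bytes) -> dict:
    """Parse the ESE header fields needed to triage a copied database."""
    if len(header) < 240:
        raise ValueError("need at least the first 240 bytes of the file")
    (signature,) = struct.unpack_from("<I", header, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (bad signature)")
    (file_type,) = struct.unpack_from("<I", header, 12)
    (state,) = struct.unpack_from("<I", header, 52)
    (page_size,) = struct.unpack_from("<I", header, 236)
    name = DB_STATES.get(state, f"Unknown({state})")
    return {
        "file_type": FILE_TYPES.get(file_type, f"unknown({file_type})"),
        "state": name,
        "page_size": page_size,
        "needs_log_replay": name == "DirtyShutdown",
    }

def make_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed header for demonstration; not taken from a real file."""
    buf = bytearray(240)
    struct.pack_into("<I", buf, 4, ESE_SIGNATURE)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python ese_state.py <path to a working copy of WebCacheV01.dat>
        with open(sys.argv[1], "rb") as fh:
            print(read_ese_state(fh.read(240)))
    else:
        for sample_state in (2, 3):
            print(read_ese_state(make_sample_header(sample_state)))
```

Run it against a working copy of the file rather than the original evidence, and keep the V01*.log files from the same WebCache folder alongside that copy.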