bannlyst wrote:
A fellow student and I are currently working on our last-year thesis of BSc IT-Forensics and Information Security. We are currently looking into Internet Explorer 10 artifacts using Windows 7. We would like to know if some of you have come across IE10 during an investigation and what information you managed to parse from the webcachev01.dat or webcachev24.dat. Did you only use EnCase (or other) or did you use some form of database viewer during the examination?
Best regards
Hi bannlyst,
Please note that there could also be a WebCacheV16.dat file, depending on the version of Windows 8/IE10 that is present.
EnCase/FTK do not have native support for these files, but there are a couple of free tools that will open JetBlue/ESE databases; below are some links:
http://www.nirsoft.net/utils/ese_database_view.html
http://www.woanware.co.uk/?page_id=89
These files generally are in a "dirty" state and need to be repaired prior to opening. You can do this with the Windows command line utility "esentutl", using the "/p" (repair) option (you can contact me directly for more info on this utility if needed). However, the Nirsoft utility does a good job of working around this in many cases.
Also, our software IEF ( http://www.magnetforensics.com ) can parse these databases, but I assume you were looking for something more manual to use in your thesis.
Hope that helps,
Jad
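As an added example (not part of either post, and not code from any of the tools mentioned): a read-only check of the ESE header's database state, for confirming on a working copy whether a WebCacheV*.dat file is in the "dirty" state described above before running esentutl with /p. The header offsets are assumptions taken from the publicly documented ESE file layout, and the sample header is constructed.

```python
import struct
import sys

ESE_SIGNATURE = 0x89ABCDEF  # magic value at header offset 4 (assumed layout)
DB_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
             4: "BeingConverted", 5: "ForceDetach"}
HEADER_LEN = 240  # enough to cover every field read below


def parse_ese_header(header: bytes) -> dict:
    """Decode the fields needed to judge whether the database is dirty."""
    if len(header) < HEADER_LEN:
        raise ValueError("need at least %d header bytes" % HEADER_LEN)
    signature, fmt_version, file_type = struct.unpack_from("<III", header, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (bad signature)")
    (state,) = struct.unpack_from("<I", header, 52)       # database state
    (page_size,) = struct.unpack_from("<I", header, 236)  # page size in bytes
    return {"format_version": hex(fmt_version),
            "file_type": "database" if file_type == 0 else "other",
            "state": DB_STATES.get(state, "Unknown(%d)" % state),
            "page_size": page_size}


def is_dirty(header: bytes) -> bool:
    """True when the header records an unclean shutdown."""
    return parse_ese_header(header)["state"] == "DirtyShutdown"


def read_header(path: str) -> bytes:
    """Read only the header, opening the evidence copy read-only."""
    with open(path, "rb") as fh:
        return fh.read(HEADER_LEN)


def build_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed header for demonstration; not taken from a real case."""
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    # Pass the path of a working copy, or run with no argument for the sample.
    hdr = read_header(sys.argv[1]) if len(sys.argv) > 1 else build_sample_header(2)
    print(parse_ese_header(hdr), "dirty:", is_dirty(hdr))
```

Run it against a copy of the file rather than the original evidence, and hash the copy before and after any repair so the change made by the repair step is documented.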