Description: A little-known fact about the IE history is that the information stored in the history files is not limited to Internet browsing. The history also records local, removable, and remote (via network shares) file access within Windows Explorer, giving us an excellent means of determining which files and applications were accessed on the system, day by day.
Location: Internet Explorer:
Notes:
Analysis: The versions of Internet Explorer that you are most likely to encounter, IE 10 - 11,
store their browser information inside of an ESE database. Unfortunately, the database isn't structured
in a way that makes it easy to manually analyze with a tool like Nirsoft's ESEDatabaseView. Instead I found it
simpler to rely on another Nirsoft utility, BrowsingHistoryView, to automatically
parse the data found within WebCacheV01.dat.
We can use BrowsingHistoryView to analyze browsing artifacts from multiple web browsers at once to simplify
our analysis. Launch BrowsingHistoryView --> Configure the length of your query
--> Select Load history from the specified history files
--> Select the ellipses button to open a new dialog box
--> Specify the file locations of the databases you would like to analyze. For our use case, make
sure to reference WebCacheV*.dat.
You can tell the difference between a website that was visited by a web browser and a file that was viewed in
Windows Explorer by the prefix on the URL. Files viewed in Windows Explorer will have a prefix of
file:///.
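
The split described above, as an added example (not from the original notes or from NirSoft): it reads a BrowsingHistoryView CSV export, keeps only the file: entries, converts them to Windows paths and groups them by day. The URL and Visit Time column names, the timestamp format and the sample rows are assumptions; it also accepts the file://server/share form, which goes beyond the file:/// prefix described in the text.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed sample standing in for a BrowsingHistoryView CSV export.
# Column names and the timestamp format are assumptions; adjust to your export.
SAMPLE_CSV = """URL,Visit Time
https://www.example.com/login,2023-04-11 09:02:10
file:///C:/Users/alice/Documents/Q1%20budget.xlsx,2023-04-11 09:15:02
file:///E:/tools/setup.exe,2023-04-11 10:40:55
file://fileserver01/finance/payroll.docx,2023-04-12 14:03:31
"""

def file_url_to_path(url):
    """Return the Windows path for a file: URL, or None for anything else."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed history entry
        return None
    if parts.scheme.lower() != "file":
        return None
    path = unquote(parts.path).replace("/", "\\")
    if parts.netloc:            # file://server/share/... -> \\server\share\...
        return "\\\\" + parts.netloc + path
    stripped = path.lstrip("\\")
    # file:///C:/... is a drive-letter path; anything else is treated as UNC
    return stripped if stripped[1:2] == ":" else "\\\\" + stripped

def file_access_by_day(csv_text, time_format="%Y-%m-%d %H:%M:%S"):
    """Group file: entries by day -> sorted list of (time, origin, path)."""
    days = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = file_url_to_path(row["URL"])
        if path is None:
            continue            # ordinary web browsing, not Explorer file access
        visited = datetime.strptime(row["Visit Time"], time_format)
        # A drive letter alone does not say whether the volume was local or removable
        origin = "network share" if path.startswith("\\\\") else "drive " + path[:2]
        days[visited.date().isoformat()].append(
            (visited.strftime("%H:%M:%S"), origin, path))
    return {day: sorted(hits) for day, hits in sorted(days.items())}

if __name__ == "__main__":
    for day, hits in file_access_by_day(SAMPLE_CSV).items():
        print(day)
        for when, origin, path in hits:
            print(f"  {when}  {origin:<14} {path}")
```

Pass the time_format that matches your export, since the timestamp layout follows the regional settings of the machine that produced it.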