Internet Explorer History

Description: A little-known fact about the IE history is that the information stored in the history files is not limited to Internet browsing. The history also records local, removable, and remote (via network shares) file access within Windows Explorer, giving us an excellent means of determining which files and applications were accessed on the system, day by day.

Location:

Internet Explorer:

  • Internet Explorer 6 - 7:
    • C:\Users\<username>\Local Settings\History\History.IE5
  • Internet Explorer 8 - 9:
    • C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5
  • Internet Explorer 10 - 11:
    • C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

Notes:

  • Stored in index.dat as: file:///C:/directory/filename.ext.
  • An entry does not mean the file was opened in the browser.

Analysis: The versions of Internet Explorer that you are most likely to encounter, IE 10 - 11, store their browser information inside an ESE database. Unfortunately, the database isn't structured in a way that makes it easy to manually analyze with a tool like NirSoft's ESEDatabaseView. Instead I found it simpler to rely on another NirSoft utility, BrowsingHistoryView, to automatically parse the data found within WebCacheV01.dat.

We can use BrowsingHistoryView to analyze browsing artifacts from multiple web browsers at once to simplify our analysis. Launch BrowsingHistoryView --> Configure the length of your query --> Select Load history from the specified history files --> Select the ellipsis button to open a new dialog box --> Specify the file locations of the databases you would like to analyze. For our use case, make sure to reference WebCacheV*.dat.



You can tell the difference between a website that was visited in a web browser and a file that was viewed in Windows Explorer by the prefix of the URL. Files viewed in Windows Explorer will have a prefix of file:///.
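
The file:/// check described above can be scripted once the parsed history has been exported to CSV. The following is an added example, not part of the original notes or of any NirSoft tool: it separates file access from web visits, converts each file URL back into a Windows path, and groups the hits by day. The column names `URL` and `Visit Time`, the timestamp layout, and every sample row are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample export. Column names and timestamp layout are
# assumptions; adjust them to match the CSV you actually exported.
SAMPLE_CSV = """\
URL,Visit Time
https://www.example.com/login,2019-03-04 09:12:31
file:///C:/Users/alice/Documents/Q1%20budget.xlsx,2019-03-04 09:15:02
file:///E:/tools/setup.exe,2019-03-04 09:20:47
file://fileserver01/finance/payroll.docx,2019-03-04 09:31:10
Visited: alice@file:///C:/Users/alice/Desktop/notes.txt,2019-03-04 09:40:00
"""

def classify(url):
    """Return (kind, windows_path); kind is 'web', 'drive' or 'share'."""
    # Raw IE history records prefix the URL with "Visited: <user>@".
    if url.startswith("Visited: ") and "@" in url:
        url = url.split("@", 1)[1]
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return ("web", None)
    # Decode %20 etc. and switch to backslashes: "/C:/a/b" -> "C:\a\b".
    p = unquote(parts.path).replace("/", "\\").lstrip("\\")
    if parts.netloc:                      # file://server/share/... is a UNC path
        return ("share", "\\\\" + parts.netloc + "\\" + p)
    if re.match(r"[A-Za-z]:", p):         # drive letter: local OR removable volume
        return ("drive", p)
    return ("share", "\\\\" + p)          # file:////server/share/... form

def file_access_by_day(csv_text):
    """Map each day to its (time, kind, path) file-access entries."""
    days = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, path = classify(row["URL"])
        if kind != "web":
            day, _, clock = row["Visit Time"].partition(" ")
            days[day].append((clock, kind, path))
    return dict(days)

if __name__ == "__main__":
    for day, hits in sorted(file_access_by_day(SAMPLE_CSV).items()):
        print(day)
        for clock, kind, path in hits:
            print(f"  {clock}  {kind:5}  {path}")
```

A drive letter alone does not say whether the volume was local or removable; correlate the letter with the system's mounted-device records before drawing that conclusion.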