ie-cache-files
Parses the WebCacheV01.dat ESE (Extensible Storage Engine) database file used by Internet Explorer and queries the cache file history. Extracts URL, file information, and HTTP request/response headers from cache records stored in the Content container.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
- zippath=STR: Path to the ZIP file containing the WebCacheV01.dat file. Use this when querying the ESE database file directly from inside a ZIP archive.
- zipcharset=STR: Character set for ZIP file entries. (Default: utf-8)
Target
- FILE_PATH: Path to the Internet Explorer WebCacheV01.dat file to query. You can use wildcards (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Last access time |
| container_id | long | Container identifier |
| entry_id | long | Entry identifier |
| cache_id | long | Cache identifier |
| type | string | Record type |
| visit_count | long | Access count |
| url | string | Cached URL |
| file_path | string | Local path of the cached file |
| file_name | string | Cached file name |
| file_size | long | Cached file size (bytes) |
| file_ext | string | Cached file extension |
| redirect_url | string | Redirect URL |
| sync_time | timestamp | Sync time |
| creation_time | timestamp | Creation time |
| expiry_time | timestamp | Expiry time |
| modified_time | timestamp | Modification time |
| post_check_time | timestamp | Post-check time |
| request_headers | string | HTTP request headers |
| response_headers | string | HTTP response headers |
| group | string | Group |
| extra_data | binary | Extra data |
| url_hash | long | URL hash value |
| secure_dir | long | Secure directory identifier |
Error codes
Parsing errors
N/A
Runtime errors
| Error code | Message | Description | Action on error |
|---|---|---|---|
| - | cannot load ESE database: PATH | The ESE database file could not be read | Aborts query execution |
Description
The ie-cache-files command parses the WebCacheV01.dat ESE database file where Internet Explorer stores web cache information. It first identifies containers of type Content in the Containers table, then queries records from those containers.
Date fields are converted from Windows FILETIME format (100-nanosecond units since January 1, 1601) to UNIX timestamps. If a FILETIME value is 0, the corresponding date field is not assigned.
The request_headers and response_headers fields are converted from binary data to UTF-8 strings.
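The two conversions described above can be reproduced outside the product when validating results against another ESE parser. The following Python sketch is an added example, not Logpresso's own code; the raw record layout (a dict of integer FILETIME values and header byte strings), the function names, and the choice to drop out-of-range timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_FIELDS = ("sync_time", "creation_time", "expiry_time",
               "modified_time", "post_check_time")


def filetime_to_datetime(ticks):
    """Return a UTC datetime, or None when the FILETIME is 0 (unset)."""
    if not ticks:
        return None
    try:
        # Integer microseconds avoid float rounding on 64-bit tick counts.
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        # Values past year 9999 do not fit a datetime; this example
        # treats them as unassigned (an assumption, not documented behaviour).
        return None


def decode_headers(blob):
    """Decode a header blob as UTF-8; undecodable bytes become U+FFFD."""
    return blob.decode("utf-8", errors="replace") if blob else None


def normalize_record(raw):
    """Map a raw record (hypothetical dict layout) to the documented fields."""
    out = {"url": raw["url"]}
    for name in TIME_FIELDS:
        value = filetime_to_datetime(raw.get(name, 0))
        if value is not None:  # zero FILETIME: field is not assigned
            out[name] = value
    for name in ("request_headers", "response_headers"):
        text = decode_headers(raw.get(name))
        if text is not None:
            out[name] = text
    return out


# Constructed sample record, not taken from a real WebCacheV01.dat.
SAMPLE = {
    "url": "https://example.com/app.js",
    "creation_time": 132223104000000000,  # 2020-01-01 00:00:00 UTC
    "expiry_time": 0,                     # unset
    "response_headers": b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n",
}

if __name__ == "__main__":
    print(normalize_record(SAMPLE))
```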
Examples
- Query IE cache file history

      ie-cache-files /opt/logpresso/evidence/WebCacheV01.dat

  Queries all cache file history from the WebCacheV01.dat file at the specified path.

- Filter cache history for a specific domain

      ie-cache-files /opt/logpresso/evidence/WebCacheV01.dat | search url == "*example.com*"

  Filters only entries matching a specific domain from the cache history.

- Query a WebCacheV01.dat file inside a ZIP archive

      ie-cache-files zippath=/opt/logpresso/evidence/browser.zip WebCacheV01.dat

  Queries cache file history from the WebCacheV01.dat file inside the ZIP archive.