ie-cookies
Parses the WebCacheV01.dat ESE (Extensible Storage Engine) database file used by Internet Explorer and queries the cookie history. Extracts usernames, URLs, and access times from cookie records stored in the Cookies container.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
- zippath=STR: Path to the ZIP file containing the WebCacheV01.dat file. Use this when querying the ESE database file directly from inside a ZIP archive.
- zipcharset=STR: Character set for ZIP file entries. (Default: utf-8)
Target
- FILE_PATH: Path to the Internet Explorer WebCacheV01.dat file to query. You can use wildcards (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Last access time |
| container_id | long | Container identifier |
| entry_id | long | Entry identifier |
| cache_id | long | Cache identifier |
| type | string | Record type |
| visit_count | long | Access count |
| user | string | Username that owns the cookie |
| url | string | Cookie target URL |
| file_path | string | Local path of the cookie file |
| file_name | string | Cookie file name |
| file_size | long | Cookie file size (bytes) |
| file_ext | string | Cookie file extension |
| redirect_url | string | Redirect URL |
| sync_time | timestamp | Sync time |
| creation_time | timestamp | Creation time |
| expiry_time | timestamp | Expiry time |
| modified_time | timestamp | Modification time |
| post_check_time | timestamp | Post-check time |
| request_headers | binary | HTTP request headers |
| response_headers | binary | HTTP response headers |
| group | string | Group |
| extra_data | binary | Extra data |
| url_hash | long | URL hash value |
| secure_dir | long | Secure directory identifier |
Error codes
Parsing errors
N/A
Runtime errors
| Error code | Message | Description | Action on error |
|---|---|---|---|
| - | cannot load ESE database: PATH | The ESE database file could not be read | Aborts query execution |
Description
The ie-cookies command parses the WebCacheV01.dat ESE database file where Internet Explorer stores cookie information. It first identifies containers of type Cookies in the Containers table, then queries records from those containers.
Usernames and actual URLs are separated from the original URL field. When the URL has the format cookiename:username@host, the string before @ is assigned to the user field and the string after @ to the url field. If there is no @, the user field is set to null.
Date fields are converted from Windows FILETIME format (100-nanosecond units since January 1, 1601) to UNIX timestamps. If a FILETIME value is 0, the corresponding date field is not assigned.
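The two normalization rules described above, as an added Python sketch that is not the command's own implementation; it can be used to cross-check raw values pulled from the database against the command's output. The function names, the `strip_prefix` switch and the sample record are assumptions made for illustration: the page does not say whether the `cookiename:` prefix is kept in `user`, so the default follows the page's wording literally.

```python
from datetime import datetime, timezone

# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (UNIX epoch).
EPOCH_DELTA_SECONDS = 11_644_473_600
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick = 100 ns

# Date fields from the output table above.
TIME_FIELDS = ("_time", "sync_time", "creation_time", "expiry_time",
               "modified_time", "post_check_time")


def filetime_to_unix(filetime):
    """Return UNIX seconds for a FILETIME, or None when the value is 0 (unset)."""
    if not filetime:
        return None
    return (filetime - EPOCH_DELTA_SECONDS * TICKS_PER_SECOND) / TICKS_PER_SECOND


def split_cookie_url(raw, strip_prefix=False):
    """Split 'cookiename:username@host' into (user, url); user is None without '@'."""
    if raw is None or "@" not in raw:
        return None, raw
    user, url = raw.split("@", 1)
    if strip_prefix:  # hypothetical switch: drop the 'cookiename:' part
        user = user.split(":", 1)[-1]
    return user, url


def normalize(raw):
    """Apply both rules to one raw record (a dict of FILETIME ints plus 'url')."""
    out = {}
    out["user"], out["url"] = split_cookie_url(raw.get("url"))
    for name in TIME_FIELDS:
        ts = filetime_to_unix(raw.get(name, 0))
        if ts is not None:  # FILETIME 0 leaves the field unassigned
            out[name] = datetime.fromtimestamp(ts, tz=timezone.utc)
    return out


# Constructed sample record, not taken from a real WebCacheV01.dat file.
SAMPLE = {"url": "Cookie:alice@example.com/",
          "_time": 132223104000000000,   # 2020-01-01 00:00:00 UTC
          "expiry_time": 0}              # unset

if __name__ == "__main__":
    print(normalize(SAMPLE))
```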
Examples
- Query IE cookie history

      ie-cookies /opt/logpresso/evidence/WebCacheV01.dat

  Queries all cookie history from the WebCacheV01.dat file at the specified path.

- Filter cookie history for identified users

      ie-cookies /opt/logpresso/evidence/WebCacheV01.dat | search isnotnull(user)

  Filters only cookie history entries where a username was identified.

- Query a WebCacheV01.dat file inside a ZIP archive

      ie-cookies zippath=/opt/logpresso/evidence/browser.zip WebCacheV01.dat

  Queries cookie history from the WebCacheV01.dat file inside the ZIP archive.