ie-downloads
Parses the WebCacheV01.dat ESE (Extensible Storage Engine) database file used by Internet Explorer and queries the file download history. Extracts download URLs and file paths from download records stored in the iedownload container.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
- zippath=STR - Path to the ZIP file containing the WebCacheV01.dat file. Use this when querying the ESE database file directly from inside a ZIP archive.
- zipcharset=STR - Character set for ZIP file entries. (Default: utf-8)
Target
- FILE_PATH - Path to the Internet Explorer WebCacheV01.dat file to query. You can use wildcards (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Last access time |
| container_id | long | Container identifier |
| entry_id | long | Entry identifier |
| cache_id | long | Cache identifier |
| type | string | Record type |
| visit_count | long | Access count |
| url | string | Download URL |
| file_path | string | Local path of the downloaded file |
| file_name | string | Downloaded file name |
| file_size | long | Downloaded file size (bytes) |
| file_ext | string | Downloaded file extension |
| redirect_url | string | Redirect URL |
| sync_time | timestamp | Sync time |
| creation_time | timestamp | Creation time |
| expiry_time | timestamp | Expiry time |
| modified_time | timestamp | Modification time |
| post_check_time | timestamp | Post-check time |
| response_headers | binary | HTTP response headers |
| group | string | Group |
| extra_data | binary | Extra data |
| url_hash | long | URL hash value |
| secure_dir | long | Secure directory identifier |
Error codes
Parsing errors
N/A
Runtime errors
| Error code | Message | Description | Action on error |
|---|---|---|---|
| - | cannot load ESE database: PATH | The ESE database file could not be read | Aborts query execution |
Description
The ie-downloads command parses the WebCacheV01.dat ESE database file where Internet Explorer stores download history. It first identifies containers of type iedownload in the Containers table, then queries records from those containers.
The download URL and file path are extracted from the binary data in the response_headers field. The binary data's null-terminated string region is decoded as UTF-16LE; the last line provides the file_path field and the second-to-last line provides the url field. These values replace the URL field from the base ESE record.
Date fields are converted from Windows FILETIME format (100-nanosecond units since January 1, 1601) to UNIX timestamps. If a FILETIME value is 0, the corresponding date field is not assigned.
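The two decoding steps described above (UTF-16LE string region of response_headers, last two lines giving url and file_path; FILETIME to UNIX time with 0 left unassigned), as an added example in Python that is not Logpresso's own code. The sample blob, the assumption that the string region ends at the first 2-byte-aligned NUL, and the line splitting on CRLF are all constructed for illustration.

```python
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01 expressed in FILETIME ticks
TICKS_PER_SECOND = 10_000_000             # one FILETIME tick is 100 ns

def filetime_to_unix(filetime):
    """FILETIME -> UNIX seconds; 0 means 'not set', so return None."""
    if filetime == 0:
        return None
    return (filetime - FILETIME_UNIX_EPOCH) / TICKS_PER_SECOND

def utf16le_string_region(blob):
    """Bytes up to the first 2-byte-aligned UTF-16LE NUL (assumption: the
    string region is NUL-terminated and followed by opaque binary data)."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i]
    return blob

def parse_download_headers(blob):
    """Return (url, file_path) from the last two non-empty lines of the
    decoded string region, following the description above."""
    text = utf16le_string_region(blob).decode("utf-16-le", errors="replace")
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln]
    if len(lines) < 2:
        return None, None
    return lines[-2], lines[-1]

def build_record(raw):
    """Shape a raw row (dict of ESE columns) into the url, file_path,
    file_name, file_ext and converted timestamp output fields."""
    url, file_path = parse_download_headers(raw["response_headers"])
    rec = {"url": url, "file_path": file_path}
    if file_path:
        name = file_path.replace("\\", "/").rsplit("/", 1)[-1]
        rec["file_name"] = name
        rec["file_ext"] = name.rsplit(".", 1)[-1] if "." in name else ""
    for col in ("creation_time", "modified_time", "expiry_time"):
        ts = filetime_to_unix(raw.get(col, 0))
        if ts is not None:          # FILETIME 0: field stays unassigned
            rec[col] = ts
    return rec

# Constructed sample blob, not taken from a real WebCacheV01.dat file.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    "https://example.invalid/files/report.pdf\r\n"
    "C:\\Users\\alice\\Downloads\\report.pdf"
).encode("utf-16-le") + b"\x00\x00" + b"\x01\x02\x03"

SAMPLE_ROW = {"response_headers": SAMPLE_HEADERS,
              "creation_time": 128790414900000000, "expiry_time": 0}
```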
Examples
- Query IE download history
  ie-downloads /opt/logpresso/evidence/WebCacheV01.dat
  Queries all download history from the WebCacheV01.dat file at the specified path.
- Filter entries where a file path was identified
  ie-downloads /opt/logpresso/evidence/WebCacheV01.dat | search isnotnull(file_path)
  Filters only download history entries where the file path was identified.
- Query a WebCacheV01.dat file inside a ZIP archive
  ie-downloads zippath=/opt/logpresso/evidence/browser.zip WebCacheV01.dat
  Queries download history from the WebCacheV01.dat file inside the ZIP archive.