ie-visits
Parses the WebCacheV01.dat ESE (Extensible Storage Engine) database file used by Internet Explorer and queries the website visit history. Extracts usernames, URLs, and access counts from visit records stored in the History and MSHist containers.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
ie-visits [zippath=STR] [zipcharset=STR] FILE_PATH
Options
zippath=STR - Path to the ZIP file containing the WebCacheV01.dat file. Use this when querying the ESE database file directly from inside a ZIP archive.
zipcharset=STR - Character set for ZIP file entries. (Default: utf-8)
Target
FILE_PATH - Path to the Internet Explorer WebCacheV01.dat file to query. You can use wildcards (*) to specify multiple files.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Last access time |
| container_id | long | Container identifier |
| entry_id | long | Entry identifier |
| cache_id | long | Cache identifier |
| type | string | Record type |
| visit_count | long | Access count |
| user | string | Username of the visitor |
| url | string | Visited URL |
| file_path | string | Local path of the cached file |
| file_name | string | Cached file name |
| file_size | long | Cached file size (bytes) |
| file_ext | string | Cached file extension |
| redirect_url | string | Redirect URL |
| sync_time | timestamp | Sync time |
| creation_time | timestamp | Creation time |
| expiry_time | timestamp | Expiry time |
| modified_time | timestamp | Modification time |
| post_check_time | timestamp | Post-check time |
| request_headers | binary | HTTP request headers (raw bytes) |
| response_headers | binary | HTTP response headers (raw bytes) |
| group | string | Group |
| extra_data | binary | Extra data |
| url_hash | long | URL hash value |
| secure_dir | long | Secure directory identifier |
Error codes
Parsing errors
N/A
Runtime errors
| Error code | Message | Description | Action on error |
|---|---|---|---|
| - | cannot load ESE database: PATH | The ESE database file could not be read | Aborts query execution |
Description
The ie-visits command parses the WebCacheV01.dat ESE database file where Internet Explorer stores visit history. It first identifies containers in the Containers table whose name is History or starts with MSHist (the date-ranged history containers), then queries the records from those containers.
Usernames and actual URLs are separated from the original URL field. When the stored URL has the form type: username@host (for example, Visited: alice@http://example.com/), the string before the @ is assigned to the user field and the string after it to the url field. If there is no @, the user field is set to null and the url field holds the URL unchanged.
Date fields are converted from Windows FILETIME format (100-nanosecond units since January 1, 1601) to UNIX timestamps. If a FILETIME value is 0, the corresponding date field is not assigned.
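The container selection, the user/URL split and the FILETIME conversion described above, as an added Python example that is not Logpresso's implementation. It leaves out the ESE parsing itself and works on constructed rows whose column names follow the WebCacheV01.dat Containers and Container_N table schema; matching on the Name column of the Containers table, splitting at the first @, and stripping a "Visited: " style prefix from the user part are assumptions of this example.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Seconds between the FILETIME epoch (1601-01-01 UTC) and the UNIX epoch (1970-01-01 UTC).
FILETIME_EPOCH_OFFSET = 11_644_473_600
FILETIME_TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-nanosecond intervals


def filetime_to_unix(filetime: int) -> Optional[float]:
    """Convert a Windows FILETIME to a UNIX timestamp in seconds.

    WebCacheV01.dat stores 0 for "no value"; return None for it instead of
    1601-01-01, mirroring how the command leaves such date fields unassigned.
    """
    if filetime == 0:
        return None
    return filetime / FILETIME_TICKS_PER_SECOND - FILETIME_EPOCH_OFFSET


def split_visit_url(raw_url: str) -> Tuple[Optional[str], str]:
    """Split a history URL such as 'Visited: alice@http://example.com/' into (user, url).

    Everything before the first '@' is the user part, everything after it the URL;
    with no '@' the user is None. Splitting at the first '@' keeps credentials embedded
    in the URL itself (http://u:p@host/) intact. Dropping the 'Visited: ' or
    ':YYYYMMDD...: ' prefix from the user part is an assumption of this example.
    """
    head, sep, url = raw_url.partition("@")
    if not sep:
        return None, raw_url
    _, _, user = head.rpartition(": ")  # strip the record-type prefix, if any
    return (user or None), url


def select_history_containers(containers: Iterable[Dict]) -> List[int]:
    """Return the ContainerIds the command reads visit records from:
    name 'History' or a name starting with 'MSHist' (assumed to be the Name column)."""
    return [c["ContainerId"] for c in containers
            if c["Name"] == "History" or c["Name"].startswith("MSHist")]


def normalize_records(containers: Iterable[Dict], records: Iterable[Dict]) -> List[Dict]:
    """Filter Container_N rows to history containers and map them to the output fields."""
    wanted = set(select_history_containers(containers))
    rows = []
    for r in records:
        if r["ContainerId"] not in wanted:
            continue
        user, url = split_visit_url(r["Url"])
        rows.append({
            "_time": filetime_to_unix(r["AccessedTime"]),
            "container_id": r["ContainerId"],
            "entry_id": r["EntryId"],
            "visit_count": r["AccessCount"],
            "user": user,
            "url": url,
            "creation_time": filetime_to_unix(r["CreationTime"]),
            "expiry_time": filetime_to_unix(r["ExpiryTime"]),
        })
    return rows


# Constructed sample rows (not taken from a real evidence file).
# 133485408000000000 is the FILETIME for 2024-01-01T00:00:00Z.
SAMPLE_CONTAINERS = [
    {"ContainerId": 1, "Name": "Content"},
    {"ContainerId": 2, "Name": "History"},
    {"ContainerId": 3, "Name": "MSHist012024010120240102"},
    {"ContainerId": 4, "Name": "iedownload"},
]
SAMPLE_RECORDS = [
    {"ContainerId": 2, "EntryId": 10, "AccessCount": 5, "AccessedTime": 133485408000000000,
     "CreationTime": 133485408000000000, "ExpiryTime": 0,
     "Url": "Visited: alice@http://example.com/"},
    {"ContainerId": 3, "EntryId": 11, "AccessCount": 1, "AccessedTime": 133485408000000000,
     "CreationTime": 0, "ExpiryTime": 0,
     "Url": ":2024010120240102: alice@http://example.com/"},
    {"ContainerId": 1, "EntryId": 12, "AccessCount": 9, "AccessedTime": 133485408000000000,
     "CreationTime": 0, "ExpiryTime": 0,
     "Url": "http://cdn.example.com/script.js"},  # Content container: not a visit
]

if __name__ == "__main__":
    for row in normalize_records(SAMPLE_CONTAINERS, SAMPLE_RECORDS):
        print(row)
```

Only the two rows from the History and MSHist containers come out; the Content cache entry is skipped, the empty ExpiryTime becomes None rather than a 1601 date, and the user is recovered from both the "Visited:" and the date-ranged MSHist prefix form.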
Examples
- Query IE visit history
ie-visits /opt/logpresso/evidence/WebCacheV01.dat
Queries all visit history from the WebCacheV01.dat file at the specified path.
- Retrieve the top 10 entries by visit count
ie-visits /opt/logpresso/evidence/WebCacheV01.dat | sort -visit_count | limit 10
Retrieves the top 10 visit history entries sorted by access count in descending order.
- Query a WebCacheV01.dat file inside a ZIP archive
ie-visits zippath=/opt/logpresso/evidence/browser.zip WebCacheV01.dat
Queries visit history from the WebCacheV01.dat file inside the ZIP archive.