With Windows 10 comes Microsoft Edge – the replacement for the much scorned Internet Explorer. Many articles are saying that Edge is better, faster and safer and compares to the likes of Google Chrome. But how does it store the user’s web history?
In the good old days IE stored everything in index.dat files. Chrome & Firefox moved away from flat files like this and went for SQL databases, making them much easier to analyse and interrogate the data. Microsoft has stuck to the good old .dat file, but this time naming it “WebCacheV1.dat” instead. You can find this at %LocalAppData%\Microsoft\Windows\WebCache\, which for most default users will be at C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache.
For the in depth forensics, I recommend this article which goes through the mechanics of the WebCacheV1.dat file. There are a couple of new forensic elements which are the result of being coupled with Windows 10, e.g. Cortana, the Windows ‘personal’ Search assistant. Cortana searches, and even suggestions by Cortana, are stored (that is if Cortana is turned on; which for the security conscience like me, is definitely not!). Note that the article mentions that their research was done just before Windows 10 came out, and so there may be more features not explored in the article.
In summary, the back end of Edge is very similar to IE, and looks like an updated version of IE with a new name and some new Windows 10 features.