Microsoft Edge Forensics

With Windows 10 comes Microsoft Edge – the replacement for the much scorned Internet Explorer. Many articles are saying that Edge is betterfaster and safer and compares to the likes of Google Chrome. But how does it store the user’s web history?

In the good old days IE stored everything in index.dat files. Chrome & Firefox moved away from flat files like this and went for SQL databases, making them much easier to analyse and interrogate the data. Microsoft has stuck to the good old .dat file, but this time naming it “WebCacheV1.dat” instead. You can find this at %LocalAppData%\Microsoft\Windows\WebCache\, which for most default users will be at C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache.

A free and easy-to-use tool to have a look at the data in the dat file is IECacheView. This automatically points at that directory and spits out everything web related. It even works when the file is in use, which when doing this on your own profile, would be all the time. You will find that the tool is quite noisy, there is a lot of stuff there even if you don’t use Edge much. The best way is to filter out all the rubbish by going to Options and unticking most of the content types apart from “Show Text\HTML files”. This still gives you CSS, JavaScript and XML, but you can now actually see the URLs you’ve been to!

For the in depth forensics, I recommend this article which goes through the mechanics of the WebCacheV1.dat file. There are a couple of new forensic elements which are the result of being coupled with Windows 10, e.g. Cortana, the Windows ‘personal’ Search assistant. Cortana searches, and even suggestions by Cortana, are stored (that is if Cortana is turned on; which for the security conscience like me, is definitely not!). Note that the article mentions that their research was done just before Windows 10 came out, and so there may be more features not explored in the article.

In summary, the back end of Edge is very similar to IE, and looks like an updated version of IE with a new name and some new Windows 10 features.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s