Internet Explorer file:///

Internet Explorer History databases are pivotal for forensic investigations because they record access to both local files and remote files reached through network shares. This logging is a rich source of evidence about user interactions with files, irrespective of whether Internet Explorer is present on the system. Notably, these databases capture file access on systems up to and including Windows 11.

Key Insights:

  • File Access Tracking Through History Databases:

    • Entries for accessed files are recorded in a specific format, using the file:///C:// notation. This format highlights the method of access but does not confirm that the file was opened within the browser itself. Instead, it indicates that Internet Explorer was used to navigate to or attempt access to the file location.

  • Location of Internet Explorer History Files:

    • IE6-7:

      • %USERPROFILE%\Local Settings\History\History.IE5

    • IE8-9:

      • %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5

    • IE10-11 and Windows 10+:

      • %USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

Deeper Dive:

File Access Logging Mechanism:

  • Internet Explorer's recording of file access in its history databases is nuanced. The file:///C:// format denotes a file access, but it does not automatically mean the file was viewed or edited using Internet Explorer. Such entries signify navigation to or interaction with file paths, which can be initiated from the Internet Explorer address bar or through file browsing started within the browser.

Implications for Forensic Analysis:

  • The persistence of Internet Explorer history data on systems, even those where the application is no longer available, underscores the importance of this artifact for digital forensic investigations. It offers a way to trace back user activity regarding file access, which can be crucial when an investigation needs to establish access to specific files or directories.

Analyzing The Artifact:

  • Accessing Internet Explorer History Files: To analyze these artifacts, forensic analysts can use specialized tools designed to parse the contents of Internet Explorer history databases. This includes understanding the structure of WebCacheV*.dat files for newer versions of Windows, where traditional history files are replaced by a more complex database format.

  • Interpretation of Entries: Analyzing the file:///C:// entries requires a careful approach. Investigators need to differentiate between mere navigations within the browser and actual file interactions. The context of these entries, combined with other artifacts such as timestamps and user profiles, can provide a comprehensive view of the user's actions related to file access.
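
An added example (not from the original page or from any tool named on it): a Python triage pass over URL strings already exported from a history database, separating local-drive from network-share file: entries and decoding them into Windows paths. The row layout, the handling of a `Visited: user@` prefix, and all sample values are assumptions constructed for illustration; it goes slightly beyond the text by also accepting entries without that prefix.

```python
import re
from urllib.parse import unquote

# Constructed sample rows (access time, URL), shaped like a history export.
SAMPLE_ROWS = [
    ("2024-03-01 09:14:02", "Visited: alice@file:///C:/Users/alice/Documents/Q1%20budget.xlsx"),
    ("2024-03-01 09:20:45", "Visited: alice@file://fileserver01/finance/payroll.pdf"),
    ("2024-03-01 09:22:10", "Visited: alice@https://example.com/index.html"),
    ("2024-03-01 09:31:57", "Visited: alice@file:///E:/backup/archive.zip"),
]

# Optional "Visited: " label, optional "user@", then a file: URL (assumed layout).
ENTRY = re.compile(r"^(?:Visited:\s*)?(?:(?P<user>[^@/\s]+)@)?file:/*(?P<rest>.+)$", re.I)

def parse_file_entry(raw):
    """Return details for a file: history entry, or None for any other URL."""
    m = ENTRY.match(raw.strip())
    if not m:
        return None
    rest = unquote(m.group("rest"))               # %20 -> space, etc.
    win = re.sub(r"[/\\]+", r"\\", rest)          # collapse separators to "\"
    if re.match(r"^[A-Za-z]:", rest):             # drive letter -> local volume
        return {"user": m.group("user"), "kind": "local",
                "location": rest[0].upper() + ":", "path": win}
    host = win.split("\\")[0]                     # otherwise treat as \\host\share
    return {"user": m.group("user"), "kind": "network_share",
            "location": host, "path": "\\\\" + win}

def triage(rows):
    """Keep only file: entries, in order, with their timestamps attached."""
    out = []
    for when, url in rows:
        entry = parse_file_entry(url)
        if entry:
            out.append({"time": when, **entry})
    return out

if __name__ == "__main__":
    for e in triage(SAMPLE_ROWS):
        print(e["time"], e["user"], e["kind"], e["location"], e["path"])
```

The output only shows that a path was recorded in history; as noted above, it still needs corroboration from timestamps and other artifacts before concluding the file was opened.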

Tools for Analysis:

  • IEHistoryView: For older versions of Internet Explorer (IE6-9), tools like IEHistoryView can simplify the process of viewing and analyzing browser history entries.

  • ESEDatabaseView: For Internet Explorer 10-11 and Windows 10+ systems, ESEDatabaseView can be used to access and analyze the WebCacheV*.dat files, offering insights into the structured storage of history data.
