Saturday, October 10, 2015

IE 10+ History Format

In keeping with my constant discovery of lost accounts and prior presentations, I just checked my Prezi and found a couple of jewels. This one is on the switch between Internet Explorer history formats, from binary to the ESE database (Jet API). Enjoy.

Transcript of IE 10 History (old format, new system)

IE 10 History (old format, new system)
What is ESE?
Extensible Storage Engine (ESE), also known as JET Blue, is an ISAM (Indexed Sequential Access Method) data storage technology from Microsoft.
Why should I care?
Problem
All IE versions from 4.0 to 9.0 used the index.dat binary format for internet history.

IE10 changed that and now uses the Jet API, which builds on the ESE database format.

There are NO current tools to parse this new format, open source or otherwise, last I checked.
Dirty Shutdowns
If the database is not shut down cleanly, which it rarely is since it is locked ALL THE TIME by taskhostex.exe, it is left in a dirty state.
What to do?
Microsoft's JetApi to the rescue - sort of...


- blatant wiki ripoff definition
This is where IE 10 takes off
According to GetClicky and other site stat counters, IE makes up about 30% of all browser use and is holding steady. The steady drop-off in 9 and below versus the rise in 10+ is why we are interested.
Where is the history file?
C:\Users\\AppData\Local\Microsoft\WebCache\WebCachev1.0.dat
Now what?
Enumerate process handles to find which process has the db open, then kill it:


Process Inject to Force Handle Closing:


All of these result in a dirty db.
Options with the new file
Esentutl: Microsoft exe to restore/manage ESE dbs
usage: esentutl /p

OR!!

libesedb, brought to you by some kind folks here:
https://code.google.com/p/libesedb/


Since esentutl's restore/recovery feature has popups and warnings about data loss, I think the forensics professional in me would rather use a parsing lib than the M$ binary.

VSS API
Volume Shadow (Copy) Service allows you to take a snapshot of the volume holding the file in question and then copy the file over to a location of your choosing (including memory locations).



This still results in a dirty db, but since I'm using a parser lib, I'm largely fine with that.
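As an added example (not from the Prezi and not part of libesedb), the check below reads the database state field out of the ESE file header, so an IR tool can tell a clean shutdown from a dirty one before deciding between esentutl /p and a parsing lib. The header offsets follow libesedb's ESE database file format documentation; the sample header is constructed inline, not taken from a real WebCache file.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF

# Database state values as documented for the ESE file header.
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}


def parse_ese_header(data):
    """Parse the fixed part of an ESE database header (first page of the file).

    Offsets (per libesedb's EDB format documentation):
      4   file signature (0x89ABCDEF)
      8   file format version
      52  database state
      236 file format revision
      240 page size
    """
    if len(data) < 244:
        raise ValueError("header too short")
    signature, version = struct.unpack_from("<II", data, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database: signature 0x%08x" % signature)
    (state,) = struct.unpack_from("<I", data, 52)
    revision, page_size = struct.unpack_from("<II", data, 236)
    return {
        "version": version,
        "revision": revision,
        "page_size": page_size,
        "state": DB_STATES.get(state, "unknown (%d)" % state),
        # Anything other than a clean shutdown means the db needs recovery
        # or a parser that tolerates an inconsistent file.
        "dirty": state != 3,
    }


def check_file(path):
    """Read just the header of a db on disk (or a VSS copy of it)."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(4096))


def build_sample_header(state, page_size=32768):
    """Constructed sample header for testing; version/revision values are placeholders."""
    buf = bytearray(page_size)
    struct.pack_into("<II", buf, 4, ESE_SIGNATURE, 0x620)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<II", buf, 236, 0x14, page_size)
    return bytes(buf)
```

check_file() only reads the first 4 KiB, so it works on a snapshot copy without parsing the rest of the database.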
How do I use this thing?
Compile it as a static lib and include it in your C/C++ IR tool: the traditional dev way.

Add it as a resource and roll your own PE loader: the more awesomer way (x64 still needs some work).
