Difference between revisions of "Internet Explorer"

From Forensics Wiki
(External Links)
 
(19 intermediate revisions by one user not shown)
Line 4: Line 4:
  
 
== MSIE 4 to 9 ==
 
== MSIE 4 to 9 ==
MSIE 4 to 9 uses the [[Internet Explorer History File Format]] (or MSIE Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.
+
MSIE 4 to 9 uses the [[Internet Explorer History File Format]] (or MSIE 4-9 Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.
  
 
== MSIE 10 ==
 
== MSIE 10 ==
 
 
<pre>
 
<pre>
 
C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\
 
C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\
 
</pre>
 
</pre>
  
To do: confirm if these files are in the [[Extensible Storage Engine (ESE) Database File (EDB) format]]
+
The WebCacheV01.dat and WebCacheV24.dat files are in the [[Extensible Storage Engine (ESE) Database File (EDB) format]]
 +
 
 +
== Configuration ==
 +
Internet Explorer will apply its setting in the following order, where the lower the order overrides settings in the higer order.
 +
# Settings in Machine policy key
 +
# Settings in User policy key
 +
# Settings in User preference key
 +
# Settings in Machine preference key
 +
 
 +
Machine policy key
 +
<pre>
 +
HKET_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
 +
</pre>
 +
 
 +
Machine preference key
 +
<pre>
 +
HKET_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
 +
</pre>
 +
 
 +
User policy key
 +
<pre>
 +
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
 +
</pre>
 +
 
 +
User preference key
 +
<pre>
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
 +
</pre>
 +
 
 +
=== Security Zones ===
 +
0 - My Computer
 +
 
 +
1 - Local Intranet Zone
 +
 
 +
2 - Trusted Sites Zone
 +
 
 +
3 - Internet Zone
 +
 
 +
4 - Restricted Sites Zone
 +
 
 +
5 - Custom
 +
 
 +
=== WPAD ===
 +
<b>TODO add some text</b>
 +
 
 +
== Artifacts ==
 +
=== Recovery store ===
 +
<b>TODO add some text</b>
 +
 
 +
On Windows Vista and later:
 +
<pre>
 +
C:\Users\%USER%\AppData\Local\Microsoft\Internet Explorer\Recovery
 +
</pre>
 +
 
 +
=== Typed URLs ===
 +
Internet Explorer stores the cached History (or Address box) entries in the following Windows Registry key [http://support.microsoft.com/kb/157729].
 +
<pre>
 +
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
 +
</pre>
  
 
== See Also ==
 
== See Also ==
* [[Internet Explorer History File Format]]
+
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]
 +
* [[Internet Explorer History File Format|Internet Explorer 4-9 Cache File Format]]
  
 
== External Links ==
 
== External Links ==
 
* [http://kb.digital-detective.co.uk/display/NetAnalysis1/Internet+Explorer+Cache Internet Explorer Cache]
 
* [http://kb.digital-detective.co.uk/display/NetAnalysis1/Internet+Explorer+Cache Internet Explorer Cache]
 
* [http://support.microsoft.com/kb/182569 Internet Explorer security zones registry entries for advanced users], by [[Microsoft]]
 
* [http://support.microsoft.com/kb/182569 Internet Explorer security zones registry entries for advanced users], by [[Microsoft]]
 +
* [http://technet.microsoft.com/en-us/library/cc302643.aspx Troubleshooting Automatic Detection], by [[Microsoft]]
 
* [http://www.microsoft.com/en-us/download/details.aspx?id=11575 Windows Virtual PC VHDs for testing websites with different Internet Explorer versions], by [[Microsoft]]
 
* [http://www.microsoft.com/en-us/download/details.aspx?id=11575 Windows Virtual PC VHDs for testing websites with different Internet Explorer versions], by [[Microsoft]]
 +
* [http://tojoswalls.blogspot.ch/2013/05/java-web-vulnerability-mitigation-on.html Java Web Vulnerability Mitigation on Windows], by Tim Johnson, May 23, 2013
 +
 +
=== Recovery store ===
 
* [http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity], by [[Yogesh Khatri]], September 29, 2011
 
* [http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity], by [[Yogesh Khatri]], September 29, 2011
 +
 +
=== Typed URLS ===
 +
* [http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ TypedURLs (Part 1)], by Paul Nichols, March 14, 2011
 +
* [http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/ TypedURLs (Part 2)], by Paul Nichols, March 23, 2011
 +
* [http://randomthoughtsofforensics.blogspot.co.uk/2012/07/trouble-with-typedurlstime.html The Trouble with TypedUrlsTime], by Ken Johnson, July 4, 2012
 +
* [http://sketchymoose.blogspot.ch/2014/02/typedurls-registry-key.html TypedURLs Registry Key], Sketchymoose's Blog, February 18, 2014
 +
 +
=== Internet Explorer 10 ===
 +
* [http://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/ Windows 8 Forensics: Internet History Cache], by Ethan Fleisher, August 21, 2012
 +
* [http://hh.diva-portal.org/smash/get/diva2:635743/FULLTEXT02.pdf Forensic Analysis of ESE databases in Internet Explorer 10], by Bonnie Malmström & Philip Teveldal, June 2013
  
 
[[Category:Applications]]
 
[[Category:Applications]]
 
[[Category:Web Browsers]]
 
[[Category:Web Browsers]]
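Review bot: in the added Configuration section, both machine key paths are written "HKET_LOCAL_MACHINE"; the hive name is HKEY_LOCAL_MACHINE, so the two paths will not resolve if pasted into a registry tool as written. In the same section, the precedence sentence ("the lower the order overrides settings in the higer order") misspells "higher" and does not say whether "lower" refers to the lower list number or the lower position in the list; it should state outright which of the four keys wins. The added WPAD and Recovery store sections still contain only "TODO add some text", and the new External Links heading "Typed URLS" is capitalised differently from the "Typed URLs" heading under Artifacts.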

Latest revision as of 00:15, 11 April 2014


Microsoft Internet Explorer (MSIE) is the default Web Browser included with Microsoft Windows.


MSIE 4 to 9

MSIE 4 to 9 uses the Internet Explorer History File Format (or MSIE 4-9 Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.

MSIE 10

C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\

The WebCacheV01.dat and WebCacheV24.dat files are in the Extensible Storage Engine (ESE) Database File (EDB) format.

Configuration

Internet Explorer will apply its settings in the following order, where the lower order overrides settings in the higher order.

  1. Settings in Machine policy key
  2. Settings in User policy key
  3. Settings in User preference key
  4. Settings in Machine preference key

Machine policy key

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Machine preference key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

User policy key

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

User preference key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Security Zones

0 - My Computer

1 - Local Intranet Zone

2 - Trusted Sites Zone

3 - Internet Zone

4 - Restricted Sites Zone

5 - Custom

WPAD

TODO add some text

Artifacts

Recovery store

TODO add some text

On Windows Vista and later:

C:\Users\%USER%\AppData\Local\Microsoft\Internet Explorer\Recovery

Typed URLs

Internet Explorer stores the cached History (or Address box) entries in the following Windows Registry key [1].

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
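
The following is an added example, not part of the original wiki page: it reads a text `reg export` of the TypedURLs key offline and lists the entries in numeric order, so that url10 does not sort ahead of url2. It assumes the values are named url1..urlN and that the sibling TypedURLsTime key (the subject of one of the external links) holds an 8-byte FILETIME under the same value names; the sample export and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in `reg export` text form; not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url10"="http://example.org/archive"
"url1"="http://www.example.com/"
"url2"="file:///C:/Users/test/Documents/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLsTime]
"url1"=hex:00,00,00,00,00,00,d0,01
"url2"=hex:00,00,00,00,00,00,00,00
'''
KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw):
    """Decode a little-endian FILETIME (100 ns ticks since 1601-01-01 UTC).
    A zero value or a wrong length is treated as unset and gives None."""
    ticks = int.from_bytes(raw, "little") if len(raw) == 8 else 0
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def parse_reg(text):
    """Return {key_path: {value_name: str or bytes}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith("hex:"):
                # Assumption: the binary value fits on one line (true for 8 bytes)
                current[name] = bytes.fromhex(re.sub(r"[^0-9a-f]", "", data[4:].lower()))
            elif data.startswith('"'):
                # .reg strings escape backslashes and double quotes
                current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys

def typed_urls(text):
    """List (index, url, utc_time_or_None) ordered by numeric urlN index."""
    keys = parse_reg(text)
    urls, times = keys.get(KEY, {}), keys.get(KEY + "Time", {})
    rows = []
    for name, url in urls.items():
        m = re.fullmatch(r"url(\d+)", name)
        raw = times.get(name, b"")
        if m and isinstance(url, str) and isinstance(raw, bytes):
            rows.append((int(m.group(1)), url, filetime_to_utc(raw)))
    return sorted(rows, key=lambda r: r[0])
```

`reg export` writes UTF-16 files, so decode the file with `encoding="utf-16"` before passing its text to `typed_urls`.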

See Also

External Links

Recovery store

Typed URLS

Internet Explorer 10