Following on from my recent Cortana blog I have decided to highlight another Windows 10 component, the new Microsoft Edge web browser.

Microsoft Edge, previously known as “Spartan”, is an all-new “universal” Microsoft application built around a new rendering engine. As such I expected the actual forensic artefacts to be in a new or different format from those of Internet Explorer (IE) version 11. This was not the case.

Since IE10, browsing history records are no longer stored in Index.DAT files but in an Extensible Storage Engine (ESE) database, and Microsoft Edge is no different. In fact, most of the Edge artefacts are stored in ESE databases.

Edge Artefacts

The Edge settings are stored in the following ESE database:

  • \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb

Note the naming convention of this database - it seems strange that Microsoft didn’t bother to rename this file when they renamed the browser itself. In any case, this database contains the following tables:

▫ FileCleanup

▫ Folder

▫ FolderStash

▫ MSysLocales

▫ MSysObjects

▫ MSysObjectsShadow

▫ MSysObjids

▫ ReadingList

▫ RowId

The Edge cached files are stored in the following directory:

  • \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\

The Edge last active browsing session is stored in the following directory:

  • \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\

Being Microsoft, there is of course a legacy version of IE (version 11) included in Windows 10 (just in case you don’t like the new browser), and interestingly enough both Edge and IE history records are stored in the same database:

  • \Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

This ESE database can be interpreted with EseDbViewer, ESEDatabaseView or Joachim Metz’s excellent esedbexport tool. Just be aware that, depending on how the computer was shut down, this database may have been left in a “dirty” (uncleanly dismounted) state, in which case you may need to run esentutl.exe (from the host OS) to bring it to a clean state before it can be parsed correctly.

As well as the history records, this database also stores cookies, HTTP POST request header packets (in hex) and downloads.

This database contains the following tables:

▫ AppCache_n

▫ AppCacheEntry_n

▫ Container_n

▫ DependencyEntry_n

▫ HstsEntry_n

▫ LeakFiles

▫ MSysLocales

▫ MSysObjects

▫ MSysObjectsShadow

▫ MSysObjids

▫ Partitions

[Figure: example HTTP header in hex taken from the WebCacheV01.dat ESE database]

The Container_n tables contain the most relevant information: web sites visited, cookie details and cache file entries. The dates and times associated with the entries in these tables are again in Google Chrome Value format (the same as Cortana), in the timezone of the local machine; the values can be decoded with DCode (but you will need to omit the last digit). Alternatively, the esedbexport tool will decode these timestamps for you if the database is parsed with it.

Container_n table columns: EntryId, ContainerId, CacheId, UrlHash, SecureDirectory, FileSize, Type, Flags, AccessCount, SyncTime, CreationTime, ExpiryTime, ModifiedTime, AccessedTime, PostCheckTime, SyncCount, ExemptionDelta, Url, Filename

Example record (exported with the timestamps decoded; the column values have run together as extracted):

201220284570276979030000119413113781 Sep 29, 2015 10:12:29.116660700 Sep 29, 2015 10:12:29.098233300 Sep 29, 2015 09:12:29.098233300 Jan 01, 1601 00:00:00.000000000 Sep 29, 2015 10:12:29.116660700 000 http://4236808.fls.doubleclick.net/activityi;src=… activityi;src=4236808;type=invmedia;cat=p0e6wcb6;ord=1126835293[1].htm

It is important to note that if a user has logged into the computer with a Microsoft Account, and then logged into another computer with the same Microsoft Account, all of their browsing history is synched across all devices. That is, every website visited in Microsoft Edge will be detailed in this ESE database, along with the date the website was visited.

What this means from a digital forensics perspective is that there is no definitive way to know whether a website entry in the browser history was visited on a particular computer. This can have major implications when conducting internet investigations where pinning a user to a particular computer at a particular time is imperative.

InPrivate Browsing (aka PrivacIE):

Microsoft introduced InPrivate Browsing to protect users from others snooping on their browsing history, for example when you wanted to log into Ashley Madison, prior to their breach of course! In Microsoft’s own words,

“InPrivate Browsing prevents Internet Explorer from storing data about your browsing session. This helps prevent anyone else who might be using your computer from seeing where you visited and what you looked at on the web.”

This is similar to Incognito mode in Chrome and Private mode in Firefox. InPrivate Browsing was introduced in Internet Explorer version 8, and is also included in Microsoft Edge.

“When you use Microsoft Edge in InPrivate mode, your browsing information, such as cookies, history, or temporary files, aren’t saved on your device after your browsing session has ended. Microsoft Edge clears all temporary data from your device.”

So just how private is InPrivate Browsing mode in Microsoft Edge? Not as private as Microsoft would lead you to believe. Through my research I have discovered that the websites visited while running in PrivacIE mode are still stored in the same IE/Edge WebCacheV01.dat ESE database.

The website history records are stored in the Container_n table. This table has a field called “Flag”; if the website was visited in PrivacIE mode, the value of this field will be “8”.

If the last open browsing session was in PrivacIE mode, these records will also appear in the Last Browsing Session database stored in

  • \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\{browsing-session-ID}.dat

This information is generally used to recover sessions which were closed unexpectedly, but for PrivacIE sessions Microsoft Edge doesn’t give you that option.

The ESE log files often contain information from the PrivacIE browsing session too; these log files can be found in the following directory:

  • \Users\user_name\AppData\Local\Microsoft\Windows\WebCache\

The actual cached files for websites visited in PrivacIE mode are also written to disk and can be found in the usual cache directories:

  • \Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\xxxx\

You can identify these PrivacIE cached entries by correlating them with the records in the Container_n table described above via the “8” flag value.
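The two steps above (decoding the Container_n timestamps, then pulling out the records flagged “8” and matching their Filename column against the cache directory) can be scripted over a table export. The following is an added example written for this post, not code from the post itself or from any of the tools it mentions. It assumes a tab-separated export of a Container_n table with a header row (esedbexport-style), and it assumes that the raw 64-bit timestamp counts 100-nanosecond ticks since 1601-01-01 UTC (Windows FILETIME), which is exactly why dropping the last decimal digit turns it into the microsecond value that DCode’s Google Chrome Value decoder expects. The sample rows are constructed, and the “8” flag test follows the post’s description rather than any documented bitmask.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Epoch shared by Windows FILETIME and the "Google Chrome Value": 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Flags value the post associates with InPrivate (PrivacIE) history records.
INPRIVATE_FLAG = 8


def filetime_to_datetime(raw):
    """Decode a raw 64-bit Container_n timestamp to an aware UTC datetime.

    Assumption: the value counts 100-nanosecond ticks since 1601-01-01 UTC
    (Windows FILETIME). A value of 0 (shown by viewers as Jan 01, 1601)
    means 'not set' and is returned as None.
    """
    raw = int(raw)
    if raw == 0:
        return None
    # 100 ns ticks // 10 == microseconds, which timedelta can carry exactly.
    return EPOCH_1601 + timedelta(microseconds=raw // 10)


def filetime_to_chrome_value(raw):
    """Return the microseconds-since-1601 value DCode's Chrome decoder takes.

    Integer division by 10 is the same as 'omitting the last digit'.
    """
    return int(raw) // 10


# Constructed sample of a tab-separated Container_n export (a subset of the
# real columns). Row 2012 is a normal visit; 2013 and 2014 carry Flags == 8.
SAMPLE_EXPORT = (
    "EntryId\tContainerId\tFlags\tAccessCount\tCreationTime\tAccessedTime\tUrl\tFilename\n"
    "2012\t1\t0\t3\t130879951490982333\t130879951491166607\thttp://example.com/normal\tnormal[1].htm\n"
    "2013\t1\t8\t1\t130879951520000000\t130879951520000000\thttp://example.com/private\tprivate[1].htm\n"
    "2014\t1\t8\t1\t130879951530000000\t0\thttp://example.com/private2\t\n"
)


def parse_container_export(text):
    """Parse the export into dicts with decoded timestamps."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        rows.append({
            "entry_id": int(row["EntryId"]),
            "flags": int(row["Flags"]),
            "url": row["Url"],
            "filename": row["Filename"],
            "created": filetime_to_datetime(row["CreationTime"]),
            "accessed": filetime_to_datetime(row["AccessedTime"]),
        })
    return rows


def inprivate_records(rows):
    """Records the post identifies as InPrivate: Flags equal to 8."""
    return [r for r in rows if r["flags"] == INPRIVATE_FLAG]


def cache_files_to_correlate(rows):
    """Filenames of InPrivate records to look for under the Edge Cache directory."""
    return sorted({r["filename"] for r in inprivate_records(rows) if r["filename"]})


if __name__ == "__main__":
    parsed = parse_container_export(SAMPLE_EXPORT)
    for rec in inprivate_records(parsed):
        when = rec["accessed"].isoformat() if rec["accessed"] else "(not set)"
        print(rec["entry_id"], when, rec["url"], rec["filename"] or "(no cache file)")
    print("cache files to correlate:", cache_files_to_correlate(parsed))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the decoded datetimes are UTC, so apply the machine’s timezone afterwards if you want to match what the viewers display.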

So what does all this tell you about PrivacIE mode? Well, it isn’t that private after all. If you are hiding from a spouse or partner it may suffice, but if you are trying to cover your tracks you’d better guess again: any good forensicator will be able to identify and recover your browsing history in a matter of minutes.


RESOURCES:

  1. esedbtools - https://github.com/libyal/libesed…
  2. ESEDatabaseViewer - http://www.nirsoft.net/utils/ese_data…
  3. DCode - http://www.digital-detective.net/digital-forensic-software/free-tools/

Any questions, get in touch.

Don’t forget to connect on LinkedIn & Twitter.