IE 10-11 & Edge Browsing History
Overview
Evidence: IE 10 11 Edge Browsing History
Description: Collect Visited URLs from Internet Explorer and Edge
Category: Browsing History
Platform: Windows
Short Name: ehst
Is Parsed: Yes - ESE and SQLite databases parsed
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Internet Explorer 10-11 and Edge Legacy store browsing history in ESE database files (WebCacheV*.dat). Edge Chromium uses SQLite databases like Chrome.
These databases contain comprehensive browsing history including URLs, visit timestamps, and access counts.
Data Collected
BrowserAccessTime: When URL was accessed (example: 2023-10-15T14:30:00)
BrowserAccessCount: Number of times visited (example: 5)
BrowserURL: URL visited (example: https://www.example.com)
Browser: Browser identifier (example: IE 10-11 & Edge)
Collection Method
This collector processes two database formats:
IE 10-11 & Edge Legacy (ESE):
Location: Users\*\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Parses using libesedb library
Extracts URLs from ESE database tables
Edge Chromium (SQLite):
Location: Users\*\AppData\Local\Microsoft\Edge\User Data\*\History
Queries SQLite database
SQL: SELECT urls.url, urls.visit_count, datetime(...) FROM urls, visits WHERE urls.id = visits.url
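The Edge Chromium path worked through end to end, as an added example (not the collector's own code): it queries a read-only copy of a History file with the same join and maps the rows to the field names listed under Data Collected. The timestamp conversion assumes Chromium's visit_time encoding (microseconds since 1601-01-01 UTC); read_history, make_sample and the sample rows are constructed for illustration.

```python
import pathlib
import shutil
import sqlite3
import tempfile
from datetime import datetime

EPOCH_DELTA = 11644473600  # seconds between 1601-01-01 and 1970-01-01

# Same join as the collector's query; the timestamp expression is this
# example's own conversion, not taken from the page.
QUERY = f"""
SELECT urls.url, urls.visit_count,
       strftime('%Y-%m-%dT%H:%M:%S',
                visits.visit_time / 1000000 - {EPOCH_DELTA}, 'unixepoch')
FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time
"""

def read_history(history_path):
    """Return one record per visit from a Chromium-format History file."""
    with tempfile.TemporaryDirectory() as tmp:
        # Query a read-only copy: the live file may be locked by the browser.
        copy = pathlib.Path(tmp) / "History"
        shutil.copy2(history_path, copy)
        con = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(QUERY).fetchall()
        finally:
            con.close()
    return [{"BrowserAccessTime": t, "BrowserAccessCount": c, "BrowserURL": u}
            for u, c, t in rows]

def make_sample(path):
    """Constructed sample database: only the columns the query touches."""
    def webkit(iso):  # ISO UTC time -> Chromium microsecond timestamp
        return (int(datetime.fromisoformat(iso + "+00:00").timestamp()) + EPOCH_DELTA) * 1_000_000
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://www.example.com', 2);
    """)
    con.executemany("INSERT INTO visits(url, visit_time) VALUES (1, ?)",
                    [(webkit("2023-10-15T14:30:00"),), (webkit("2023-10-16T09:05:10"),)])
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(pathlib.Path(d) / "History")
        print(read_history(pathlib.Path(d) / "History"))
```

Because the join returns one row per visit, BrowserAccessCount repeats the URL's total on every row rather than counting up per visit.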
Usage
Browser history is essential for investigating web-based attacks and user activity. Investigators use this data to reconstruct web browsing timelines, identify malicious domains visited, detect phishing site visits, correlate with malware downloads, track data exfiltration websites, and establish user intent and awareness.
Known Limitations
Private/InPrivate browsing not recorded
History can be cleared by users
Database may be locked by browser
ESE databases require recovery if corrupted
Notes
Edge Chromium uses the same database format as Google Chrome. The WebCache databases can be finicky and may require ESE database recovery (esentutl /r) before parsing.