IE 10,11,Edge Browsing History
Overview
Evidence: IE 10,11,Edge Browsing History
Description: Collect visited URLs from Internet Explorer and Edge
Category: Applications
Platform: windows
Short Name: ehst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Internet Explorer 10-11 and Edge Legacy store browsing history in ESE database files (WebCacheV*.dat). Edge Chromium uses SQLite databases like Chrome.
These databases contain comprehensive browsing history including URLs, visit timestamps, and access counts.
Data Collected
This collector gathers structured data about IE 10, 11 and Edge browsing history.
IE 10,11,Edge Browsing History Data
Field | Description | Example
AccessTime | Access Time | 2023-10-15 14:30:25+03:00
AccessCount | Access Count | 123
URL | URL | Example value
Browser | Browser | Example value
Title | Title | Example value
VisitDuration | Visit Duration | Example value
Referrer | Referrer | Example value
TypedCount | Typed Count | 123
IsHidden | Is Hidden | true
TransitionType | Transition Type | Example value
VisitID | Visit ID | 123
TransitionQualifiers | Transition Qualifiers | Example value
User | User | Example value
Profile | Profile | Example value
HistoryFilePath | History File Path | Example value
Collection Method
This collector processes two database formats:
IE 10-11 & Edge Legacy (ESE):
Location: Users\*\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Parses using libesedb library
Extracts URLs from ESE database tables
Edge Chromium (SQLite):
Location: Users\*\AppData\Local\Microsoft\Edge\User Data\*\History
Queries SQLite database
SQL:
SELECT urls.url, urls.visit_count, datetime(...) FROM urls, visits WHERE urls.id = visits.url
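The urls/visits join described above, as an added example that is not the collector's own code: it reads a Chromium-format History database, converts the microseconds-since-1601 timestamps to UTC, and splits the transition value into its core type and qualifier bits. The mapping of database columns to this page's field names is an assumption, the timestamp conversion is done in Python rather than reproducing the elided datetime(...) expression, and the in-memory database is constructed sample data holding only the columns the query needs.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chromium time base
CORE = ["LINK", "TYPED", "AUTO_BOOKMARK", "AUTO_SUBFRAME", "MANUAL_SUBFRAME",
        "GENERATED", "AUTO_TOPLEVEL", "FORM_SUBMIT", "RELOAD", "KEYWORD",
        "KEYWORD_GENERATED"]
# The referrer is resolved by following visits.from_visit back to its URL.
QUERY = """
SELECT v.id, u.url, u.title, u.visit_count, u.typed_count, u.hidden,
       v.visit_time, v.visit_duration, v.transition, ru.url
FROM visits v JOIN urls u ON u.id = v.url
LEFT JOIN visits rv ON rv.id = v.from_visit
LEFT JOIN urls ru ON ru.id = rv.url
ORDER BY v.visit_time"""

def webkit_to_utc(microseconds):
    """Chromium stores timestamps as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def read_history(conn):
    """One dict per visit; keys follow this page's field names (assumed mapping)."""
    out = []
    for vid, url, title, cnt, typed, hidden, t, dur, tr, ref in conn.execute(QUERY):
        core = tr & 0xFF  # low byte: core transition type
        out.append({
            "VisitID": vid, "URL": url, "Title": title, "AccessCount": cnt,
            "TypedCount": typed, "IsHidden": bool(hidden),
            "AccessTime": webkit_to_utc(t),
            "VisitDuration": dur / 1_000_000,  # stored in microseconds
            "TransitionType": CORE[core] if core < len(CORE) else str(core),
            "TransitionQualifiers": tr & 0xFFFFFF00,  # upper bits: qualifier flags
            "Referrer": ref,
        })
    return out

def build_sample():
    """Constructed in-memory database (sample data, not real evidence)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                      visit_count INTEGER, typed_count INTEGER, hidden INTEGER);
    CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                        from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
    INSERT INTO urls VALUES (1,'https://portal.example/','Portal',2,1,0),
                            (2,'https://portal.example/login','Sign in',1,0,0);
    INSERT INTO visits VALUES (1,1,13341843025000000,0,805306369,4000000),
                              (2,2,13341843029000000,1,805306368,1500000);
    """)
    return conn

if __name__ == "__main__":
    for row in read_history(build_sample()):
        print(row)
```

On real evidence, run this against a working copy of the History file opened read-only, for example with `sqlite3.connect("file:History?mode=ro", uri=True)`, so the analysis does not modify the database.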
Forensic Value
Browser history is essential for investigating web-based attacks and user activity. Investigators use this data to reconstruct web browsing timelines, identify malicious domains visited, detect phishing site visits, correlate with malware downloads, track data exfiltration websites, and establish user intent and awareness.

