Legacy Edge and Internet Explorer store browsing history, cached content, cookies, and download records in a single Extensible Storage Engine (ESE) database — WebCacheV01.dat. This monolithic artifact survives browser history clearing, contains URL access timestamps with second-level precision, and records web activity from Windows system components that use WinINet/WinHTTP.
What Is WebCacheV01.dat?
WebCacheV01.dat is an ESE database used by Internet Explorer 10+, Legacy Edge (EdgeHTML), and Windows system components to store web cache metadata, browsing history, cookies, and download records. It uses the same database engine as Active Directory (ntds.dit), SRUM (SRUM.db), and Exchange Server. The database is locked by taskhostw.exe on a live system.
Unlike modern Chromium-based Edge (which uses Chrome-style SQLite databases), the legacy web cache stores everything in a single ESE database with multiple container tables. Each container has a ContainerId mapping to a specific data type. The database also stores cache entries for Windows components that use WinINet or WinHTTP: Windows Update, Office activation, Cortana, and Store apps all write entries, making it a surprisingly broad artifact.
WebCacheV01.dat records data from IE, Legacy Edge, AND Windows system components that use WinINet/WinHTTP. Entries may reveal Windows Update checks, Office activation calls, and Store app downloads — even if the user never opened a browser.
Location & Format
| File | Path | Notes |
|---|---|---|
| WebCacheV01.dat | C:\Users\{user}\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | Primary ESE database; locked by taskhostw.exe |
| Transaction logs | V01*.log in same directory | ESE transaction logs; may contain uncommitted data |
| Modern Edge | AppData\Local\Microsoft\Edge\User Data\Default\History | Chromium Edge uses SQLite; completely separate |
Container Structure
| Container | Content | Key Columns |
|---|---|---|
| History | URLs with access counts and timestamps | Url, AccessCount, AccessedTime, ModifiedTime |
| Content | Cached web content metadata | Url, Filename, FileSize, AccessedTime |
| Cookies | Cookie entries with domain and expiry | Url, CookieName, AccessedTime |
| iedownload | Download history | Url, Filename, AccessedTime |
| MSHist### | Daily history partitions | Date range encoded in container name |
Timestamps are Windows FILETIME (100-nanosecond intervals since January 1, 1601 UTC). The MSHist container names encode date ranges as MSHist01YYYYMMDDYYYYMMDD, making it easy to identify which partition contains relevant data.
What It Reveals
- Complete IE/Legacy Edge browsing history — URLs, access counts, and timestamps for every page visited.
- Cached content metadata — What files were cached, their sizes, and last access times.
- Cookie data — Domain, name, and sometimes value of cookies set by visited sites.
- Download records — URLs of downloaded files with destination paths and timestamps.
- System-level web requests — Windows Update, Office, Store, Cortana network activity.
- InPrivate remnants — Some entries persist after InPrivate sessions in certain IE versions.
- Cleared history data — ESE free pages may retain deleted records.
- Typed URLs — The Visited: prefix distinguishes typed from clicked navigation.
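The container and timestamp conventions above (FILETIME values, MSHist01YYYYMMDDYYYYMMDD partition names, and the Visited: prefix on typed entries) can be decoded with a few small helpers. The following is an added example, not code from the original article or from any of the tools it lists; it assumes rows have already been exported to CSV-style dictionaries with the column names from the container table, and the sample rows are constructed.

```python
# Added example, not from the original article: decode rows exported from
# WebCacheV01.dat containers (e.g. esedbexport / ESEDatabaseView CSV output).
# Covers FILETIME timestamps, MSHist partition names and the Visited: prefix.
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MSHIST_RE = re.compile(r"^MSHist01(\d{8})(\d{8})$")
VISITED_RE = re.compile(r"^Visited:\s*(?P<user>[^@]+)@(?P<url>.+)$")

def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; integer-divide to microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)

def parse_mshist_range(container):
    """Decode MSHist01YYYYMMDDYYYYMMDD into (start, end) dates; None for other containers."""
    m = MSHIST_RE.match(container)
    if not m:
        return None
    start, end = (datetime.strptime(d, "%Y%m%d").date() for d in m.groups())
    return start, end

def classify_url(raw):
    """Split 'Visited: user@url' (typed) from plain (clicked) history entries."""
    m = VISITED_RE.match(raw)
    if m:
        return "typed", m.group("user"), m.group("url")
    return "clicked", None, raw

# Constructed sample rows; column names follow the container table in the article.
SAMPLE_ROWS = [
    {"Container": "MSHist012024010120240102", "Url": "https://intranet.example.test/q3-report.docx",
     "AccessCount": 1, "AccessedTime": 133486632000000000},   # 2024-01-02 10:00:00 UTC
    {"Container": "History", "Url": "Visited: jdoe@https://webmail.example.test/compose",
     "AccessCount": 4, "AccessedTime": 133486635000000000},   # five minutes later
]

def build_timeline(rows):
    """Return decoded entries sorted by access time, oldest first."""
    out = []
    for r in rows:
        kind, user, url = classify_url(r["Url"])
        out.append({"accessed_utc": filetime_to_datetime(r["AccessedTime"]),
                    "kind": kind, "user": user, "url": url,
                    "count": int(r["AccessCount"]),
                    "partition": parse_mshist_range(r["Container"])})
    return sorted(out, key=lambda e: e["accessed_utc"])
```

A FILETIME of 0 decodes to the 1601 epoch and usually means the column was never set rather than a real access.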
Forensic Use Cases
1. Corporate Policy Violation
An employee uses IE to access personal webmail to exfiltrate documents as attachments. WebCacheV01.dat records every visit to the webmail domain with exact timestamps. The iedownload container may show files downloaded from the corporate intranet immediately before the webmail visits.
2. Malware Delivery Reconstruction
A drive-by download attack delivered malware through a compromised website. WebCacheV01.dat preserves the full URL chain: the initial page, the injected iframe, the exploit kit landing page, and the payload download URL, each with an independent timestamp.
3. Legacy System Investigation
Many enterprise environments still run IE11 for legacy intranet applications. WebCacheV01.dat is often the only browser artifact available on these systems, making it critical for investigations involving older infrastructure.
4. Windows Component Activity
Beyond browser usage, WebCacheV01.dat reveals when Windows Update checked for patches, when Office made activation calls, and when Store apps were downloaded — establishing whether the system was patched at the time of compromise.
5. History Recovery After Clearing
The user clears browsing history through IE settings. The ESE database marks records as deleted but does not overwrite pages. ESE-aware recovery tools can extract deleted entries from free pages.
Acquisition Methods
WebCacheV01.dat is locked by taskhostw.exe on a live system, so acquire it through VSS, KAPE, or a raw-disk copy. Always collect the V01*.log transaction logs alongside the database: a copy taken from a running system is normally in a dirty-shutdown state (visible in the header via esentutl /mh), and parsers may refuse it or miss recent entries until the logs are replayed. Run esentutl /r V01 /d against the collected copy before parsing to replay uncommitted transactions.
```batch
:: Using KAPE
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target WebCache

:: Using VSS to bypass file lock
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\jdoe\AppData\Local\Microsoft\Windows\WebCache\* C:\Evidence\WebCache\

:: Repair dirty database before parsing
esentutl /r V01 /d /l C:\Evidence\WebCache\ /s C:\Evidence\WebCache\
```
Parsing Tools & Analysis
| Tool | Author | License | Notes |
|---|---|---|---|
| ESEDatabaseView | NirSoft | Freeware | GUI ESE viewer; browse containers and export to CSV/HTML |
| libesedb | Joachim Metz | Open source | Linux-native; esedbexport extracts all tables to CSV |
| BrowsingHistoryView | NirSoft | Freeware | Parses history containers from WebCacheV01.dat |
| Hindsight | Obsidian Forensics | Open source | Multi-browser parser with WebCache support |
| X-Ways Forensics | X-Ways | Commercial | Native ESE parsing with WebCache analysis |
Retention & Persistence
| Property | Details |
|---|---|
| History retention | Default 20 days for IE; configurable via Group Policy |
| Cache retention | Space-limited; oldest entries evicted when size exceeded |
| Survives history clearing | Partially — ESE free pages may retain deleted records |
| Survives reboot | Yes — on-disk ESE database |
| Modern Edge coexistence | WebCacheV01.dat persists alongside Chromium Edge data |
Version Differences
| Browser | Database | Format | Notes |
|---|---|---|---|
| IE 10+ | WebCacheV01.dat | ESE | Full history, cache, cookies, downloads |
| IE 9 and earlier | index.dat | Binary | Legacy; separate file per content type |
| Legacy Edge | WebCacheV01.dat | ESE | Shares database with IE |
| Chromium Edge | History, Cookies | SQLite | Chrome-style; completely separate |
Anti-Forensics Resilience
| Action | Effect | Recovery |
|---|---|---|
| Clear browsing history | Marks records as deleted in ESE | Free-page carving may recover entries |
| CCleaner | Clears containers; may compact database | Limited if compacted; disk-level carving possible |
| InPrivate browsing | Some entries may leak in certain IE versions | Check containers for InPrivate remnants |
| Manual deletion | Requires stopping taskhostw.exe | File carving; $MFT entry persists |
MITRE ATT&CK Detection Mapping
| Technique | Name | WebCache Evidence |
|---|---|---|
| T1071.001 | Web Protocols | History for C2 panel or webshell URLs |
| T1189 | Drive-by Compromise | URL chain through exploit kit pages |
| T1567 | Exfiltration Over Web Service | History for cloud storage upload pages |
| T1070.003 | Clear Command History | Cleared history recoverable from free pages |
Related Artifacts & Cross-References
| Artifact | Relationship | Cross-Correlation Value |
|---|---|---|
| Chromium Edge History | Modern Edge data alongside legacy WebCache | Both may contain data on Win10/11 |
| SRUM.db | Browser network transfer volumes | Correlates browsing with network usage |
| DNS Cache | Resolved domains for visited URLs | Confirms activity if history cleared |
| Typed URLs Registry | NTUSER.DAT\Software\Microsoft\IE\TypedURLs | Independent record of typed URLs |
| Proxy/Firewall Logs | Network-level connections | Independent confirmation with timestamps |
References
- NirSoft, “ESEDatabaseView” — nirsoft.net
- Joachim Metz, “libesedb” — github.com/libyal/libesedb
- SANS Institute, “IE and Edge Forensics” — sans.org
- Obsidian Forensics, “Hindsight” — github.com
- Microsoft, “ESE Database Engine” — learn.microsoft.com
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in ESE database analysis, browser forensics, and web activity reconstruction.
mjolnirsecurity.com — 24/7: +1 833 403 5875