Have just upgraded my Windows Server 2008 R2 XenApp 5.0 servers from IE 9 to IE 10 and noticed that cookies were not working after a logoff. Everything was fine whilst the user was logged on, so cookies were working within that Windows session. But log off Windows and log back on again and any website settings stored in cookies were lost.
The cookies themselves default to the following folder:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies\Low
(the Low folder is assuming you run IE in Protected mode, which you should)
If you use the AppData(Roaming) Folder Redirection Group Policy setting to redirect the Roaming folder (which you should) then the folder will obviously end up in a folder down the path you specified instead.
The cookies themselves are just .txt files with eight character hexadecimal names, and do get stored in the Cookies folder, but you’ll notice that they’re not read when you log back on to Windows, instead new cookies are created.
This is because as of IE 10 there’s a different format and location for the database that keeps track of which cookie file to use with each website you visit. This file lives here:
%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
As you may know, the whole of the AppData\Local folder gets deleted when you log off, if you have a roaming profile.
The workaround to make cookies work is to set a Group Policy Preference to set the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
to point to a user folder on a file server, possibly a subfolder of the one where you already redirect the AppData(Roaming) to. The folder you specify will be created when the user logs on.
Note that the initial size for the WebCacheV01.dat file is about 33MB, so if you have a lot of users you might want to monitor the space usage on your file server more closely for a while after making the above change.
Also, you shouldn’t end up with all your Temporary Internet Files being redirected as these will stay in the Local part of the profile thanks to the registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
which points specifically to a folder within the %USERPROFILE%\AppData\Local folder structure.
Likewise the Temp folder, %TEMP% environment variable, also references %USERPROFILE% in the registry value:
HKEY_CURRENT_USER\Environment\Temp
so the user Temp folder also stays on the C: drive.
Also, I’ve not had this running live in my environment for long, so there may be undesired side effects that I’ve yet to notice. If you find any please let me know!
Update 2014-02-06
Have been running this with no strange side effects (that I’ve been made aware of), I have several thousand users. The only downside (as mentioned above) is that if your storage is tight, each user will end up with a copy of the ~33MB database file – but that’s not a problem with the workaround, it’s just how IE has been designed. You’ll get the same file stored on any machine running IE10 (or 11). And you’d get the same issue if the WebCacheV01.dat file had been stored in the Roaming part of the profile anyway.
Tip: Use a Windows 2012 (or higher) file server to hold the redirected application data and turn on data deduplication – these database files dedupe quite spectacularly – especially when they’re new as they’re mostly empty.
Browser Forensics is of no small importance in digital forensics for understanding how an attack on a computer or computer network began and finding the source of compromise. For example, if we investigate the web browser of a suspect and see that
the suspect was downloading or searching online for information on steganography and
encryption tools, this will give a clear sign that this user may employ such techniques to
conceal secret data. Also, the main sources of malware/spyware/adware are e-mails in addition to
social networking web sites, and all these resources are usually accessed using
web browsers.
Throughout the process of sending, receiving, processing, and presenting data, the browser creates many artifacts on a system. Nearly all web browsers maintain the following:
- History
- Cookies
- Cache
- Sessions
- Typed URLs
- Favourites
- Most visited sites
- Screenshots
- Form values (Searches, Autofills)
- Downloads
- Financial information
Difficulties of Web Browser Forensics
The following challenges may be encountered by a digital forensics examiner when analysing web browser artifacts:
- Many browsers, lots of data
- Encryption used to protect users’ data
- Use of Private mode or Incognito mode by the suspect in which the examined computer does not contain web browser artifacts
Forensics Analysis of Web Browser
The focus of this post is on Windows systems, so we will begin with the Windows
default web browser, Internet Explorer (IE), and its new successor, Microsoft Edge.
Internet Explorer
One of the most famous browsers in the web browser market is Internet Explorer. Internet Explorer (IE) is a closed-source web browser maintained by Microsoft. Microsoft purchased the underlying technology from Spyglass—the developers of the Mosaic web browser. IE is
installed by default on the Windows OS and is typically the browser most supported in
large-scale enterprises.
In Windows 10, Microsoft replaced Internet Explorer with Microsoft Edge. Microsoft Edge (code name Spartan) is the default
browser for Windows 10. This is a lightweight web browser that integrates with the
Cortana feature available in Windows 10, allowing a user to complete many tasks (e.g.,
open web pages, conduct online searches) using voice commands only. Microsoft plans to replace Internet Explorer with Microsoft Edge on all devices, including Android and iOS mobile devices. Internet Explorer and Microsoft Edge can work in InPrivate mode without storing information about the web activities of the user.
Cookies
\Windows\Cookies\ (Windows 98) (Internet Explorer)
\Documents and Settings\Administrator\Cookies (Windows 2000, Windows XP) (Internet Explorer)
\Users\%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies (Windows 7) (Internet Explorer)
\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies (Windows 7) (Internet Explorer)
\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\XXXXXXXX.cookie (or XXXXXXXX.txt file) (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Microsoft\Windows\INetCookies\ (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Microsoft\Windows\INetCookies\Low\ (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\ (Microsoft EDGE, Windows)
\Users\%userprofile%\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\AC\INetCookies\
Cache
\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Microsoft EDGE)
\Users\%userprofile%\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\xxxxxxxx\ (Microsoft EDGE)
Favourites
\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore (for later versions) (Microsoft EDGE)
\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Favorites (for early versions) (Microsoft EDGE)
Session
\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{07677C23-6987-4777-B133-5AC24BD039F5}.dat (Microsoft EDGE, Windows)
Session Recovery
\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{A7D7A4FC-7458-11E6-9BCD-000C29566E3E}.dat (Microsoft EDGE)
Downloads
\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Microsoft EDGE)
URLs
\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (Microsoft EDGE)
How These Data Are Stored
IE (version 9 and below) uses a file called index.dat; this is a database file used
to improve the overall performance of IE by indexing various contents (e.g., store
all the URLs you have visited using IE in addition to search queries, cookies, and
recently opened files) in one place to offer a more customized experience for the
user. For example, when a user wants to access a previously visited web page, IE
can autocomplete the web address as the user types it in the browser address bar by
retrieving browsing history from a particular index.dat file.
The location of index.dat files is different for each version of Windows; for instance,
index.dat files in Windows 7 can be found at the following locations.
\Users\%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
\Users\%userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
Other locations of index.dat files in various Windows versions can be found here.
Newer versions of IE (versions 10 and 11), which come preinstalled with Windows 8
and 10, do not have index.dat files; instead, they use a file called “WebCacheV01.dat” to
store all user browsing information (the information that was previously handled by the
index.dat file). This file can be found at
\Users\%userprofile%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Edge browser storage relies on an ESE database named spartan.edb and WebCacheV01.dat to store its configuration settings; the
database is located at
\Users\%userprofile%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\
MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxx-xxx\DBStore\spartan.edb
Google Chrome
Another popular web browser is Google Chrome. This is the fastest and most used web browser on desktop computers worldwide today;
most digital forensics examiners will likely come across this browser in one of their
investigations.
Google published much of the browser’s source code as part of the
open-source Chromium project. Google uses Chromium as the base source code and
adds in branding and a few features, including a Flash player, PDF viewer, and an auto-updater, before releasing it as Chrome.
Third-party developers have created a huge number of web browsers based on the Chrome Engine, such as: 360 Extreme Explorer, Avast SafeZone, Chromium, Comodo Dragon, CoolNovo, Cốc Cốc, Epic Browser, Flock, Vivaldi, Rockmelt, Sleipnir, SRWare Iron, Titan Browser, Torch Browser, Yandex.Browser, Opera, Orbitum, Breach, Nihrome, Perk, QIP Surf, Baidu Spark, Uran, Chromodo, Sputnik, Amigo, etc.
Most web browsers that are based on the Chromium project are going to store data
in a similar way; this fact allows examiners to use the same investigative techniques used
with Google Chrome to investigate these browsers, making investigating Google Chrome
act as a standard template for most Chromium-based web browsers.
Google Chrome stores most of its
configuration settings and user private information in SQLite databases; these databases
are files without extensions, so do not get confused on how to open them when using
SQLite browser. Manual analysis of these databases and carving will allow you to extract the maximum amount of data.
The Google Chrome profile is where Google Chrome stores its configuration settings,
apps, bookmarks, and extensions. Google Chrome can have more than one profile;
however, there is also a default profile that can be found at:
\Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Default
If there is more than one profile in Google Chrome, each profile will have its own
folder where browser settings and user (profile owner) private data (e.g., passwords,
browsing history, bookmarks, etc.) is stored. Google Chrome does not name any
additional profile according to its username; instead, it uses a generic name (e.g.,
Profile 1, Profile 2, and so on). The location of additional Chrome profiles can be
found here:
\Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Profile x
#(x could be any positive integer number beginning from 1)
We can browse target sqlite database tables and their content using DB Browser for SQLite.
Firefox
Firefox is a free, open-source web browser developed by Mozilla; it is considered among
the most used web browsers among security and privacy experts. Mozilla and Chrome have a number of similarities in the way they store data. Mozilla,
like Chrome, stores nearly all of its data in files, and Mozilla uses SQLite and JSON
formats for most of its data storage.
For a given operating system user, Firefox can maintain multiple profiles—although
most users generally have only one. The data for each Firefox profile is stored in an
eight-character randomly named directory with an extension of “.default” under the
Profiles directory—for example, e91fmfjw.default. In Windows and OS X, Firefox
places these profile directories in a sub-directory named “Profiles.” Under Linux, the
Firefox profile directories are in the “firefox” directory—there is no additional Profiles
directory layer. One nice thing about Firefox data is that, in general, a given version of
Firefox uses the same file names across all operating systems. In addition, the file
names have been the same since around the time Firefox version 5 was released.
| File Name | Format | Purpose |
|---|---|---|
| cookies.sqlite | SQLite | Stores cookie data |
| places.sqlite | SQLite | It stores web history, download history, and |
| formhistory.sqlite | SQLite | Stores form history for autocomplete features |
| downloads.sqlite | SQLite | Stores download information |
| prefs.js | JS | Stores Firefox user configuration preferences |
| key4.db and logins.json | DB, JSON | Saves user passwords. (Older versions of Firefox use the name key3.db for |
| addons.json | JSON | Views installed add-ons on Firefox. |
| extension-data | Folder | Data generated by installed extensions (add-ons). |
You can access the profile of the suspect at the following location:
\Users\%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\
\Users\%userprofile%\AppData\Local\Mozilla\Firefox\Profiles\
We can browse target sqlite database tables and their content using DB Browser for SQLite.
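The same history tables can be read from a script rather than DB Browser for SQLite. This is an added example, not code from the original article; it covers both the Chrome and Firefox databases and goes slightly beyond the text by converting each browser's timestamp epoch to UTC. The table and column names, the Chrome file name `History`, and the sample rows are assumptions based on the commonly documented schemas, and the databases are constructed.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Both browsers store visit times as microseconds, but from different epochs:
# Firefox counts from 1970-01-01, Chrome from 1601-01-01 (assumed schemas).
SOURCES = {
    "firefox": (datetime(1970, 1, 1, tzinfo=timezone.utc),
                "SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
                "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"),
    "chrome": (datetime(1601, 1, 1, tzinfo=timezone.utc),
               "SELECT v.visit_time, u.url, u.title FROM visits v "
               "JOIN urls u ON u.id = v.url ORDER BY v.visit_time"),
}


def history_timeline(db_path, browser):
    """Return [(utc_iso_time, url, title), ...] in visit order.

    Run this against a working copy of the evidence file. The database is
    opened read-only (mode=ro) so the query cannot modify it.
    """
    epoch, query = SOURCES[browser]
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(query).fetchall()
    finally:
        con.close()
    return [((epoch + timedelta(microseconds=ts)).isoformat(), url, title)
            for ts, url, title in rows]


def build_sample(db_path, browser):
    """Create a constructed, minimal database with only the columns queried above."""
    con = sqlite3.connect(db_path)
    if browser == "firefox":
        con.executescript("""
            CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
            CREATE TABLE moz_historyvisits
                (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
            INSERT INTO moz_places VALUES
                (1, 'https://intranet.example/login', 'Login'),
                (2, 'https://files.example/upload', 'Upload');
            -- Rows are stored out of order on purpose; the query sorts them.
            INSERT INTO moz_historyvisits VALUES
                (1, 2, 1600000060000000),
                (2, 1, 1600000000000000);
        """)
    else:
        con.executescript("""
            CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
            CREATE TABLE visits
                (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
            INSERT INTO urls VALUES (1, 'https://mail.example/inbox', 'Inbox');
            INSERT INTO visits VALUES (1, 1, 13244473600000000);
        """)
    con.commit()
    con.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        # Chrome's database has no file extension, as noted in the text.
        for browser, name in (("firefox", "places.sqlite"), ("chrome", "History")):
            path = Path(work) / name
            build_sample(path, browser)
            for when, url, title in history_timeline(path, browser):
                print(browser, when, url, title)
```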
In this post, we shed light on how to perform a manual forensic analysis of major web browser artifacts. Please
keep in mind that commercial forensics suites have the ability to analyse and extract
information contained in various web browsers automatically. As we always repeat,
consult a computer forensic tool’s features list for the ability to investigate different web
browsers’ data before buying it.
Techniques that can be used to discover evidence in support of an asset's physical location, network connectivity and web browser history post-breach. They are most useful in investigations relating to insider threat or, more commonly during the COVID pandemic, attacks originating from employees working away from the office.
Windows
Timezone
Identifying the system's timezone can provide information that indicates an asset's physical locale.
WIN: XP+
SRV: 2003+
Location
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Interpretation and Investigative Notes
- Internal logs and DTG stamps will be based on the control set saved in the registry key.
- Other network sourced logs will need to be correlated for any time difference/skew.
Tools
- Registry Explorer (RECmd)
Sources
- Microsoft — HKLM\System\CurrentControlSet\Control Registry Tree
Browser Cookies
Cookies give insight into which sites have been visited and the activities that occurred on the site.
WIN: XP+
SRV: 2003+
Location
# INTERNET EXPLORER
# Versions 6-10
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
# Version 11
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies

# MOZILLA FIREFOX
# WINDOWS XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cookies.sqlite
# WINDOWS 7+
%USERPROFILE%\AppData\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cookies.sqlite

# GOOGLE CHROME
# WINDOWS XP
%USERPROFILE%\Local Settings\ApplicationData\Google\Chrome\User Data\Default\Local Storage
# WINDOWS 7+
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Interpretation and Investigative Notes
- Google Analytics (GA) has developed an extremely sophisticated methodology for tracking site visits, user activity, and paid search. Since GA is largely free, it has a commanding share of the market, estimated at over 80% of sites using traffic analysis and over 50% of all sites.
  - _utma (Unique Visitors)
    - Domain Hash
    - Visitor ID
    - Cookie Creation Time
    - Time of 2nd most recent visit
    - Time of most recent visit
    - Number of visits
  - _utmb (Session Tracking)
    - Domain Hash
    - Page views in current session
    - Outbound link clicks
    - Time current session started
  - _utmz (Traffic Sources)
    - Domain Hash
    - Last Update Time
    - Number of visits
    - Number of different types of visits
    - Source used to access site
    - Google AdWords campaign name
    - Access Method (organic, referral, cpc, email, direct)
    - Keyword used to find site (non-SSL only)
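A parser for the three cookie values listed above, as an added example that is not part of the original notes or of the listed tools. It assumes the commonly documented layout (dot-separated fields in the order listed, Unix-epoch timestamps, and `utmcsr`/`utmccn`/`utmcmd`/`utmctr` keys joined by `|` in the last `_utmz` field); the sample values are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Keys inside the last _utmz field, mapped to the field names listed above.
UTMZ_KEYS = {"utmcsr": "source", "utmccn": "campaign",
             "utmcmd": "access_method", "utmctr": "keyword"}


def utc(epoch_seconds):
    """Render a Unix-epoch value as an ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).isoformat()


def fields(value, numeric, tail=False):
    """Split a cookie value into `numeric` integer fields plus an optional free-text tail.

    The tail is kept whole because campaign sources (host names) contain dots.
    """
    parts = value.split(".", numeric) if tail else value.split(".")
    expected = numeric + (1 if tail else 0)
    if len(parts) != expected or not all(p.isdigit() for p in parts[:numeric]):
        raise ValueError(f"unexpected cookie layout: {value!r}")
    return parts


def parse_utma(value):
    dom, visitor, first, prev, last, visits = fields(value, 6)
    return {"domain_hash": dom, "visitor_id": visitor,
            "cookie_created": utc(first), "previous_visit": utc(prev),
            "latest_visit": utc(last), "visits": int(visits)}


def parse_utmb(value):
    dom, pageviews, outbound, started = fields(value, 4)
    # The outbound-link field is reported exactly as stored, without interpretation.
    return {"domain_hash": dom, "page_views": int(pageviews),
            "outbound_link_field": int(outbound), "session_started": utc(started)}


def parse_utmz(value):
    dom, updated, visits, source_types, campaign = fields(value, 4, tail=True)
    record = {"domain_hash": dom, "last_update": utc(updated),
              "visits": int(visits), "source_types": int(source_types)}
    for pair in campaign.split("|"):
        key, _, val = pair.partition("=")
        record[UTMZ_KEYS.get(key, key)] = unquote(val)  # keywords are URL-encoded
    return record


PARSERS = {"utma": parse_utma, "utmb": parse_utmb, "utmz": parse_utmz}


def parse_ga_cookie(name, value):
    """Dispatch on the cookie name; leading underscores are ignored."""
    parser = PARSERS.get(name.lstrip("_"))
    if parser is None:
        raise ValueError(f"not a supported GA cookie: {name!r}")
    return parser(value)


# Constructed sample values (not taken from any real system).
SAMPLES = {
    "__utma": "123456789.987654321.1600000000.1600086400.1600172800.3",
    "__utmb": "123456789.4.10.1600172800",
    "__utmz": "123456789.1600172800.3.2.utmcsr=search.example|utmccn=(organic)"
              "|utmcmd=organic|utmctr=roaming%20profile%20cookies",
}

if __name__ == "__main__":
    for cookie_name, cookie_value in SAMPLES.items():
        print(cookie_name, parse_ga_cookie(cookie_name, cookie_value))
```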
Tools
- Registry Explorer (RECmd)
- Google Analytic Cookie Cruncher
- AZ4n6 — Google Analytic Cookie Parser
Sources
- Hacking Articles — Beginner Guide to Understanding Cookies Session Management
- Acquire Forensics — Google Chrome Browser Forensics
- Google — Analytics
- Hats Off Security — Google Analytic Cookies
WLAN Event Log
Determine what wireless connections have been established, displays SSID.
WIN: 7+
SRV: Not Tested
Location
Microsoft-Windows-WLAN-AutoConfig Operational.evtx
Interpretation and Investigative Notes
- Event IDs
  - 11000: Wireless network association started
  - 8001: Successful connection to wireless network
  - 8002: Failed connection to wireless network
  - 8003: Disconnect from wireless network
  - 6100: Network diagnostics (System.evtx)
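Pairing the connect and disconnect events above into per-SSID connection windows, as an added example that is not part of the original notes. It assumes the records have already been exported from the event log as (timestamp, event ID, SSID) tuples and that one wireless interface is in use; the sample records are constructed.

```python
from datetime import datetime

CONNECTED, FAILED, DISCONNECTED = 8001, 8002, 8003


def wlan_sessions(events):
    """Return (sessions, failures) from (iso_timestamp, event_id, ssid) records.

    sessions: [(ssid, start, end)], where start or end is None when the
              matching event is missing (log rolled over, or still connected).
    failures: [(ssid, timestamp)] for failed connection attempts.
    """
    sessions, failures, open_since = [], [], {}
    for stamp, event_id, ssid in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        if event_id == CONNECTED:
            if ssid in open_since:
                # Second connect without a disconnect: close the first as open-ended.
                sessions.append((ssid, open_since.pop(ssid), None))
            open_since[ssid] = stamp
        elif event_id == DISCONNECTED:
            sessions.append((ssid, open_since.pop(ssid, None), stamp))
        elif event_id == FAILED:
            failures.append((ssid, stamp))
        # 11000 (association started) precedes 8001/8002 and adds no window boundary.
    for ssid, start in open_since.items():
        sessions.append((ssid, start, None))
    return sessions, failures


# Constructed sample records, deliberately out of order.
SAMPLE_EVENTS = [
    ("2021-03-01T12:30:45", 8003, "CORP-WIFI"),
    ("2021-03-01T08:02:11", 11000, "CORP-WIFI"),
    ("2021-03-01T08:02:13", 8001, "CORP-WIFI"),
    ("2021-03-01T19:10:02", 8002, "CafeGuest"),
    ("2021-03-01T19:10:40", 8001, "CafeGuest"),
]

if __name__ == "__main__":
    found, failed = wlan_sessions(SAMPLE_EVENTS)
    for ssid, start, end in found:
        print(f"{ssid}: {start or 'unknown'} -> {end or 'no disconnect logged'}")
    for ssid, stamp in failed:
        print(f"{ssid}: failed connection at {stamp}")
```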
Tools
- Event Log Explorer
- Event Log Parser (EvtxECmd)
- Native Event Viewer
Sources
- SANS — Making the out of WLAN Event Log
Browser Search Times
Records websites visited by date and time. Details are stored for each local user account. Records the number of times visited (frequency) and also tracks access of local system files. Includes the website history of search terms in search engines.
WIN: XP+
SRV: Not Tested
Location
# INTERNET EXPLORER
# Versions 6-7
%USERPROFILE%\Local Settings\History\History.IE5
# Versions 8-9
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
# Versions 10-11
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat

# MOZILLA FIREFOX
# WINDOWS XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\places.sqlite
# WINDOWS 7/8/10
%USERPROFILE%\AppData\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\places.sqlite
Interpretation and Investigative Notes
Tools
- SQLECmd
- Chromium Parser
- Mozilla Cache Parser
Sources
- Nasbench — Web Browser Forensics
System Resource Usage Monitor (SRUM)
Records 30 to 60 days of historical system performance: the applications run, the user account responsible for each, and the bytes sent and received per application per hour.
WIN: 8+
SRV: Not Tested
Location
SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions

SOFTWARE\Microsoft\WlanSvc\Interfaces

C:\Windows\System32\SRU\
Interpretation and Investigative Notes
- SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SRUM\Extensions
  - Windows Network Data Usage Monitor: {973F5D5C-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
  - Windows Network Connectivity Usage Monitor: {DD6636C4-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
Tools
- Forensafe
- SRUM Parser (SrumECmd)
- SRUM Dump
Sources
- Velociraptor — Digging Into the System Resource Usage Monitor (SRUM)
Browser Cache
The browser cache is where web page components are stored locally to speed up subsequent visits. It can be used to glean further information on what a user was actively looking at online. It provides the following information:
- Websites visited
- Files viewed on a website visited (cached files are linked to specific local accounts)
- Timestamps indicating when a site was first saved and last accessed
WIN: XP+
SRV: Not Tested
Location
# INTERNET EXPLORER
# Versions 8-10
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
# Version 11
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE
# Edge
%USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge_<APP ID>\AC\MicrosoftEdge\Cache

# MOZILLA FIREFOX
# WINDOWS XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cache
# WINDOWS 7+
%USERPROFILE%\AppData\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cache

# GOOGLE CHROME
# WINDOWS XP
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\ - data_# and f_######
# WINDOWS 7+
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\ - data_# and f_######
Interpretation and Investigative Notes
Tools
- SQLECmd
- Chromium Parser
- Mozilla Cache Parser
- Microsoft Edge Dev Tools
Sources
- Nasbench — Web Browser Forensics
- Acquire Forensics — Google Chrome Browser Forensics
Flash and Super Cookies
Local Stored Objects (LSOs), or Flash Cookies, have become ubiquitous on most systems due to the extremely high penetration of Flash applications across the internet. They tend to be much more persistent because they do not expire, and there are no built-in mechanisms within the browser to remove them. In fact, many sites have begun using LSOs for their tracking mechanisms because they rarely get cleared like traditional cookies.
Provides the following information:
- Websites visited
- User account used to visit the site
- When cookie was created and last accessed
WIN: 7+
SRV: Not Tested
Location
%APPDATA%\Roaming\Macromedia\FlashPlayer\#SharedObjects\<random_profile_id>
Interpretation and Investigative Notes
Tools
- SQLECmd
- Chromium Parser
- Mozilla Cache Parser
- Microsoft Edge Dev Tools
Sources
- Nasbench — Web Browser Forensics
- Forensics From the Sausage Factory — Adobe Flash Player Local Shared Objects
Session Restore
Automatic Crash Recovery features built into the browser.
WIN: 7+
SRV: Not Tested
Location
# INTERNET EXPLORER
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\Recovery

# MOZILLA FIREFOX
%USERPROFILE%\AppData\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\sessionstore.js

# GOOGLE CHROME
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\
Interpretation and Investigative Notes
- Historical websites viewed in each tab
- Referring websites
- Time session ended
  - Modified time of .dat files in LastActive folder
- Time each tab opened (only when crash occurred)
  - Creation time of .dat files in Active folder
Tools
- SQLECmd
- Chromium Parser
- Mozilla Cache Parser
- Huge JSON Viewer
Sources
- Computer Forensics Parsonage — Web Browser Session Restore Forensics
- Acquire Forensics — Google Chrome Browser Forensics
You can delete it. However, it can delete some of the custom app settings and you’ll need to set them again. WebCache is mostly for storing internet cache and deleting it would be safe.
How does IE cache work?
As Internet Explorer writes files to the cache folders, it checks to see if a file with the same name already exists. This is frequently the case when web developers do not use imaginative or descriptive names for their files. If the file already exists within the folder, Internet Explorer will increment the counter.
How do I view IE cache?
Click the “View files” button in the Temporary Internet Files section to open the Internet page cache in Windows Explorer and view the cached pages and objects.
Is it OK to delete DirectX shader cache?
DirectX Shader Cache contains the files that are created by the graphics system. These files can be used to speed up application load time and improve responsiveness. If you delete them, they will be re-generated as needed. But, if you believe the DirectX Shader Cache is corrupt or too large, you can delete it.
Where are temporary files stored?
For the windows client, temporary files are stored in the user’s temporary folder, e.g. C:\Users\\AppData\Local\Temp. For the web clients it is handled by the browser.
What is WebCache folder?
The WebCache folder is used for the cache/history of Internet Explorer; you can safely delete its content if you want. It should normally be deleted by CCleaner. Plus, most of the content of these text files is encrypted, so good luck trying to understand anything out of it.
Is AppData local safe to delete?
You can safely remove anything in the folder, but you may not be able to delete items that are in use. Likely safe locations to delete files and folders from: C:\Windows > Temp. C:\Users > username > AppData > Local > Temp.
How do I hard refresh ie11?
Internet Explorer browser: 1. Hold down Ctrl and click F5. 2. Hold down Ctrl and click the Reload button.
How long does a browser cache last?
The response can be cached by browsers and intermediary caches for up to 1 day (60 seconds x 60 minutes x 24 hours). The response can be cached by the browser (but not intermediary caches) for up to 10 minutes (60 seconds x 10 minutes).
Where is ie11 cache stored?
C:\Users\\AppData\Local\Microsoft\Windows\INetCache.
What files should you not delete in Disk Cleanup?
Overall, you can safely delete almost everything in Disk Cleanup as long as you don’t plan on rolling back a device driver, uninstalling an update, or troubleshooting a system problem. But you should probably steer clear of those “Windows ESD Installation files” unless you’re really hurting for space.
Where does IE store its cache?
IE does not care where it is stored, it just uses the shell:cache location defined by the operating system. Windows + E, Alt-d, shell:cache, and Enter in both OS’s should get you there for either OS. Regards, Dave Patrick ….
How do I clear the cache in Internet Explorer?
However, it’s best to run the latest version of IE if you can. Avoid clearing the cache in IE manually by using a program that does it for you. One popular system cleaner is CCleaner. Make sure the Temporary Internet Files option is chosen under the Internet Explorer area of the Custom Clean section.
Where are the cache files located in Windows 10?
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low and %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 – these are cache locations.
Where does Internet Explorer store temporary Internet Files?
By default, Internet Explorer stores temporary internet files in this folder: %LocalAppData%\Microsoft\Windows\INetCache\. You can, however, change this folder location at will. You could avoid clearing the cache in IE manually by using a program that does it for you.