Sunday, July 31, 2016

Internet Explorer 10, 11, Microsoft Edge Forensic Tool


IE10Analyzer Download Link : Click this


1. Introduction

 Since 1994, the Extensible Storage Engine (ESE), a database engine developed by Microsoft and also known as JET Blue, has been used mainly in web browsers (e.g. Internet Explorer and Microsoft Edge).

 By analyzing Windows Search, Chivers and Hargreaves found that deleted records remain in the database because of its B-Tree structure [1]. Using the same method, Chivers carved deleted records from the WebCacheV01.dat file, which is used by Internet Explorer version 10 or above, analyzed the recovered records, and then identified bit masks that can distinguish Private browsing from type items [2]. Furthermore, Chivers researched in which situations Private browsing records can be recovered. Both of these studies analyzed records with a tool that operates through the database API. This tool needs to switch a database in the dirty state to the clean state, and this switch may remove the most recent Private browsing records, which remain only in the dirty state. Also, the tool cannot recover values saved in long value pages or the final items of records.


Results recovered by using ESE carve

Results recovered by using IE10Analyzer
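
The dirty-to-clean switch described above modifies the file, so it is useful to read the shutdown state directly from the header of a working copy before any API-based tool touches it. The following is an added example, not code from IE10Analyzer or the original post; the header offsets (signature at 4, state at 52, page size at 236) follow public ESE format documentation and should be verified against your sample, and the function names and sample header are constructed for illustration.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF  # little-endian dword at offset 4
DB_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
             4: "BeingConverted", 5: "ForceDetach"}

def read_ese_header(buf):
    """Parse state and page size from raw header bytes (no database API, no writes)."""
    if len(buf) < 240:
        raise ValueError("buffer too short for an ESE file header")
    (signature,) = struct.unpack_from("<I", buf, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("bad signature: not an ESE database")
    (state,) = struct.unpack_from("<I", buf, 52)
    (page_size,) = struct.unpack_from("<I", buf, 236)
    return {
        "state": DB_STATES.get(state, f"Unknown({state})"),
        "page_size": page_size,
        # A dirty file still holds records that log replay or repair may change.
        "dirty": state == 2,
    }

def triage(path):
    """Read only the first 4 KiB of a working copy, opened read-only."""
    with open(path, "rb") as fh:
        return read_ese_header(fh.read(4096))

def build_sample_header(state, page_size=32768):
    """Constructed header for the demo; all other fields are left zeroed."""
    hdr = bytearray(4096)
    struct.pack_into("<I", hdr, 4, ESE_SIGNATURE)
    struct.pack_into("<I", hdr, 52, state)
    struct.pack_into("<I", hdr, 236, page_size)
    return bytes(hdr)

if __name__ == "__main__":
    for s in (2, 3):
        print(read_ese_header(build_sample_header(s)))
```

If `dirty` is true, hash and preserve the original file and its transaction logs before running any tool that repairs the database.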

 There are two reasons why deleted records can be recovered from an ESE database file. First, if a Data page or a Long value page is turned into a Branch page, the pre-existing data remains in the Branch page. Second, when records are deleted, the tags and the data are not deleted; only the number of records and the kind of page change.

 Previously, I made a tool which is able to recover deleted records from an ESE database. But this tool has some constraints when analyzing IE 10, 11 and Microsoft Edge. To analyze IE history, the following functions are required.

1) extracting strings from ResponseHeaders fields
   - HTTP Response Header
   - Download information
   - Web page title

2) URL decoding

3) distinguishing private browsing from normal browsing

 So, I additionally made a program which is only used to analyze IE10 and Microsoft Edge. The program name is IE10Analyzer, and .NET 4.0 must be installed.
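
As an added illustration of requirements 1) and 2) above (not IE10Analyzer's own code), the sketch below pulls text runs out of a binary field and percent-decodes a URL. It assumes header text is stored as ASCII and titles and download strings as UTF-16LE, and goes slightly beyond the post by retrying URL decoding with a legacy code page (cp949); the sample blob is constructed and does not reproduce the real ResponseHeaders layout.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: header text is ASCII; title and download strings are UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e\r\n]{6,}")
# UTF-16LE code units: Basic Latin (xx 00) or Hangul syllables (high byte AC-D7).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00|[\x00-\xff][\xac-\xd7]){4,}")

def extract_strings(blob):
    """Return sorted (offset, encoding, text) tuples for text runs in a binary field."""
    hits = [(m.start(), "ascii", m.group().decode("ascii").strip())
            for m in ASCII_RUN.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in UTF16_RUN.finditer(blob)]
    return sorted(hits)

def decode_url(url, encodings=("utf-8", "cp949")):
    """Percent-decode a history URL, trying each candidate encoding in order."""
    raw = unquote_to_bytes(url)
    for enc in encodings:
        try:
            return raw.decode(enc), enc
        except UnicodeDecodeError:
            continue
    # Last resort keeps every byte visible instead of dropping evidence.
    return raw.decode("latin-1"), "latin-1"

def build_sample_blob():
    """Constructed test data: binary padding around one ASCII and two UTF-16LE strings."""
    pad = b"\x01\x00\x00\x00\x10\x00\x00\x00"
    header = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
    title = "notepad - Google 검색".encode("utf-16le")
    path = r"C:\Users\test\Downloads\notepad++.exe".encode("utf-16le")
    return pad + header + pad + title + pad + path + pad

if __name__ == "__main__":
    for offset, enc, text in extract_strings(build_sample_blob()):
        print(f"{offset:#06x} {enc:9} {text!r}")
    print(decode_url("https://www.google.com/search?q=Microsoft%20Edge"))
```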


2. Internet Explorer 10, 11, Microsoft Edge Forensic on Windows 10


(Before writing this post, I had used Internet Explorer and Edge.)

1) Clear browsing data to be exact.



2) Search for 'Microsoft Edge' and 'notepad' in Google.




3) Download notepad++.exe



4) Run IE10Analyzer



5) Start the analysis and set UTC time




6) Confirm the result
  - web page title (remains!)


  - download information (remains!)


  - HTTP response header (remains!)


  - Existing Internet Explorer data (remains!)



7) Clear browsing data on Internet Explorer



8) Start InPrivate Browsing



9) Confirm the results for recovered data




10) Confirm the results for private browsing




[1] H. Chivers and C. Hargreaves, “Forensic data recovery from the windows search database,” Digital Investigation, vol. 7, no. 3-4, pp. 114-126, Apr. 2011.

[2] H. Chivers, “Private browsing: A window of forensic opportunity,” Digital Investigation, vol. 11, no. 1, pp. 20-29, Mar. 2014.

17 comments:

  1. Hi do you have a git source of your tool? Thank you

  2. I do not plan on using git source of my tool.
    I would like to upgrade the program further.

  3. Can you tell me how to install this software? Thanks :)

  6. Does your "IE10Analyzer" have command line options? I need them to develop a forensic web with Linux.
