Tools which protect our privacy. Post your tools / ways you are using and opinions.

KnowledgeableNewbie · Oct 7, 2014

coleoptere2007 said: ↑

Tails seems also a good choice
Click to expand...

yes downloaded it about a month ago. although it's an OS. also Tor Browser Bundle and Blackbelt Privacy.

KnowledgeableNewbie · Oct 7, 2014

Mikorist said: ↑

Germany Claims the NSA Has Access to Every Windows 8 Computer

Germany Claims the NSA Has Access to Every Windows 8 Computer

- Some comments:

Click to expand...

lol. believe it or not the NSA has access to a lot more than Windows 8.

KnowledgeableNewbie · Oct 8, 2014

M0rriss0n said: ↑
Hello Forum members,

Today I want to bring up a concern I have with WebCacheV01.dat.
There is not a lot of information on this topic since I started to investigate December 2013.
What do I have:
Eric Lawrence's explanation (he worked on the development for this database)

IE10's index.dat files replaced with a cache database 4/3/2013 5:27:00 PM

Someone mailed me off my old IEInternals blog to ask me about IE10's move from index.dat files to the WebCacheV01.dat database file. They had a number of questions and it occurs to me that this probably isn't written up anywhere else. So, for posterity (and with the caveat that I can't speak for Microsoft):
Q: Why the change? Why are browsing artifacts are still present in other locations?
A: The old index.dat files represented a cross-process memory-mapped index file for the internet cache entries. This index was designed for optimal performance on common computers of the mid-1990s; for instance, the data structures it used were designed to fit in the on-chip cache of a 486 processor. Since then, processors have grown far more powerful, with larger caches, etc. As a consequence, the old cache index code was no longer very efficient (especially for operations that proper databases are good at, like running multi-condition queries). By moving this cache to a proper database, it simplified code, improved performance, and enhanced durability/reliability.
When you say “why are browsing artifacts are still present in other locations,” I can only assume that you’re referring to the cache files themselves? Keep in mind that the new database and old index.dat are simply an index to those files on disk. You may wonder why browsers store the response bodies in files rather than inside the database itself—this is done for both performance and compatibility reasons.
Q: Why is this file loaded when Windows starts even before IE loads?
A: The cache is an integral part of WinINET, a core networking component in Windows. WinINET’s cache isn’t just the browser’s cache—it’s also used by most Metro applications, Windows components, and tens of thousands of other applications that rely on WinINET. That’s why, for instance, when you uninstall IE from Windows, WinINET and its data stores remain on the system. The database is loaded by the cache service in order to handle requests from applications that depend on WinINET. Deleting the database would be very bad from a privacy point of view, because the database tracks which files need to be deleted when you use the Delete Browser History / Clear Cache commands. If you were to obliterate this index, these files would be orphaned and present a privacy risk.
Q: Why is there a delay in writing to the database after the browser closes?
A: I’m not sure what specific “delay in writing to the database” that you’re referring to, but I assume this is simply related to how most databases work—there’s an in-memory representation that is periodically flushed to disk for both performance and hardware-durability reasons (most SSDs have a limited number of write-cycles, for instance).
Q: Why is the extension .DAT instead of .EDB which is used by other Ese databases.
As to why the extension is .DAT, I don’t know, but I assume that this is probably a historical artifact related to the fact that WinINET’s cache indicies have always been named *.dat.

Q: Do IE10 on Win7 and IE10 on Win8 cache data in the same way?
A: I think the answer you’re looking for is “essentially.” The one caveat is that Windows 8’s Enhanced Protected Mode feature uses AppContainers for isolation of content; this feature is an evolution of the Protected Mode feature introduced with Windows Vista.

A forensic research on the database

KANDIDATUPPSATS
Halmstad, 2013-07-05
Forensic analysis of the ESE database in
Internet Explorer 10
Bonnie Malmström & Philip Teveldal
IT-forensik och informationssäkerhet
Teknologie kandidatexamen i datateknik, 15 hp
Forensic analysis of the ESE database in Internet Explorer 10
Bachelor thesis
June 2013
Authors: Bonnie Malmström & Philip Teveldal
Supervisor: Mattias Weckstén
Examiner: Urban Bilstrup
School of Information Science, Computer and Electrical Engineering
Halmstad University
PO Box 823, 301 18 HALMSTAD, Sweden
I
© Copyright Bonnie Malmström & Philip Teveldal, 2013. All rights
reserved
Bachelor thesis
School of Information Science, Computer and Electrical Engineering
Halmstad University
II
Preface
This project started out as a collaboration with the Swedish Tax Agency (SKV)
Gothenburg. Due to me issues, they are not able to acquire images of drive in many of their investigations and are thus forced to gather as much data as
possible using live forensics. They presented us with a problem they encounter
while doing live forensics on various systems; the browser artifacts are often
difficult to acquire due to outdated software or time-frame problems. In early
draft versions our project goal was therefore to create a script for EnCase, using
EnScript, which would be able to parse web artifacts from the latest versions of
the browsers Internet Explorer, Firefox, Chrome, Safari and Opera – and
present this in an easily-readable format. However, as the project developed we
were facing the many changes present in the newly released Internet Explorer
10 (i.e., the change of database from index.dat to WebCacheV01.dat). We could
only find very sparse information about the new database in IE10, and the
project evolved into mainly targeting the forensic aspects of Internet Explorer
10 and the behavior of WebCacheV01.dat.
III
IV
Acknowledgements
We are very thankful to everyone who supported us in our work by providing
their ideas, criticism and time.
We would like to thank our supervisor Mattias Weckstén for providing us with
great guidance and pointing us in the right directions.
Further, we would also like to thank Anders Lager at the Swedish Tax Agency
who helped us come up with the initial idea to this project, even though it later
evolved into something pretty different.
Finally, we would like to thank Howard Chivers for letting us experiment with
his program wdsCarve, and for taking the time to help us when we got stuck.
V
VI
Abstract
With Internet Explorer 10, Microsoft changed the way of storing web related
information. Instead of the old index.dat files, Internet Explorer 10 uses an ESE
database called WebCacheV01.dat to maintain its web cache, history and
cookies. This database contains a wealth of information that can be of great
interest to a forensic investigator. This thesis explores the structure of the new
database, what information it contains, how it behaves in different situations,
and also shows that it is possible to recover deleted database records – even
when the InPrivate browsing mode has been used.
VII
VIII
Contents
Preface ................................................................................................................................ II
Acknowledgements ....................................................................................................... IV
Abstract .............................................................................................................................. VI
Contents .......................................................................................................................... VIII
List of Figures ................................................................................................................... X
List of Tables .................................................................................................................. XII
List of Abbreviations .................................................................................................. XIV
1 Introduction ..............................................................................................................1
1.1 Motivation ..................................................................................................................... 1
1.2 Problem Description ................................................................................................. 2
1.3 Related Work ............................................................................................................... 2
1.4 Thesis Outline .............................................................................................................. 3
2 Technical background ...........................................................................................5
2.1 Extensible Storage Engine ....................................................................................... 5
2.2 Web browser caching ................................................................................................ 6
3 Methodology ..............................................................................................................9
3.1 Tools Used ..................................................................................................................... 9
4 WebCacheV01.dat ................................................................................................. 12
4.1 The Internet Explorer 10 WebCache directory ............................................ 12
4.2 ESE logging explained ............................................................................................ 13
4.3 ESE database cache in-depth ............................................................................... 14
4.4 Using esentutl to recover a ESE database ....................................................... 15
4.5 Looking at WebCacheV01.dat through a hex editor .................................... 16
5 Experiments ........................................................................................................... 19
5.1 Preparing the lab environment .......................................................................... 19
5.2 Acquiring files from the WebCache directory ............................................... 20
5.3 Experiment 1: Database overview ..................................................................... 21
5.4 Experiment 2: Recovery of deleted database records ................................ 24
6 Results & Discussion............................................................................................ 31
6.1 Experiment 1 ............................................................................................................. 31
6.2 Experiment 2 ............................................................................................................. 32
7 Conclusion ............................................................................................................... 34
7.1 Future Work .............................................................................................................. 34
References ....................................................................................................................... 36
Appendix A ....................................................................................................................... 39
IX
X
List of Figures
Figure 1: Simplified overview of a B-tree ............................................................................ 6
Figure 3: Example of the output generated by the /mh switch ............................... 15
Figure 4: Hex view of the database header ...................................................................... 17
Figure 2: MD5 hashes for the database acquired in two different manners ....... 20
Figure 5: Left side of the table named “Contaers”, providing information such
as container IDs and name of the data stored in the specific containers ............. 21
Figure 6: Right side of the table named “Containers”, providing the full paths to
the data stored in the containers ......................................................................................... 22
Figure 7: CMD input .................................................................................................................. 24
Figure 8: Files contained within the folder History.IE5 shown with command
“dir” in CMD .................................................................................................................................. 24
Figure 9: Using prefix /a with command “dir” we see the index.dat inside the
MSHIST01 folder ........................................................................................................................ 24
Figure 10: Options to delete browsing history in Internet Explorer 10 ............... 25
Figure 11: Browsing history present in the last acquired database ...................... 27
Figure 12: Initiate the database carving ........................................................................... 27
Figure 13: Overview of the output data from wdsCarve performed on the last
acquired database. ..................................................................................................................... 28
Figure 14: Carving shows database records of InPrivate browsing....................... 29
XI
XII
List of Tables
Table 1: Overview of files in the WebCache directory ................................................. 12
Table 2: Overview of containers in WebCacheV01.dat ............................................... 32
XIII
XIV
List of Abbreviations
API Application Programming Interface
CPU Central Processing Unit
ESE Extensible Storage Engine
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
xplorer
IEF ternet Evidence Finder
ISAM Indexed and Sequential Access Method
JET Joint Engine Technology
MD5 Message Digest Algorithm 5
NTFS New Technology File System
OS Operating System
RAM Random Access Memory
SKV Skatteverket (Swedish Tax Agency)
URL Uniform Resource Locator
W7 = Windows 7
XV
Forensic analysis of the ESE database in Internet Explorer 10
- 1 -
1 Introduction
Today, computers are a big part of many peoples’ lives. Many times they are
nnected to the Internet and we use them to play games, find information and
communicate with others – among many other things. It is likely that most of
the time spent on the Internet is while interacting with a web browser. The
browser is the program we use to access, view and communicate with web sites
and other documents and files stored on web servers. Every visited page, every
bookmark and every viewed document can leavtraces on the user’s system,
and this is why web history analysis has become such an important part of a
computer forensic investigation.
1.1 Motivation
The increasing number of both criminal and civil cases is developing towards
relying heavily on digital evidence and Internet activity. The ability to examine
a criminals browsing history is often critical in not only high-profile criminal
cases, but also in minor fraud cases. Web browser artifacts can help find
offenses ranging from corporate policy violations, committed by employees of
the company, to more serious crimes like child pornography or hacking related
offenses. Even if the investigatcrime itself isn’t a literal computer crime (i.e.,
the computer has not been used in the commission of the crime), the suspect
may still have used a web browser to search for information related to the
crime. By retrieving the browser history, cookies, cache and downloaded files,
it is possible to determine the suspect’s online activity.
In the 2001 book Computer Forensics: Incident Response Essentials, authors
Kruse and Heiser define computer forensics as “the science of acquiring,
retrieving, and presenting data that has been processed electronically stored on computer media” [1]. There are programs out there that can lift and
present information from Internet Explorer 10 (e.g., Internet Evidence Finder
[2]), but in order to be a good forensic investigator, one also needs to
understand why artifacts ext, where they are, and how they got there. That is
why the focus of this thesis is about the structure of the database and its value
in a computer forensic investigation.
Forensic analysis of the ESE database in Internet Explorer 10
- 2 -
1.2 Problem Description
With the launch of Windows 8 in October, 2012, the general public was
introduced to Internet Explorer 10. From a forensic perspective, the most
important change is that the previously used index.dat files are now replaced
with an ESE (also known as JET Blue) database, named WebCacheV01.dat. This
renders most of the previous Internet history grabbers obsolete when dealing
with Internet Explorer 10. As IE10 was released for Windows 7 in February
2013, it is safe to assume forensic investigators will now come across more
systems running IE10, especially as Windows 7 is the most used OS as of April,
2013 [3, 4]. The main problem is that there is a lack of information about this
specific ESE database, and that makes it hard to know its real value in an
investigation. To get a better understanding of its value as a forensic artifact, it
needs to be examined.
To help us focus our research and get a better understanding of what has to be
examined, we have defined four research questions.
 What is the basic structure of the database?
 What information is stored in the database?
 Is any data from an InPrivate browsing session stored in the database?
 Is it possible to recover deleted records from the database?
1.3 Related Work
We have yet to find any papers on the specific WebCacheV01.dat database, but
there are some reports on other ESE databases that have proven to be good
resources.
For our experiments on the structure of the database, we used a paper written
by Joachim Metz, “Extensible Storage Engine (ESE) Database File (EDB) format
specification” [5], as a reference. By spending a lot of time reverse engineering
the ESE file format, Metz has figured out a great deal about the format.
Howard Chivers and Christopher Hargreaves have published a paper on how to
recover data from a different ESE database – the Windows Search Database.
Their paper, “Forensic data recovery from the Windows Search Database” [6],
has been invaluable for us, as it lead us to Chivers, who kindly let us use his
program wdsCarve to experiment with the recovery of deleted database
records.
Forensic analysis of the ESE database in Internet Explorer 10
- 3 -
We have also looked into the report “Forensic examination of Windows Live
Messenger 2009 Extensible Storage Engine” [7] by Wouter van Dongen, Willem
Toorop and Joeri Blokhuis. It proved to be a good resource on how to analyze
the structure and behavior of an ESE database.
1.4 Thesis Outline
This thesis has been divided into chapters which are organized as follows.
 Chapter 2 presents some background information regarding the ESE file
format and web browser caching.
 Chapter 3 presents the method used to examine the database.
 Chapter 4 presents a brief overview of the ESE file format followed by an in-
depth part about ESEs log and cache functions with focus on Internet
Explorer 10.
 Chapter 5 presents the conducted experiments.
 Chapter 6 presents the results and a discussion of the experiments.
 Chapter 7 presents the conclusion of the thesis; what has been done and what
has been achieved.
Forensic analysis of the ESE database in Internet Explorer 10
- 4 -
Forensic analysis of the ESE database in Internet Explorer 10
- 5 -
2 Technical background
To better understand why and how things happen and becomes possible with
the ESE database a more technical knowledge is needed about the basic
function of ESE and how it performs its cache operations.
2.1 Extensible Storage Engine
The Extensible Storage Engine, or simply ESE, is a highly advanced indexed and
sequential access method (ISAM) from Microsoft. It is very versatile when it
comes to handling different data sizes, ranging from very small to very large (1
MB – 1 TB). ESE uses a crash recovery system to make sure data can be
consistent even in the event of a system crash. Its advanced caching system
makes sure ESE has a consistent high performance when accessing data. The
software itself is very “lightweight” making it ideal for running in auxiliary
roles.
The primary role for ESE is to be used where the need for fast and light data
storage is of importance. Apart from being used as the main storage of web
history in Internet Explorer 10, it is also used by applications such as Windows
Mail, Windows Desktop Search, Microsoft Exchange Server, Active Directory
and Windows Live Messenger, among many others.
ESE was first introduced in Wdows 2000 and was formerly known as JET
Blue. The term JET (Joint Engine Technology), however, can also refer to a
different API, called JET Red, which is very different from JET Blue. [8]
e ESE uses a single DLL file that comprises the whole user-mode (ent.dll).
This binary file allows the user to make advanced queries to the database and is
throughout quite powerful. [9]
The unit of storage in the ESE database is called a page. The current version Windows 7 uses a 32 kB page size. All database records are stored within
different pages and, ith the exception of "long" records, every reference an reneed to fit within a single page. The ESE database is structured
according to the B-tree. One could imagine the structure of the B-tree like a
flipped tree, i.e., the stem and root of the tree is at the top and the branches
reaches downwards. A simplification of the idea can be seen in figure 1 on the
next page.
Forensic analysis of the ESE database in Internet Explorer 10
- 6 -
Figure 1: Simplified overview of a B-tree
The B is usually considered to stand for "balanced", and this refers to the fact
that the length of the path from the root to every database entry is the same.
This means that finding any entry in the database consists of the same amount
of decisions. The "balancing" part that takes place within the ESE database
consists of constantly moving around records and entries. The important
aspect being that the database doesn't perform an overwrite of the space
marked for deletion if a cord was to be moved. Because of this there is a high
probability that re arolder copies of records still present in unallocated
space, as long as they have not yet been overwritten by another record. [6]
2.2 Web browser caching
Many web sites contain the same elements on most of their pages, for example;
the favicon, images, CSS, and so on. The browser cache exists because someone
once came up with the idea that it is faster to open these files from your hard
disk than to download them from the Internet. So instead of downloading files over and over, the browser downloads them once and stores them on the
hard disk.
The cache is used to improve how fast data is loaded while browsing. Most
times, when a web page is accessed, it is downloaded to the browsers cache on
the hard drive. The next time that page is accessed, and has not been modified,
Forensic analysis of the ESE database in Internet Explorer 10
- 7 -
the browser will stead open it using the files stored in the cache. Deleting the
cache from within the browser will force it to download all files again and
rebuild the site with fresh content.
All this dowloaded content can help build a map over a user’s browsing
history and online habits.
Forensic analysis of the ESE database in Internet Explorer 10
- 8 -
Forensic analysis of the ESE database in Internet Explorer 10
- 9 -
3 Methodology
Because of the general lack of information regarding this specific subject we
have chosen to use an empirical research method [21]. We have performed
experiments based on our defined research questions and this method allows
us to draw from previous knowledge when we look at results and conclusions.
3.1 Tools Used
In order to successfully analyze the WebCacheV01.dat database, we have used a
variety of tools and programs. Here follows a presentation of each program and
also our motivation as to why we chose to work with these specific programs.
VMware Workstation v9.0.2
VMware Workstation [11] is a virtualization software that enables the user to
set up one or more virtual machines and use them on the actual machine. There
are many similar programs (for example VirtualBox, Xen and Kernel-based
Virtual Machine (KVM)), but we chose VMware since we have previously
worked with their software and felt comfortable using it again as it have the
functionality we require.
ShadowCopy v2.02
ShadowCopy [12] is a program from Runtime that lets you copy any file even if
it is locked by Windows. This program was recommended on some of the blogs
we read about acquiring the locked ESE database.
ESEDatabaseView v1.07
ESEDatabaseView [13] is a program by Nirsoft built to access ESE databases.
We used it to get an overview of the database and to verify what data had been
stored in our experiments. We also tried another software (Woanware’s
EseDbViewer), but felt that ESEDatabaseView was easier to use.
Forensic analysis of the ESE database in Internet Explorer 10
- 10 -
WinHex 17.0
WinHex [14] from X-Ways is a hexadecimal file editor, used to inspect and edit
files. We used it to look at the structure of the WebCacheV01.dat database. Why
we chose to work with WinHex is nothing more but personal flavor, we tried
other editors as well and they worked fine.
wdsCarve v1.13
This program [15], created by Howard Chivers, iforensic tool used to inspect
and carve the contents of an ESE database. It is available from the author for
forensic examiners and researchers.
Forensic analysis of the ESE database in Internet Explorer 10
- 11 -
Forensic analysis of the ESE database in Internet Explorer 10
- 12 -
4 WebCacheV01.dat
As most forensic rearchers know, IE used to keep track of cached files on the
system in index files called index.dat. The new ESE database introduced in IE10
is still just an index (i.e., it points to cached files on the system, but doesn’t
contain the actual files). So why change what is already working?
After email contact with Eric Lawrence, a former Microsoft employee working
with the construction of IE10, we learned that the old index.dat files, which
were used in Internet Explorer 1 through 9 to cache entries, were cross-process
memory-mapped index files. These index files were designed for optimal
performancfor the most common computers of the early-mid 1990s. For
instance, the data structure that was used in the index file was designed to fit
on the on-chip cache of a 486 processor. Since then, processors have grown
much more powerful (e.g., larger caches and faster clock). Because of this, the
old cache index code was no longer very efficient, especially compared to
opations that proper databases are good at, like running multi-condition
queries. The decision to move the old cache index to a proper database helpe simplify the code, improved performance and enhanced both durability and
reliability of the caching process.
4.1 The Internet Explorer 10 WebCache directory
Internet Explorer 10 has its main storage of database files in the following
directory:
%systemdrive%\Users\%user%\AppData\Local\Microsoft\Windows\WebCache
Inside the folder is a bunch of files that work together in different ways, see
table 1.
Table 1: Overview of files in the WebCache directory
File type: Filename:
Checkpoint file V01.chk
Transaction log file V01.log
Reserved transaction log file V01res#####.jrs
Reserved transaction log file V01res#####.jrs
Transaction log file V01#####.log
ESE database WebCacheV01.dat
Forensic analysis of the ESE database in Internet Explorer 10
- 13 -
Note: V01 is the base used for all files in the WebCache directory in the current
releases of Windows 7 and 8. There have also been reports on V16 and V24 but
they seem to belong to old beta versions of Windows 8.
4.2 ESE logging explained
The very first time we acquired a copy of the database we were brought to the
attention that it did not always update properly after the browser was shut
down. In order to better understand this we decided to look into the caching
process of the ESE.
Transaction log files contain all tdifferent database operions before they
are written to the database file. They are used to bring the database up to dat if the system crashes or if there is any process terminationrelevant to the
database operations. The .log files are recognized by Windows as text files but
are actually written in binary format. If the log files needs to be used for a
database recovery the restoration process is called a soft recovery, as opposit to a hard recovery which is done when the log files are missing. The log files are
of a fixed size, where the size is determined by a pre-configured value called
JET_paramLogFileSize. When the log file is “filled” it gets renamed into
<base><generation>.log (e.g., V01#####.log) and a new log file is created for
storage.
Reserved transaction log files are created when critical operations need to be
saved for the database to get a clean shutdown. The reserved transaction log
files are mainly a safety net for the database in the event it would, for example,
run out of disk space and operations can no longer be written to disk. In order
to still pull off a clean shutdown of the database the most critical operations get
written to these log files in anticipation of critical errors. In most cases these
files do not contain any spectacular information but mainly critical operations
needed for the database to achieve a clean shutdown state.
The checkpoint files are used to store different log file sequences. Data is firs written to the log files and then cached to memory, and it is first at a later point
the data gets flushed from the log files to the actual ESE database. This is mainly
for performance issues but might have a large impact on how the log files
should be handled from a forensic point of view. In the case of the
WebCacheV01.dat, data gets written to the database first when the system i shut down using a clean shutdown method. This means that if the system gets
abruptly halted, crashes or is left running for a longer period of time, the
browser history is largely not found inside the WebCacheV01.dat database file,
but instead it is located in the log files. [16, 17]
Forensic analysis of the ESE database in Internet Explorer 10
- 14 -
4.3 ESE database cache in-depth
As we learned from the previous section (4.2), the ESE database uses many
different operations before writing data to the actual database file on disk.
However there is even more caching handled in memory before it gets written
to the .log files. The process of the RAM caching done by ESE databases is the
following:
When the ESE database receives its first operation it promptly stores is in log buffer. These log buffers are used as a storage container in RAM for the data
prior to the exchange to .log files on the disk. The default size for the log buffers
is the same as a disk sector, i.e., 512 bytes, and the minimum amount of log
buffers are 128 sectors, maximum amount being 10240 sectors (approximately
5.2 MB).
As the log buffers reaches maximum capacity, the data needs to be moved from
RAM to disk and into the log files. This mission is carried out by the log writer.
Each operation gets written to the disk from memory in a syhronous fashion
and is carried out very swiftly since it is of grave importance that data gets
moved from RAM to disk if a system failure were to happen.
In order to turn the operations stored in RAM into actual data on disk the log
writer uses IS buffers. The IS buffers are each 4 KB in size and grouped together
by the ESE inside RAM. The IS buffers are used to yet again cache the data
before it is written to disk. Depending on the OS used, the IS buffs used by
ESE can reach different sizes, for example the Exchange 2000 Server can have
its IS buffers reach a size of 900 MB.
When the IS buffers are done caching the lazy writer have the final task of
writing the data to the log files contained on disk. Since the amount of pages to
be written can be vast, the lazy writer is tasked with prioritizing them and
moving them to disk in such a fashion that the disk I/O system doesn’t get
flooded. When the lazy writer is finished, the data is static on disk and located
in the .log files. [18]
An interesting aspect to take note of here is that many forensic examiners who
are faced with a system running Windows 7 would probably follow "protocol"
and shut down the system by pulling the power cord instead of doing a clean
shutdown as you would with a system running server applications. This could
pose a problem since you would end up with data from the many ESE database in Windows in log files and RAM. However, the risk of losing important data is
very small due to the crash recovery system built into ESE. [19]
Forensic analysis of the ESE database in Internet Explorer 10
- 15 -
4.4 Using esentutl to recover a ESE database
Esentutl.exe is a command-line tool built into Windows that we have used a lot
in the work of this thesis. It provides database utilities for ESE and can, among
other things, be used to view metadata or recover an ESE database to a clean
shutdown mode. Esentutl is located in the following folder:
%systemdrive%\Windows\System32
To check which state the database is in, we use esentutl with the /mh switch.
This outputs the header information from the database in an easy to read
format, as seen in figure 3.
>esentutl /mh WebCacheV01.dat
If the state is dirty (which is usually the case), we want to recover the database
to a clean state by flushing the log files to the database. This is done using the /r
switch, the base of the log file (V01) and the /d option.
>esentutl /r V01 /d
The /is to make sure esentutl uses the log files in the current directory
instead of searching through the log files for the path to the original log files. In
order to successfully flush the log files to the database it may in some cases also
be necessary to remove the checkpoint file. This makes sure every log file goes
into the database, and not only the ones the checkpoint file believes is missing.
To confirm the database is now in a clean state we use the /mh switch again.
Figure 2: Example of the output generated by the /mh switch
Forensic analysis of the ESE database in Internet Explorer 10
- 16 -
4.5 Looking at WebCacheV01.dat through a hex editor
Examining the WebCacheV01.dat database in WinHex is a huge task, as a
seemingly empty database may consist of many thousand pages. There is a vast
amount of timestamps and entries, and in this section we will try to cover the most
basic entries that may be of value for a forensic examiner. Figure 4 on the next page
shows the database header in hex view.
The ESE database store its data in a little-endian byte order. Little-endian stores its
values with the smallest byte first. This is important to keep in mind when reading
values from the hex editor, since the data might be displayed different from how the
database itself reads its data.
In the file header of the database we find that the first 4 bytes are a XOR checksum.
[5]
The following 4 bytes after the checksum is a file signature. The file signature has
offset 4, and the value is EF CD AB 89. This is of significance in a forensic data
mining operation where you might want to search in unallocated space for an ESE
database. Keep in mind though that this signature is common for all ESE databases,
not only the WebCacheV01.dat. There is also a high possibility the database is
fragmented; however, it gives a clear indication that there are fragments of the
database in unallocated space that may contain evidence.
At offset 24 to 51 we find the database signature. At offset 4 inside the database
signature we find an 8 byte sized entry consisting of the creation date and time for
the entire ESE database. At offset 0 to entry we find seconds, the consecutive bytes
that follow are minutes, hours, days, months and year. The 2 last bytes of these are
filler bytes. Byte number 5 represents the year, were 0 represents the year 1900.
Taking our databases timestamp as an example (see figure 3), we have the byte 71 at
offset 5. 71 converted from hexadecimal to decimal is 113, with the base year as
1900 we simply add 113 and come up with the year 2013.
At offset 52 we find the database state. The most common values to see are 2 and 3;
the dirty or clean shutdown states.
At offset 236 we find the page size entry that consists of 4 bytes. The hex in the
entry is 00 80 00 00. Since the ESE database uses little-endian we read this as 00 00
80 00. When 8 000 is converted from hexadecimal to decimal we get 32 768, giving
us a 32 kB page size for the WebCacheV01.dat database. This means the pages start
at offset 0, 32768, 65536, 98304 and so on (i.e., they increase in steps by 32 kB).
Forensic analysis of the ESE database in Internet Explorer 10
- 17 -
Figure 3: Hex view of the database header
Forensic analysis of the ESE database in Internet Explorer 10
- 18 -
Forensic analysis of the ESE database in Internet Explorer 10
- 19 -
5 Experiments
Using the software ESEDatabaseView a basic examination of the database was
performed in experiment 1. The goal was to present both the program
ESEDatabaseView and the structure of the WebCacheV01.dat database with its
containers and source paths.
In order to explore the possibility of acquiring deleted records as well as
possible data stored from a session of InPrivate browsing the second
experiment was performed. We based this experiment upon the work of
Chivers and Hargreaves "Forensic data recovery from the Windows Search
Database" [6] and the work "Forensic examination of Windows Live Messenger
2009 Extensible Storage Engine" [7] by van Dongen et al., but with the ESE
database of Internet Explorer 10 in mind. With guidance from Howard Chivers,
and the use of his software wdsCarve, a series of exploratory attempts were
made.
5.1 Preparing the lab environment
The experiments on the WebCacheV01.dat database have been conducted on a
virtual machine with the following specifications:
 Windows 7 Professional x64, Service Pack 1
 2 GB RAM
 1 CPU, 4 cores
 60 GB HDD
After installing the OS we proceeded with updating the system using the built in
Windows Update. We made sure all available updates, including Internet
Explorer 10, were installed, and then created a snapshot of the completely up to
date system in VMware Workstation. After every experiment we used this
snapshot to revert the machine back to a point where the browser had never
been launched.
Note: When installing IE10 on a Windows 7 system a new registry key is created.
It is located under “Software/Microsoft/Internet Explorer” in the HKCU hive, right
under the key TypedURLs, and is called TypedURLsTime. (In Windows 8 the key is
there from scratch.)
We chose to conduct the experiments on a Windows 7 machine mainly because
it, at this moment (April 2013), is the most used operating system [3, 4].
Forensic analysis of the ESE database in Internet Explorer 10
- 20 -
However, most of the information presented in this thesis should also be true
for the WebCacheV01.dat database in Windows 8.
5.2 Acquiring files from the WebCache directory
Most times on a running system we find that the ESE database in Internet
Explorer 10, WebCacheV01.dat, is locked (i.e., in use by a program or service).
This is because it is dependent on the WinINet.dll.
WinINet (Windows Internet) is an application programming interface (API)
which enables applications to interact with the protocols HTTP and FTP to
access Internet resources. This DLL is loaded by the program taskhost.exe on
system startup. [10]
Taskhost.exe is a generic process in Windows which acts as a host for processes
that runs from DLLs rather than from EXEs. There may be many instances of
taskhost.exe running on a system, as there will be one instance of taskhost.exe
for every DLL-based service that is running.
As the WebCacheV01.dat database is kept online by WinINet, it can’t in an easy
manner be copiout of the WebCache directory. We made some research
online and noticed that the most common way to deal with this is by using the
Volume Shadow Copy Service to copy the file. There are many programs that
can do this in an easy way, but we found this to be very time consuming and
wondered what would happen if we instead just disabled the taskhost.ex service. This seemed to work just fine, and to verify nothing happened to the
database using this method, we calculated MD5 hashes for the database when
recovered using both methods. First we used thprogram ShadowCopy to
acquire the database and when that was done we disabled the taskhost.exe
process and copied the database again. The MD5 values for the files were an
exact match, see figure 2. We therefore adopted this method by creating a batch
file on a USB drive and used it to acquire the database in our experiments (see
Appendix A).
Figure 4: MD5 hashes for the database acquired in two different manners
Forensic analysis of the ESE database in Internet Explorer 10
- 21 -
5.3 Experiment 1: Database overview
The database used for this experiment contains regular browsing, such as
Google searches, news reading and document downloads.
Note: The ESE database is none consistent and the container numbers may
change from system to system (“History” can for example be container 2 and 4).
When opening the database in ESEDatabaseView we find all the containers in a
slide down menu in the upper left corner. When we navigate to the container
named "Containers" we get an overview of the entirety of the database as seen
in figure 5 and 6 below.
Figure 5: Left side of the table named “Containers”, providing information such as
container IDs and name of the data stored in the specific containers
Forensic analysis of the ESE database in Internet Explorer 10
- 22 -
Figure 6: Right side of the table named “Containers”, providing the full paths to the data
stored in the containers
The first container in our database is named "feedplat". This container is the
home of RSS feeds stored within the browser and its full source destination is:
%systemdrive%\Users\%user%\AppData\Local\Microsoft\Feeds
Cache\
The second container is named "ietld". This is a collection of top level domains,
full path to its source is:
%systemdrive%\Users\%user%\AppData\Roaming\Microsoft\Windows\
IETldCache\
The third and sixth container is of much importance since these contain th
visited URL's together with timestamps. The containers named MSHist01* ar also of importance and linked with containers 3 and 6. More about these
further down.
The forth container is named "IECompatCache" and is a pre-compiled list of
sites from Microsoft with webpage's best view in the Compatibility View Mode
and its source can be found here:
%systemdrive%\Users\%user%\AppData\Roaming\Microsoft\Windows\
IECompatCache\
Regarding the fifth container named "iecompatuaCache", there is very little
information about what exactly it is and we have yet to find exactly what it
s. We believe however it is closely related to the "IECompatCache"
container. Its location can be found here:
Forensic analysis of the ESE database in Internet Explorer 10
- 23 -
%systemdrive%\Users\%user%\AppData\Roaming\Microsoft\Windows\
iecompatuaCache\
Containers 7 and 9 are named "Content" and these are a collaboration of the
"low" and regular temporary internet files. Source paths:
%systemdrive%\Users\%user%\AppData\Local\Microsoft\Windows\Te
mporary Internet Files\Low\Content.IE5\
%systemdrive%\Users\%user%\AppData\Local\Microsoft\Windows\Te
mporary Internet Files\Content.IE5\
Containers 8 and 11 are named "Cookies" and also contain the browsers "low"
and regular saved cookies, their source path is:
%systemdrive%\Users\%user%\AppData\Roaming\Microsoft\Windows\
Cookies\Low\
%systemdrive%\Users\%user%\AppData\Roaming\Microsoft\Windows\
Cookies\
Container 12 is named "DOMStore" and is the location of Web Store "cookies".
The DOM stands for Document Object Model. The storagcan be compared to
regular HTTP cookies because it allows for sites to save specific data to th system, just in a larger amount and allows some new options [20]. Its source
path is:
%systemdrive%\Users\%user%\AppData\LocalLow\Microsoft\Interne
t Explorer\DOMStore\
Container 13 is named "iedownload" and contains (if any) downloaded files
information and history, its path is:
%systemdrive%\Users\%user%\AppData\Roaming\Microsoft\Windows\
IEDownloadHistory\
Container 10 is of importance since we believe that these are made up of visited
URL's per day. Its name is derived from MSHist01YYYYMMDDYYYYMMDD.
Based on observations we believe that if you surf the web on for example Mars
19, 2013, and Mars 20, 2013, a container would be created in the databas named MSHist012013031920130320. The very same URL's found in these are
also stored in containers 3 and 6.
The source location for the MSHist01* files is:
%systemdrive%\Users\%user%\AppData\Local\Microsoft\Windows\Hi
story\History.IE5\
Forensic analysis of the ESE database in Internet Explorer 10
- 24 -
The History.IE5 folder is a hidden directory in Windows and can (depending on
rights and system) be hard to access. If that is the case you could try
accessing it using the attributes seen in figure 7 below.
Figure 7: CMD input
When you have access to the folder you will find the MSHist01* files. When w accs these files, we find what seems to be the old index.dat file. Mor investigation is needed to say if this index.dat file is the same or similar to old index.dat files used in IE1 through IE9. Figure 8 and 9 below shows the
folder access using CMD.
Figure 8: Files contained within the folder History.IE5 shown with command “dir” in CMD
Figure 9: Using prefix /a with command “dir” we see the index.dat inside the MSHIST01
folder
Containers 3 and 6 are named ”History”, and contain the visited URL's. Insid the containers we also find timestamps for each of the visited URL's. The source
for the History URL’s is the same as for the MSHist01* containers and shares its
data.
5.4 Experiment 2: Recovery of deleted database records
As seen in the previous section (5.3), the WebCacheV01.dat database gathers its
information from various locations on the system. When a user clears the
browsing history from within the browser, as in figure 10, the records are also
Forensic analysis of the ESE database in Internet Explorer 10
- 25 -
deleted from the database. This experiment was conducted to answer our last
research question; is it possible to recover deleted records from the database?
Figure 10: Options to delete browsing history in Internet Explorer 10
Filling up the database
To have full control over the browsing history in this experiment we decided to
fill up a new database instead of using the one from the previous experiment.
As was done in expiment 1, the database was filled up by some quite
extensive surfing. After the browsing was done the system was rebooted in
order to make sure the log files were flushed to the database.
With the previous browsing session "in the bag", tbrowser was re-opened
and started in InPrivate mode. A couple of key searches were done in this mode
using Google so that we should be able to easily extinguish InPrivate searches
from our regular browsing session.
Forensic analysis of the ESE database in Internet Explorer 10
- 26 -
The system was then rebooted yet again and as it camack up, we acquired
the database with our batch file. After another reboot the browsing history wa deleted using the options inside the browser (see figure 10 on the previous
page). A final site was visited (www.aftonbladet.se) after the history had been
deleted.
The system was yet again rebooted and the database was acquired with the use
of the batch script.
Verifying data stored in the two acquired databases
We recovered both the acquired databases to a clean shutdown state using
esentutl (as demonstrated in section 4.4), and opened them in Nirsoft’s
ESEDatabaseView for analysis.
When looking through the first acquired database we could, as expected, find
all visited URLs and the downloaded files, but none of the URLs visited in the
InPrivate session. (When InPrivate mode was engaged we searched for "how to
kill superman with kryptonite" and "power rangers" using Google, and visited
the top search results.)
In the other database we could only find records connected to the site we
visited after deleting the browsing history and thus the previous records that
can be seen in figure 11 was deleted.
Forensic analysis of the ESE database in Internet Explorer 10
- 27 -
Figure 11: Browsing history present in the last acquired database
Carving with wdsCarve
Figure 12 shows the progress of the carving program.
Figure 12: Initiate the database carving
The output file, CarvedData.csv, can be viewed using Excel. Each carved record
takes up one row, as seen in figure 13.
Forensic analysis of the ESE database in Internet Explorer 10
- 28 -
Figure 13: Overview of the output data from wdsCarve performed on the last acquired
database.
As seen in figure 13 there is more data than just the URL from the single site
that was visited shortly after the browsing history was deleted. When
examined, every single record that was deleted through the use of Internet
Explorers own interface was recovered using this carving technique.
The output data in the file CarvedData.csv is quite large in this experiment, so
in order to find if there are any traces of our InPrivate session we simply us CTRL+F to search through the document. As previously mentioned, we googled
the string “how to kill superman with kryptonite” in our InPrivate browsing
session.
The search for "superman" yields the following result:
794,2,0,3081990198304673138,3,1301,131393,2,1,2013-05-10 07:49:4 2013-05-10 06:49:40,0,2013-05-10
07:49:40,0,0,0,http://www.google.se/url?sa=t&rct=j&q=how to kill superman
with%20kryptonite&source=web&cd=1&sqi=2&ved=0CCoQFjAA&url=http%3A%2F%2Fwww.
killermovies.com%2Fforums%2Farchive%2Findex.php%2Ft-410593-how-exactly-does-
kryptonite-kill-
superman.html&ei=i6aMUazqEMjBtAawl4DIAg&usg=AFQjCNF5iwfq5FnIb6xO4dwzQnT1GWSg
Cw&bvm=bv.46340616,d.Yms,url[1].htm,-,-,-,-,-,-,7192577
The string above is one of several cords connected with the InPrivate search.
A larger output can be seen in figure 14 below. The first portion is a timestamp
followed by a URL. The time provided is in UTC.
Forensic analysis of the ESE database in Internet Explorer 10
- 29 -
Figure 14: Carving shows database records of InPrivate browsing
More research is needed to tell if there are some pronounced difference
between regular browsing history and InPrivate history when carved. This
could be of importance since in this experiment, the search terms used ile
InPrivate was active were known. This is not always the case wh investigating and could prove valuable in order to easily distinguish between
regular and InPrivate browsing.
Forensic analysis of the ESE database in Internet Explorer 10
- 30 -
Forensic analysis of the ESE database in Internet Explorer 10
- 31 -
6 Results & Discussion
In chapter 4 we presented the WebCache directory and what it contains. W
explained WinINet and its connection to ESE and we also took a look at the
WebCacheV01.dat using a hexeditor tget a better understanding of how it
worked. After that we performed two experiments to answer our research
questions regarding what data is stored in the database and if it is possible to
recover any data that has been deleted from the database.
6.1 Experiment 1
Starting out we had a thought of providing the database with small insertions
so that it wouldn't grow too large and become a hassle to analyze. When doing
sequentially larger data insertions we instead found that the database wouldn't
grow the way we anticipated in the first place. At first we thought it would
create additional containers as it grew, but instead it seems to use the
s MSHIST01 to store data and simply move history data to its specific
container as it filled up, not making additional "History" containers.
Instead we made the bulk of our analysis using our "largest" database.
Noteworthy is that we cannot say for sure that there won't be additional
containers like "History" if the database reaches a very large size since this
hasn’t been tested.
Wfound that this initial experiment would pose as a good introduction to how
the database is constructed and also serve as a basic understanding as w moved on to experiment 2. Table 2 shows different data types stored in the
database.
Name of the data stored in the container: Content:
feedplat RSS feeds
ietld Top Level Domains
iecompat Compatibility View Mode
iecompatua Unknown
History URL History
Content Temporary Internet Files
Cookies Cookies
Forensic analysis of the ESE database in Internet Explorer 10
- 32 -
Table 2: Overview of containers in WebCacheV01.dat
6.2 Experiment 2
Carving data with wdsCarve was a huge success and made for a good
connection to previous chapters.
The fact that it is possible to carve deleted records from the Extensible Storage
Engine stems in its own construction, where records that are deleted are in fact
just flagged as writable space. As stated by Chivers and Hargreaves [6] th space occupied by deleted records inot re-used until that part of the databas is being re-organized. This happens within the ESE database to maintain the
balanced structure of the B-tree (see chapter 2.1.2)
A comparison can be made to various file systems, for example NTFS, where
deleted files are removed from the "file index" and flagged as free space.
However the files can still be recovered using a carver if they have not yet been
overwritten.
The InPrivate browsing mode doesn't changthe ESE database behave and data is still stored as usual, the difference however being that the record of browsing history are deleted when the InPrivate window is closed. As
previously discussed this does not prevent the use of carving to recover
InPrivate browsing history.
MSHist01YYYYMMDDYYYYMMDD Time span of URL History
DOMStore Web Store
iedownload Downloaded files
Forensic analysis of the ESE database in Internet Explorer 10
- 33 -
Forensic analysis of the ESE database in Internet Explorer 10
- 34 -
7 Conclusion
Web history analysis is an important part of a digital forensic investigation. In
Internet Explorer 10 there is a new interesting ESE database called
WebCacheV01.dat. When acquiring the database it is important to also collect
all log files in the WebCache directory. This is to make sure the database gets as
up to date as possible when flushing the log files to the database using the
recovery option in esentutl. We found that the most convenient way to do this
was to kill the taskhost.exe process and then copy out all the files, preferably
using a batch file.
The experiments conducted for this thesis has shown that it is possible to
recover information that has previously been deleted from the database, along
with the cached files themselves. This is also possible when the browsing has
been done using the InPrivate browsing mode. The tool used for carving
deleted records from the database is Howard Chivers’ wdsCarve, which is
available from the author for forensic examiners and researchers.
The information in this thesis should provide a good resource for anyone
looking to create a tool to recover information from the WebCacheV01.dat
database. Most of what is said about the WebCacheV01.dat database in
Windows 7 should also be true for the same database in Windows 8.
7.1 Future Work
More research is needed since some new questions have risen as the
experiments and work have progressed. How does the database behave if it
contains a vast amount of data - let's say two years of recorded brows history? Will there be additional "History" containers or will it just keep adding
MSHist01* containers along the way? Due to time constraints we have not been
able to look into this as of yet.
Another useful thing to look further into would be the carved InPrivate records.
As of now, we have yet to find any indicator that immediately tells that th record originates from an InPrivate browsing session. It would prove valuable
for forensic examinations to be able to distinguish between normal browsing
sessions and InPrivate sessions when looking at carved data.
Forensic analysis of the ESE database in Internet Explorer 10
- 35 -
Forensic analysis of the ESE database in Internet Explorer 10
- 36 -
References
[1] Kruse W., Hesier J., ”Computer Forensics: Incident Response Essentials”,
2001, p. 2
[2] Magnet Forensics, “Internet Evidence Finder”, (accessed April 2013),
http://www.magnetforensics.com/products/internet-evidence-finder/
[3] W3Schools, “OS Platform Statistics”, (accessed April 2013),
http://www.w3schools.com/browsers/browsers_os.asp
[4] NetMarketShare, “Desktop Operating System Market Share“, (accessed April
2013), http://www.netmarketshare.com/
[5] Metz J., ”Extensible Storage Engine (ESE) Database File (EDB) format
specification, v0.0.19”, 2012 (accessed April 2013),
https://libesedb.googlecode.com/files/Extensible Storage Engine
%28ESE%29%20Database%20File%20%28EDB%29%20format.pdf
[6] Chivers H., Hargreaves C., “Forensic data recovery from the Windows Search
Database”, 2011,
http://www.sciencedirect.com/science/article/pii/S1742287611000028
[7] van Dongen W., Toorop W., Blokhuis J., ”Forensic examination of Windows
Live Messenger 2009 Extensible Storage Engine”, 2009,
https://www.os3.nl/_media/2008-
2009/students/willem_toorop/wlm2009_ese_fin.pdf
[8] Microsoft MSDN, ”Extensible Storage Engine”, (accessed April 2013),
http://msdn.microsoft.com/en-us/library/5c485eff-4329-4dc1-aa45-
fb66e6554792.aspx
[9] CodeProject – Bakiev A., “Extensible Storage Engine”, 2011 (accessed April
2013), http://www.codeproject.com/Articles/52715/Extensible-Storage-
Engine
[10] Microsoft MSDN, “About WinINet”, (accessed April 2013),
http://msdn.microsoft.com/en-
us/library/windows/desktop/aa383630(v=vs.85).aspx
[11] VMware, “VMware Workstation”, (accessed April 2013),
http://www.vmware.com/se/products/desktop_virtualization/workstation/o
verview.html
[12] Runtime Software, “ShadowCopy”, (accessed April 2013),
http://www.runtime.org/shadow-copy.htm
Forensic analysis of the ESE database in Internet Explorer 10
- 37 -
[13] NirSoft, “ESEDatabaseView”, (accessed April 2013),
http://www.nirsoft.net/utils/ese_database_view.html
[14] X-Ways, “WinHex”, (accessed April 2013), http://www.x-
ways.net/winhex/
[15] Chivers H., “wdsCarve”, (accessed April 2013). Available to forensic
investigators and researchers from the author.
[16] Microsoft MSDN, “Extensible Storage Engine Files”, (accessed April 2013),
http://msdn.microsoft.com/en-
us/library/windows/desktop/gg294069(v=exchg.10).aspx
[17] Baher M, “Who said that transaction goes from Logs to DB!!!!!”, 2008
(accessed April 2013),
http://blogs.technet.com/b/mbaher/archive/2008/01/22/who-said-that-
transaction-goes-from-logs-to-db.aspx
[18] Microsoft TechNet, “Default ESE log buffers have been changed”, (accessed
April 2013), http://technet.microsoft.com/en-
us/library/aa998538(v=exchg.80).aspx
[19] Bunting S., “EnCE The official EnCase Certified Examiner (Second edition)”,
2008, p. 95
[20] Microsoft MSDN, “Introduction to Web Storage”, (accessed April 2013),
http://msdn.microsoft.com/en-us/library/cc197062(v=vs.85).aspx
[21] Mississippi State University, “Empirical Research – Tutorial”, (accessed
July 2013), http://library.msstate.edu/li/tutorial/empirical
Forensic analysis of the ESE database in Internet Explorer 10
- 38 -
Forensic analysis of the ESE database in Internet Explorer 10
- 39 -
Appendix A
Wcreated this batch file and put it on a USB drive to speed up the acquiring of
the WebCache directory for our experiments. It kills the taskhost.exe processes
and copies all files in the WebCache directory to the USB drive.
@echo off
:: Forcibly kills the process taskhost.exe and all child processes
taskkill /f /im "taskhost.exe" /t
:: Tells xcopy to copy _all_ files and subdirectories and create
:: the folders on the flash drive if they don't exist.
setcopywc=xcopy /s /c /e /h /i /r /y
:: Copy the WebCache directory to the flash drive.
%copywc% "%userprofile%\AppData\Local\Microsoft\Windows\WebCache"
"%drive%\IE10\%computername% - %username%\WebCache"
:: Create a logfile with date and time.
echo Timestamp: %date% %time% >> "%drive%\IE10\%computername% -
%username%\logfile.txt"
cls
HALMSTAD UNIVERSITY • PO Box 823 • SE-301 18 Halmstad, Sweden • www.hh.se
Authors
Bonnie Malmström
Contact: [email protected]
Philip Teveldal
Contact: [email protected]
Code:
http://www.wilderssecurity.com/threads/delete-webcachev01-dat-webcachev01-dat-viewer-deleter.352630/
Delete this WebCacheV01.dat is possible but it recreates itself.
Changing the permissions on the WebCache folder, which is a hidden folder in AppData\Local\Microsoft\Windows, can be done but you will have strange behavior of your OS.

There is information that it is used by IE10 and above, but I don't use IE at all.
There is a tool so you can see what is stored;
Code:
http://www.nirsoft.net/utils/ese_database_view.html
My question is why is there so little information on this file, even on technet.

If someone has more information about this file, please post replies.

Why do I post it in this thread?
Because I think there is more stored at this database, the size its gonna get is uncontrolable!

I am concerned about my privacy.
Click to expand...
that file is part of a newer version of the old jet database we used do get rid of in windows xp. as far as the change. from what i read it is used by a lot more nowadays and the file size maximum is 2 TiB. there's a wikipage that goes into a lot of detail.

Yen · Oct 8, 2014

KnowledgeableNewbie said: ↑

sorry if this post offends you, it's not meant to in any way. just that when anyone posts a recommendation i have a bad habit of doing some research even if it's not something i'd use ( no smartphome ). came across this from 2013 ( hxxps://www.os3.nl/_media/2013-2014/courses/ssn/projects/threema_report.pdf ). it basically gives a thumbs up, but as far as NSA safe section 3.2 may suggest otherwise. one of the tricks or illegalities that the NSA uses is that one they read whatever, they can ( according to what i've read ) start monitoring each user mentioned in your communications, so if a talks to b, b is monitored, and if b talks to c, c is monitored, and so on. if c is suspected of wrongdoing then a is guilty by association according to the NSA ( yeah i know stupid, but true ). just a little food for thought. have to research a little more and see what i come up with.
Click to expand...

No your post does not offend me, the contrary I like people posting their opinion.
The pdf is interesting it confirms what I knew about...

You are talking about collecting meta data. The encryption cannot be broken (so far) not even by the NSA. So they cannot read any content.
What they can is to create meta data profiles (if at all) of Threema IDs which are totally anonymous until otherwise shared. There is no reference to a personal address except one gets hands on the device physically and pass is located in RAM.

That what you name user a,b,c etc. are anonymous threema IDs which can be profiled by collecting meta data.

I am not speaking of absolute terms, but people using messengers such as whatsapp would do it much better when using threema instead..and of course some common sense is needed when using threema (using strong pass, prevent physical access for anybody, or if one ('officials') should get ones hands on the device then reboot to remove decrypted pass in RAM)
I do not recommend frequently, but I post about things that convinced myself.

The problem is many people do not want to move from whatsapp, because their friends are still on whatsapp and don’t also move.

It is pure laziness or unawareness, or they simply don’t care.
Each person needs to decide on their own, though.
I deleted whatsapp as soon as Suckerberg acquired it for 15 billion. 15 billion for an app, that is insane.

Think about what could be done with that amount (humanitarian aid) or the like....

KnowledgeableNewbie · Oct 8, 2014

here's another interesting one: hxxp://sseblog.ec-spride.de/2014/05/easily-extracting-encrypted-messages-from-threema-textsecure-and-co/. the last part is the most relevant.

Yen · Oct 9, 2014

To read out the notification / status bar is a good point. Anyway I think the problem is a general problem. It's actually no problem it is common and can become a problem if one is not careful.

To read the messages on the screen they need to be decrypted sooner or later. A part then is located in clear text in physical memory (RAM or video RAM). Regardless of one needs special rights to read out RAM or not (to read out the bar), there is a potential vulnerability.
The threema app itself decrypts only a small part of the messages, never the entire chat.

This is common sense. So the user needs to cultivate own behavior to minimize risks.

Threema is to blame for that the preview in the notification bar is enabled per default, but for nothing else. The user should switch off the preview since nobody really needs it.
The Android service itself can stay enabled, threema does not show any letter then...

The issue isn’t that one can read out the notification bar without to have special rights, the issue is that the message sooner or later is found in clear text in memory AND people installing (free) apps without to read what rights they demand.
A service/ app could read parts of threema messages directly from RAM….
Best is to keep the times where messages are decrypted in RAM as short as possible.

But we’re talking here already about malware then and an infected device.

Dopamine · Nov 6, 2014

Tor project is one of the best solutions for me. I also use VPN and proxies. When I want to hide my online identity I use VPN by HideMyAss or go for proxies with Citrio browser. It is up to you, what service or applications to use for VPN and proxies though. Anyway those 3 pillars make up my privacy protection tool set.

nodnar · Nov 20, 2014

http://www.amnesty.org/en/news/dete...surveillance-questions-and-answers-2014-11-20
is new today...
ran it.
apart from putting one of my cores at 100% and managing to start my desktop`s fan [ it rarely runs..] there was zero indication
of what it actually does, just said it found nothing, after ~10 mins. [ i5 iveybridge, w7 ]
still. i like the iniative. it is a new approach, which is better than messing with tor, firefox, and other obsolete rubbish..
so thought i would share it here. for what it is worth.

gorski · Nov 21, 2014

Thanx!

Very cool! I used to volunteer for Amnesty, btw... Good stuff!

gorski · Jan 20, 2015

I don't know if anyone posted this so on the off chance you don't know about it, here it is:

This is the good bit from the article, btw...

[h=2]Inside the NSA's War on Internet Security[/h]

http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

Things first become troublesome at the fourth level. The presentation states that the NSA encounters "major" problems in its attempts to decrypt messages sent through heavily encrypted email service providers like Zoho or in monitoring users of the Tor network*, which was developed for surfing the web anonymously. Tor, otherwise known as The Onion Router, is free and open source software that allows users to surf the web through a network of more than 6,000 linked volunteer computers. The software automatically encrypts data in a way that ensures that no single computer in the network has all of a user's information. For surveillance experts, it becomes very difficult to trace the whereabouts of a person who visits a particular website or to attack a specific person while they are using Tor to surf the Web.

The NSA also has "major" problems with Truecrypt, a program for encrypting files on computers. Truecrypt's developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism -- an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple -- show that the NSA's efforts appear to have been thwarted in these cases: "No decrypt available for this OTR message." This shows that OTR at least sometimes makes communications impossible to read for the NSA.

Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP. This type of combination results in a "near-total loss/lack of insight to target communications, presence," the NSA document states.
ZRTP, which is used to securely encrypt conversations and text chats on mobile phones, is used in free and open source programs like RedPhone and Signal. "It's satisfying to know that the NSA considers encrypted communication from our apps to be truly opaque," says RedPhone developer Moxie Marlinspike.

Too Robust for Fort Meade

Also, the "Z" in ZRTP stands for one of its developers, Phil Zimmermann, the same man who created Pretty Good Privacy, which is still the most common encryption program for emails and documents in use today. PGP is more than 20 years old, but apparently it remains too robust for the NSA spies to crack. "No decrypt available for this PGP encrypted message," a further document viewed by SPIEGEL states of emails the NSA obtained from Yahoo.

Phil Zimmermann wrote PGP in 1991. The American nuclear weapons freeze activist wanted to create an encryption program that would enable him to securely exchange information with other like-minded individuals. His system quickly became very popular among dissidents around the world. Given its use outside the United States, the US government launched an investigation into Zimmermann during the 1990s for allegedly violating the Arms Export Control Act. Prosecutors argued that making encryption software of such complexity available abroad was illegal. Zimmermann responded by publishing the source code as a book, an act that was constitutionally protected as free speech.

PGP continues to be developed and various versions are available today. The most widely used is GNU Privacy Guard (GnuPG), a program developed by German programmer Werner Koch. One document shows that the Five Eyes intelligence services sometimes use PGP themselves. The fact is that hackers obsessed with privacy and the US authorities have a lot more in common than one might initially believe. The Tor Project*, was originally developed with the support of the US Naval Research Laboratory.
Click to expand...

For the nitty-gritty, not so rosy stuff for us, invest some time in reading this enlightening article fully! WARMLY RECOMMENDED!!!

VPN secure only virtually, e-commerce, online banking etc. protocols are cr@p and so on and so forth...

AYAYAYAYAAAAAAAAAAAAAAAAAYYYYYYYYYYYYY!!!!!!!!!

Yen · Jan 20, 2015

VPN is no encryption! It is a way to connect 2 different networks through a tunnel. VPN generally says nothing about security at all, people should know....

It depends on 'what' comes through it.

Something I had posted already: http://forums.mydigitallife.net/thr...opinions/page9?p=821273&viewfull=1#post821273

An additional end-to-end asymmetric encryption makes the VPN NSA secure.
Additional drive encryption on the fly in case of seizure of the devices....

Vulnerable by infection are always the end devices due to their 'different use', though. Nobody should forget that.

There're different ways of to spy. To spy on a particular person, a particular device (routers, nodes), a particular service....and finally general data collection / collection of meta data.
It strongly depends on that all what actually can be made readable and what not.

BTW: A very informative article, it confirms what I knew so far...

gorski · Jan 20, 2015

Not quite, Yen, as most VPNs I saw state something in line with this:

http://sharewareonsale.com/s/steganos-okayfreedom-vpn-giveaway-coupon-sale

OkayFreedom VPN Premium provides you unlimited, encrypted VPN access to servers in elevent countries around the world: Germany, USA, Switzerland, Great Britain, France, Japan, Singapore, Egypt, Romania, Spain, and Turkey.
Aside from protecting your privacy by not saving or logging IP addresses, websites, content, etc. while you use it, OkayFreedom VPN detects geographically blocked content (e.g. videos) and automatically unblocks the content by using the necessary VPN server.

Click to expand...

or

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. The VPN uses "virtual" connections routed through the Internet from the business's private network to the remote site or employee. By using a VPN, businesses ensure security -- anyone intercepting the encrypted data can't read it.
Click to expand...

MysTikAL3 · Feb 2, 2015

Huge Security Flaw Leaks VPN Users’ Real IP-Addresses

1-30-15 News

VPN users are facing a massive security flaw as websites can easily see their home IP-addresses through WebRTC.
The vulnerability is limited to supporting browsers such as Firefox and Chrome, and appears to affect Windows users only.
Luckily the security hole is relatively easy to fix.

....continued....
A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

....continued....

EFA11 · Feb 2, 2015

yup, that is a big one. Although it is an easy fix, it still shows why there should be a VPN with its own built in browser/tools to work as one with its own security set.

Too many cooks in the kitchen trying to protect your privacy cannot always be good. That is like putting a chicken in the oven, and it comes out hagus.

R29k · Feb 2, 2015

Been using the Chrome fix a while now
https://chrome.google.com/webstore/...dm?utm_source=chrome-app-launcher-info-dialog

ktgrrl · Jul 20, 2015

Greetings! I've read this thread (and many others) from start to finish, and I'm a bit confused by this thread about privacy.

Maybe it's something in my browser settings (Firefox, with StartPage as my only search engine) but every time I've done a search WITHIN MDL it always displays search results through Google. I know StartPage uses Google (supposedly anonymously) when I do an ordinary web search in my browser, but given the content of many threads here, why would MDL trust Google to do searches within its forum??? Isn't that a big privacy risk to the forums as well as to members?

I've done many searches within MDL since I joined, and they've always shown up in Google, but I never use Google directly in my browser since they do too much data collection for me. Searching recently within MDL I've had a few bot-queries from Google and from my ISP on account of some of those searches, including one today that brought me to this very thread about -- wait for it -- Privacy!!! Can MDL do something to make its in-site searches more private, or is it something I need to do in Firefox?

Although a lot of the info in MDL is far beyond my comprehension, it seems too valuable to put it in jeopardy if Google really is the search-master. Please, somebody tell me if I'm wrong, and/or what I should do on my end to make MDL searches more secure. Thanks!

Michaela Joy · Jul 20, 2015

Hiya ktgrrl,
If you're worried about search privacy, try https://duckduckgo.com/

Oh, and Welcome to MDL.

:MJ

ktgrrl · Jul 20, 2015

Hi Michaela Joy, Thanks for the welcome, the suggestion, and the amazingly quick reply! I've just changed my search default back to DuckDuckGo. (It used to be my default until I discovered StartPage.) Then I came back and did another search inside MDL, and it still shows me results through Google. Google isn't in my list of allowed search engines. Is this something in MDL or am I doing something wrong? I appreciate any advice. Thanks!

Michaela Joy · Jul 20, 2015

For the answer to that question, you might PM Yen. He is an Admin here and He's very nice.
I'm sure that He will give you an answer that makes sense.

:MJ

ktgrrl · Jul 20, 2015

Will do. Thanks so much!

Tools which protect our privacy. Post your tools / ways you are using and opinions.

KnowledgeableNewbie MDL Member

KnowledgeableNewbie MDL Member

KnowledgeableNewbie MDL Member

Yen Admin
Staff Member

KnowledgeableNewbie MDL Member

Yen Admin
Staff Member

Dopamine MDL Novice

nodnar MDL Expert

gorski MDL Guru

gorski MDL Guru

Yen Admin
Staff Member

gorski MDL Guru

MysTikAL3 MDL Senior Member

EFA11 Avatar Guru

R29k MDL GLaDOS

ktgrrl MDL Novice

Michaela Joy MDL Crazy Lady

ktgrrl MDL Novice

Michaela Joy MDL Crazy Lady

ktgrrl MDL Novice

Tools which protect our privacy. Post your tools / ways you are using and opinions.

KnowledgeableNewbie MDL Member

KnowledgeableNewbie MDL Member

KnowledgeableNewbie MDL Member

Yen Admin Staff Member

KnowledgeableNewbie MDL Member

Yen Admin Staff Member

Dopamine MDL Novice

nodnar MDL Expert

gorski MDL Guru

gorski MDL Guru

Yen Admin Staff Member

gorski MDL Guru

MysTikAL3 MDL Senior Member

EFA11 Avatar Guru

R29k MDL GLaDOS

ktgrrl MDL Novice

Michaela Joy MDL Crazy Lady

ktgrrl MDL Novice

Michaela Joy MDL Crazy Lady

ktgrrl MDL Novice

Yen Admin
Staff Member

Yen Admin
Staff Member

Yen Admin
Staff Member