IE 10,11,Edge Browsing History

Overview

Evidence: IE 10,11,Edge Browsing History
Description: Collect visited URLs from Internet Explorer and Edge
Category: Applications
Platform: windows
Short Name: ehst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Internet Explorer 10-11 and Edge Legacy store browsing history in ESE database files (WebCacheV*.dat). Edge Chromium uses SQLite databases like Chrome.

These databases contain comprehensive browsing history including URLs, visit timestamps, and access counts.

Data Collected

This collector gathers structured data about ie 10,11,edge browsing history.

IE 10,11,Edge Browsing History Data

Field	Description	Example
`AccessTime`	Access Time	2023-10-15 14:30:25+03:00
`AccessCount`	Access Count	123
`URL`	URL	Example value
`Browser`	Browser	Example value
`Title`	Title	Example value
`VisitDuration`	Visit Duration	Example value
`Referrer`	Referrer	Example value
`TypedCount`	Typed Count	123
`IsHidden`	Is Hidden	true
`TransitionType`	Transition Type	Example value
`VisitID`	Visit ID	123
`TransitionQualifiers`	Transition Qualifiers	Example value
`User`	User	Example value
`Profile`	Profile	Example value
`HistoryFilePath`	History File Path	Example value

Collection Method

This collector processes two database formats:

IE 10-11 & Edge Legacy (ESE):

Location: Users\*\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
Parses using libesedb library
Extracts URLs from ESE database tables

Edge Chromium (SQLite):

Location: Users\*\AppData\Local\Microsoft\Edge\User Data\*\History
Queries SQLite database
SQL: SELECT urls.url, urls.visit_count, datetime(...) FROM urls, visits WHERE urls.id = visits.url

Forensic Value

Browser history is essential for investigating web-based attacks and user activity. Investigators use this data to reconstruct web browsing timelines, identify malicious domains visited, detect phishing site visits, correlate with malware downloads, track data exfiltration websites, and establish user intent and awareness.