IE 7,8,9 Browsing History
Overview
Section titled “Overview”Evidence: IE 7,8,9 Browsing History
Description: Collect visited URLs from Internet Explorer
Category: Applications
Platform: windows
Short Name: ihst
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Section titled “Background”Internet Explorer 7, 8, and 9 store browsing history in index.dat files using the MSIECF (Microsoft Internet Explorer Cache File) format. These files contain URLs visited, access timestamps, and visit counts.
Index.dat files are located in various user profile directories depending on Windows version (XP vs Vista+).
Data Collected
Section titled “Data Collected”This collector gathers structured data about ie 7,8,9 browsing history.
IE 7,8,9 Browsing History Data
Section titled “IE 7,8,9 Browsing History Data”| Field | Description | Example |
|---|---|---|
BrowserAccessTime | When URL was accessed | 2023-10-15T14:30:00 |
BrowserAccessCount | Number of times visited | 5 |
BrowserURL | URL visited | https://www.example.com |
Browser | Browser identifier | IE 7-8-9 |
Collection Method
Section titled “Collection Method”This collector:
- Searches for index.dat files in multiple locations:
- Legacy XP paths in
Documents and Settings - Vista+ paths in
Users\*\AppData\Local\Microsoft\Windows
- Legacy XP paths in
- Collects index.dat files
- Parses using libmsiecf library
- Extracts URLs, timestamps, and visit counts
Forensic Value
Section titled “Forensic Value”IE browsing history reveals web activity and can indicate phishing, malware downloads, or unauthorized access. Investigators use this data to reconstruct web browsing activity, identify malicious websites visited, detect phishing attacks, correlate with downloads and malware infections, and establish user intent through browsing patterns.