I’m currently working on a solution to collect files off a live system to be used during some IR processes. I won’t go into any great detail but I’m limited to only using built-in Windows utilities. I need access to browser history data and while Chrome and Firefox allow copying of the history files, the WebCacheV01.dat file that IE and Edge history are stored in is a locked file and cannot be copied using native copy commands/cmdlets like Xcopy, Copy-Item, RoboCopy, etc.
ESE Database Files and ESENTUTL.EXE
The WebCacheV01.dat file is an ESE (Extensible Storage Engine) database file and there is a built-in tool for performing maintenance operations on such files: esentutl.exe. I started wondering if I could use this tool to export the database or at least dump the history. Running esentutl.exe from a command prompt, we see two interesting options: /m to dump a file and /y to copy a file.
Copying the file sounds great to me. Let’s try:
esentutl.exe /y WebCacheV01.dat /d C:\Path\To\Save\WebCacheV01.dat
Strike 1. That gives us the same “file is being used” error that I received with other copy commands. OK, so taking another look at the copy options, I see the /vss and /vssrec options. A couple of important distinctions here:
- I am running Windows 10, build 1803. The /vss and /vssrec options are only available on Win 10 and Server 2016 or later.
- The /vss and /vssrec options require you to be running as an admin.
The /vss option “copies a snapshot of the file, does not replay the logs”. We’ll talk a little more about the transaction logs later but let’s go with the /vss option for now.
With /vss added, the copy succeeds. That’s much better. If I open up the copied WebCacheV01.dat file in ESEDatabaseView or BrowsingHistoryView, I see browsing history leading up to my testing. Initially, I thought it was grabbing a copy of the file from a previous Volume Shadow Copy (VSC) but that isn’t the case. Esentutl.exe is able to use the Volume Shadow Copy service to make a backup of a locked file. This can be done even if VSCs are disabled on the system.
What about the /vssrec option? Data is not written directly to the database file. In simple terms, data is instead written to RAM and then to transaction logs before being flushed into the database file. Microsoft’s documentation says: “The data can be written to the database file later; possibly immediately, potentially much later.”
I did some testing with this and I’m not sure under what scenarios this doesn’t happen right away. I opened up Edge and navigated to a new page, then immediately copied the WebCacheV01.dat file while Edge was still open and it contained this new entry.
Just keep in mind that when using the /vss option only, we have the potential to miss entries that have not been written to the database. Using the /vssrec option will replay these transaction logs. This is the syntax used:
esentutl.exe /y C:\Path\To\WebCacheV01.dat /vssrec V01 . /d c:\exports\webcachev01.dat
This can be a double-edged sword though because you also have the potential to lose deleted records that have yet to be purged from the database once the logs are flushed. If this is a concern you could go with both options and just save two copies of the file. This article from SANS provides more details on the ins and outs of ESE databases and transaction logs.
Additional Uses of Esentutl.exe
So we know we can use esentutl.exe to copy ESE database files, but what about other locked files? Well, it turns out you can. In this example, I grab a copy of the NTUSER.dat file for the currently logged-in account.
I really like this as an option for copying system files when doing investigations or even testing. I’m sure it has value to Red Teams as well as it allows you to grab other hives like the SAM and other ESE databases like NTDS.dit without introducing outside tools or using PowerShell. Blue Teams can detect this type of activity by auditing process creation and looking for activity by esentutl.exe, particularly with the /vss switch.
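A small detection routine for the process-creation auditing just described, added here as an example that is not part of the original post: it scans 4688-style command lines for esentutl.exe /y copies, notes whether the /vss or /vssrec switch is present, and rates each hit by whether the source file is one of the files named above. The sample command lines are constructed, and the severity scheme is an assumption for illustration.

```python
import re

# Files worth alerting on when they are the source of an esentutl.exe /y copy.
# Matched on file name only, so drive letters and profile paths do not matter.
SENSITIVE_TARGETS = {
    "webcachev01.dat": "IE/Edge browsing history (ESE)",
    "ntuser.dat": "user registry hive",
    "sam": "SAM registry hive",
    "system": "SYSTEM registry hive",
    "ntds.dit": "Active Directory database (ESE)",
}

# esentutl accepts switches with either '/' or '-'; both forms are matched.
_ESENTUTL = re.compile(r"(?:^|[\\\s\"'])esentutl(?:\.exe)?(?=[\s\"']|$)", re.IGNORECASE)
_SOURCE = re.compile(r'[/-]y\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)  # /y <source file>
_VSS = re.compile(r"[/-]vss(?:rec)?(?=\s|$)", re.IGNORECASE)
_VSSREC = re.compile(r"[/-]vssrec(?=\s|$)", re.IGNORECASE)

def analyze_command_line(cmdline):
    """Classify one process-creation command line; None unless it is an esentutl /y copy."""
    if not _ESENTUTL.search(cmdline):
        return None
    m = _SOURCE.search(cmdline)
    if not m:
        return None  # esentutl without /y (e.g. /m dump, /p repair) is not a file copy
    source = m.group(1) or m.group(2)
    description = SENSITIVE_TARGETS.get(source.rsplit("\\", 1)[-1].lower())
    uses_vss = bool(_VSS.search(cmdline))
    if uses_vss and description:
        severity = "high"    # locked-file copy of a known sensitive file
    elif uses_vss or description:
        severity = "medium"  # one indicator only: worth a look, not a page
    else:
        return None
    return {"severity": severity, "source": source, "target": description or "unknown",
            "vss": uses_vss, "replays_logs": bool(_VSSREC.search(cmdline))}

def scan_events(command_lines):
    """Apply analyze_command_line to a batch of command lines and keep only the alerts."""
    return [a for a in map(analyze_command_line, command_lines) if a]

# Constructed sample command lines (4688 "Process Command Line" style, not real events).
SAMPLE_COMMAND_LINES = [
    r"esentutl.exe /y C:\Users\bob\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat /vss /d C:\exports\WebCacheV01.dat",
    r"esentutl.exe /y C:\Users\bob\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat /vssrec V01 . /d c:\exports\webcachev01.dat",
    r'"C:\Windows\System32\esentutl.exe" /y "C:\Windows\System32\config\SAM" /vss /d C:\Temp\sam.bak',
    r"esentutl.exe /y C:\Users\bob\NTUSER.DAT /d C:\Temp\ntuser.bak",
    r"esentutl.exe /m C:\Data\app.edb",
]
```

Feed it the command-line field from Security 4688 or Sysmon event 1 records; a "high" result with replays_logs set is the /vssrec copy shown earlier.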
I’m still looking for a good way to get IE/Edge browser history on the versions of Windows that do not have the /vss switch so if you’ve got any ideas there, let me know.