Wednesday, July 18, 2012
Most of my initial research into the refresh and reset functions is complete. It took a while, as I've been managing many other projects at work, but within the next couple of days expect to see a few blog posts up on here and on the LCDI blog regarding my work.
On a side note, I was recently in contact with Jimmy Weg, author of http://justaskweg.com, regarding some of my prior Windows 8 research. He kindly pointed out that Windows 8 stores MSIE history within ESE databases and recommended parsing them with Mark Woan's EseDbViewer. So I popped my WebCachev24.dat file into the program, and it returned a great many results.
Personally, it's a relief to finally have a lot of progress on the WebCachev24.dat files. I had been trying to parse them at the hex level for a VERY long time. Expect a blog post on this soon too; there is a lot of testing to be set up.
Now, though, I am once again stumped by something else. Located within the user directory, <user>\appdata\local\microsoft\internet explorer\Indexed DB, is a file named NoQuota.edb. Within this file, from a purely hex view, some Internet history related items can be found, mostly (without having thoroughly tested yet) seeming to relate to Metro browsing. When attempting to open this with EseDbViewer, however, I get an error saying it needs to be repaired. So I open up a command line, run esentutl /r on it, and get an API parameter error. I thought it was maybe a Windows 7 vs. Windows 8 issue, and attempted it on both a Windows 8 VM and the native machine the EDB file came from, but continually got API parameter errors. At this point, I'm stumped.
The error reads:
Initiating RECOVERY mode...
Logfile base name: c:\users\efleisher\desktop\noquota.edb
Log files: <current directory>
System files: <current directory>
Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter) after 0.0 seconds.
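Before handing a .edb to a viewer or to esentutl, it helps to read the file's own header: the database state field records whether the engine last closed it cleanly, which is exactly what EseDbViewer is complaining about. The following script is an added example for this post (not code from the original, from EseDbViewer, or from Microsoft); it parses the fields at the documented ESE header offsets (signature at 0x04, file type at 0x0C, database state at 0x34, page size at 0xEC) and flags anything other than a clean shutdown. The sample header it builds with make_sample_header is constructed for offline testing, not taken from a real NoQuota.edb, and the 0x620 format version it writes is simply a plausible value.

```python
"""Inspect an ESE (.edb) database header to decide whether repair is needed.

Added example for this post; not code from the original or from EseDbViewer.
Header layout follows the publicly documented ESE file format:
  0x04  4 bytes  signature 0x89ABCDEF
  0x08  4 bytes  file format version
  0x0C  4 bytes  file type (0 = database, 1 = streaming file)
  0x34  4 bytes  database state (2 = dirty shutdown, 3 = clean shutdown)
  0xEC  4 bytes  page size
"""
import struct
import sys

ESE_SIGNATURE = 0x89ABCDEF

DB_STATES = {
    1: "JustCreated",
    2: "DirtyShutdown",
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}


def parse_ese_header(data: bytes) -> dict:
    """Return the interesting fields from the first page of an ESE file.

    Raises ValueError if the buffer is too short or the signature is wrong,
    so a non-ESE or truncated file is rejected before anything else is tried.
    """
    if len(data) < 240:
        raise ValueError("need at least 240 bytes of header, got %d" % len(data))
    signature, fmt_version, file_type = struct.unpack_from("<III", data, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("bad ESE signature 0x%08X" % signature)
    (state,) = struct.unpack_from("<I", data, 52)
    (page_size,) = struct.unpack_from("<I", data, 236)
    return {
        "format_version": fmt_version,
        "file_type": "database" if file_type == 0 else "streaming",
        "state": DB_STATES.get(state, "Unknown(%d)" % state),
        "page_size": page_size,
        # Only a clean shutdown opens without recovery or repair.
        "needs_repair": state != 3,
    }


def inspect_file(path: str) -> dict:
    """Read the first 4 KiB of a file on disk and parse it as an ESE header."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(4096))


def make_sample_header(state: int, page_size: int = 8192) -> bytes:
    """Build a constructed header (not from any real NoQuota.edb) so the
    parser can be exercised offline; 0x620 is just a plausible version."""
    buf = bytearray(4096)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python ese_header.py <path-to.edb>; with no argument, use the
    # constructed dirty-shutdown sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    info = inspect_file(target) if target else parse_ese_header(make_sample_header(2))
    for key, value in info.items():
        print("%-15s %s" % (key, value))
```

Two things worth noting about the esentutl run above. First, /r does not take a database path at all: its argument is the log file base name (the three-character prefix of the transaction logs, such as edb), with /l, /s and /d pointing at the log, system and database directories. The output line "Logfile base name: c:\users\efleisher\desktop\noquota.edb" shows esentutl treating the .edb path as that prefix, which is why it bails out with JET_errInvalidParameter before touching the file. Second, if the header reports DirtyShutdown and the matching transaction logs are not available, recovery cannot replay anything; the mode that puts the file into an openable state is repair, esentutl /p <file>, run on a working copy, with the understanding that repair discards whatever was not committed. esentutl /mh <file> prints the same header fields (state and page size among them) and is a useful cross-check against the script.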