Extracting Metadata from WebCacheImageInfo: A Step-by-Step Guide
What WebCacheImageInfo is
WebCacheImageInfo is a data structure file used by Windows (Internet Explorer/Edge legacy) to store metadata about cached thumbnail images. It contains records with timestamps, original URLs, file sizes, dimensions, and pointers to the cached image data—useful for forensic analysis, recovery, and cache auditing.
Tools you can use
- Windows File Explorer (for locating files)
- FTK Imager, Autopsy, or EnCase (for forensic imaging)
- HxD or any hex editor (raw inspection)
- Python with libraries: struct, datetime, binascii, Pillow (PIL) for image handling
- existing parsers/scripts (search for WebCacheImageInfo.py on GitHub)
Files and locations to check
- WebCacheV01.dat (common container for webcache data)
- WebCacheImageInfo files typically live inside the WebCacheV01.dat database or as separate records in Cache\folders for older IE versions
- User profile cache paths: %LocalAppData%\Microsoft\Windows\WebCache</li>
Step-by-step extraction (assumes a local copy of WebCacheV01.dat)
- Acquire file
- Make a working copy of WebCacheV01.dat (do not modify original). Use forensic imaging tools if working on evidence.
- Identify record structure
- WebCacheImageInfo entries often begin with recognizable headers and fixed-size fields. Common fields include:
- Record signature/ID
- Record size
- Timestamp (FILETIME)
- URL length and URL (UTF-16LE)
- Image data offset/length
- Image dimensions and size
- Parse headers and locate records
- Use a script to read sequential records. Example Python approach: open file in binary mode, read bytes, use struct.unpack to parse integers and FILETIME fields (little-endian).
- Convert timestamps
- FILETIME values are 64-bit little-endian counts of 100-nanosecond intervals since Jan 1, 1601 UTC. Convert to human-readable with:
- seconds = FILETIME / 10_000_000
- epoch offset = 11644473600
- datetime = datetime.utcfromtimestamp(seconds – epoch_offset)
- Extract URL and textual fields
- Read URL length, then read that many bytes and decode as UTF-16LE. Trim trailing nulls.
- Extract image blobs
- Use recorded offsets and lengths to slice image bytes. Save each blob with an appropriate extension (try PNG/JPEG headers detection: 0x89 0x50 0x4E 0x47 for PNG, 0xFF 0xD8 for JPEG).
- Validate and save images
- Use Pillow to open saved blobs; if opening fails, try different offsets or check for container compression. Save valid images and record associated metadata (timestamp, URL, size).
- Build a CSV/JSON report
- For each record, include: record ID, URL, timestamp (UTC/local), image filename, image dimensions, file size, byte offset, notes (errors).
Example Python snippets
- Use struct.unpack for integers and FILETIME, decode UTF-16LE for URLs, detect image type by header bytes, and save blobs. (Keep code focused, handle exceptions, and test on known samples.)
Common pitfalls
- Variable record layouts across Windows versions; fields may shift.
- Records sometimes reference external cache containers—offsets may be relative to another file.
- Corrupted or fragmented blobs; consider carving tools if offsets are unreliable.
- FILETIME vs Unix epoch conversions errors.
Quick validation checklist
- Do images open with an image viewer/Pillow?
- Do decoded URLs look plausible (http/https)?
- Are timestamps reasonable for the investigated timeframe?
- Are image dimensions and sizes consistent with header metadata?
Further resources
- Search GitHub and forensic forums for sample parsers and scripts (e.g., “WebCacheImageInfo parser”).
- Consult Windows forensics write-ups covering WebCacheV01.dat structure and Internet Explorer/Edge legacy cache formats.
If you want, I can provide a concise Python parser script that reads WebCacheV01.dat, extracts WebCacheImageInfo records, converts timestamps, and saves image files and a CSV report.
Leave a Reply