Internet Explorer INTERNET_CACHE_ENTRY_INFO Structure

Forensic Analysis

The Internet Explorer INTERNET_CACHE_ENTRY_INFO Structure (Figure 1) is used by the Microsoft Windows API and contains information about an entry in the Internet cache.

Figure 1: INTERNET_CACHE_ENTRY_INFO

Explanation of Members

The structure contains the following members:

dwStructSize

Size of this structure, in bytes. This value can be used to help determine the version of the cache system.

lpszSourceUrlName

Pointer to a null-terminated string that contains the URL name. The string occupies the memory area at the end of this structure.

lpszLocalFileName

Pointer to a null-terminated string that contains the local file name. The string occupies the memory area at the end of this structure.

CacheEntryType

A bitmask indicating the type of cache entry and its properties. The cache entry types include history entries (URLHISTORY_CACHE_ENTRY), cookie entries (COOKIE_CACHE_ENTRY), and normal cached content (NORMAL_CACHE_ENTRY). This member can be a combination of zero or more of the property flags and cache type flags listed below.

Internet Explorer Cache Property Flags

The following list contains the cache type flags.

Internet Explorer Cache Type Flags

dwUseCount

Current user count of the cache entry.

dwHitRate

Number of times the cache entry was retrieved.

dwSizeLow

Low-order portion of the file size.

dwSizeHigh

High-order portion of the file size.

LastModifiedTime

FILETIME structure that contains the last modified time of this URL, in Greenwich Mean Time format.

ExpireTime

FILETIME structure that contains the expiration time of this file, in Greenwich Mean Time format.

LastAccessTime

FILETIME structure that contains the last accessed time, in Greenwich Mean Time format.

LastSyncTime

FILETIME structure that contains the last time the cache was synchronized.

lpHeaderInfo

Pointer to a buffer that contains the header information. The buffer occupies the memory at the end of this structure.

dwHeaderInfoSize

Size of the lpHeaderInfo buffer.

lpszFileExtension

Pointer to a string that contains the file name extension used to retrieve the data as a file. The string occupies the memory area at the end of this structure.

dwReserved

Reserved. Must be zero.

dwExemptDelta

Exemption time from the last accessed time, in seconds.
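
The following Python sketch is an added example, not code from the original article or from Microsoft. It shows how an examiner might interpret three of the members above: the CacheEntryType bitmask, the dwSizeLow/dwSizeHigh pair, and the FILETIME values. The flag values are taken from the public wininet.h header rather than from this page, the function names are hypothetical, and the sample type values are the ones quoted in the reader comments below.

```python
from datetime import datetime, timedelta, timezone

# Values from the public wininet.h header (not listed on this page).
CACHE_ENTRY_FLAGS = {
    0x00000001: "NORMAL_CACHE_ENTRY",
    0x00000004: "STICKY_CACHE_ENTRY",
    0x00000008: "EDITED_CACHE_ENTRY",
    0x00000010: "TRACK_OFFLINE_CACHE_ENTRY",
    0x00000020: "TRACK_ONLINE_CACHE_ENTRY",
    0x00010000: "SPARSE_CACHE_ENTRY",
    0x00100000: "COOKIE_CACHE_ENTRY",
    0x00200000: "URLHISTORY_CACHE_ENTRY",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_cache_entry_type(value):
    """Return (names of known flags, single bits with no name above)."""
    named, undefined = [], []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            name = CACHE_ENTRY_FLAGS.get(mask)
            if name:
                named.append(name)
            else:
                undefined.append(mask)
    return named, undefined

def undefined_bits(values):
    """Union of unnamed bits seen across many entries, sorted ascending."""
    return sorted({b for v in values for b in decode_cache_entry_type(v)[1]})

def entry_size(dw_size_low, dw_size_high):
    """Combine dwSizeLow/dwSizeHigh into the 64-bit file size in bytes."""
    return (dw_size_high << 32) | (dw_size_low & 0xFFFFFFFF)

def filetime_to_utc(dw_low, dw_high):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; None if unset or out of range."""
    ticks = (dw_high << 32) | (dw_low & 0xFFFFFFFF)
    if ticks == 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:  # tick counts that map beyond year 9999
        return None

if __name__ == "__main__":
    # Type values quoted in the reader comments on this page.
    seen = [0x41, 0x45, 0x101, 0x1041, 0x1141, 0x2041, 0x3041, 0x8041]
    print([hex(b) for b in undefined_bits(seen)])
    print(entry_size(0x00000200, 0x1), filetime_to_utc(0xD53E8000, 0x019DB1DE))
```

Reporting unnamed bits separately, instead of discarding them, keeps unexplained flag values visible in an examination report.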

Published by Craig Wilson

Comments

  1. Posted by H. Carvey on February 27th, 2011, 14:09

    Interesting…where are these structures found?

  2. Posted by Craig Wilson on February 27th, 2011, 15:56

    Hi Harlan

    It is the structure returned from the Windows API GetUrlCacheEntryInfo Function (http://msdn.microsoft.com/en-us/library/aa384185(v=vs.85).aspx).

    The structure is very similar to the data stored in a cache record in a cache INDEX.DAT file.

  3. Posted by Mark McGinty on December 1st, 2013, 09:43

    In my cache right now (and likely in yours as well) there are entries with the following [undefined] type values: 0x41, 0x45, 0x101, 0x1041, 0x1141, 0x2041, 0x3041 and 0x8041. This means there are 5 single-bit values that are left undefined by wininet.h:

    0x00000040
    0x00000100
    0x00001000
    0x00002000
    0x00008000

    Ever seen any extended docs about it?

    -MM
