Sunday, December 15, 2013

Internet Explorer 11 artifacts on Win8.1- the recovery logs

This is the first of what may become a series of digital forensics posts written while I work on my MS at Champlain College. My hope is that someone else will find these topics useful!

Today's topic is the IE11 session recovery logs. These logs are saved as .dat files under %Root%\Users\%user%\AppData\Local\Microsoft\Internet Explorer\Recovery\Immersive\Active.

It appears that a new session log is created each time IE11 is opened. The session .dat's created and accessed timestamps are identical, and the modified time is approximately 30 seconds after that. The timestamps do not appear to capture the time that the session was closed.

Within the session .dat there are plain-text "TL" stores. It has been suggested that "TL" stands for "Travel Log". This could be an apt descriptor, as these stores capture the travels of the browser over the internet. If one opens a website such as a newspaper site, every item that "phones home" within that website is captured in the TL.

The oldest TL is TL0, with additional TLs created when a new website is accessed. TLs also appear to be created for other, seemingly random events, but the session's journey through websites is apparent.
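To make the two observations above concrete (one session .dat per IE11 launch with created/modified timestamps, and TL0, TL1, ... stores that record the visited site plus everything it loads), here is an added triage script. It is my own example, not code from the original post. The on-disk format of the .dat is not documented on the page, so the script treats it as opaque: it locates stores by the literal ASCII marker "TL" followed by digits, carves printable ASCII and UTF-16LE runs from each store, and pulls URLs out of those runs. The sample session bytes, the `ads.example.net` and `stats.example.org` hosts, and the function names are all constructed for illustration; only mcall.com and AAPilots.com come from the post.

```python
"""Triage helper for IE11 immersive session recovery (.dat) files.

Added example, not from the original post. Assumptions: the .dat layout is
treated as opaque; TL stores are found by the ASCII marker "TL<n>"; strings
are carved as runs of printable ASCII or UTF-16LE text. A real parser would
need the actual structure, and the marker heuristic can false-positive on
any "TL<digit>" byte sequence (for example inside a URL path).
"""
from __future__ import annotations

import os
import re
import sys
from datetime import datetime, timezone
from urllib.parse import urlparse

TL_MARKER = re.compile(rb"TL(\d+)")                 # assumed store marker, e.g. b"TL0"
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")         # printable ASCII, 6+ chars
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}") # printable UTF-16LE, 6+ chars
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def carve_strings(chunk: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings in chunk, in offset order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(chunk)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(chunk)]
    found.sort()
    return [s for _, s in found]


def carve_tl_stores(data: bytes) -> list[dict]:
    """Split a session image at each TL<n> marker and carve strings/URLs per store.

    Stores come back in file order; per the post, TL0 is the oldest."""
    markers = list(TL_MARKER.finditer(data))
    stores = []
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(data)
        strings = carve_strings(data[m.end():end])
        urls = [u for s in strings for u in URL_RE.findall(s)]
        stores.append({"name": m.group().decode(), "offset": m.start(),
                       "strings": strings, "urls": urls})
    return stores


def third_party_hosts(store: dict) -> list[str]:
    """Hosts in a store other than that of its first URL (the site the user visited).

    Heuristic based on the post: every resource the page loads lands in the TL,
    so the remaining hosts approximate the 'phoning home' set."""
    if not store["urls"]:
        return []
    primary = urlparse(store["urls"][0]).hostname
    seen: list[str] = []
    for url in store["urls"][1:]:
        host = urlparse(url).hostname
        if host and host != primary and host not in seen:
            seen.append(host)
    return seen


def list_sessions(directory: str) -> list[dict]:
    """Enumerate session .dat files with UTC timestamps, oldest first.

    On Windows st_ctime is the creation time, matching the post's comparison of
    created vs. modified; on other platforms it is the inode change time."""
    def to_dt(t: float) -> datetime:
        return datetime.fromtimestamp(t, tz=timezone.utc)
    rows = []
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".dat"):
            st = entry.stat()
            rows.append({"file": entry.name, "created": to_dt(st.st_ctime),
                         "modified": to_dt(st.st_mtime), "accessed": to_dt(st.st_atime),
                         "open_window_s": round(st.st_mtime - st.st_ctime)})
    return sorted(rows, key=lambda r: r["created"])


def build_sample_session() -> bytes:
    """Constructed stand-in for a session .dat (not real file content):
    TL0 = visit to mcall.com with two third-party loads, TL1 = aapilots.com
    followed by a return to mcall.com, mixing UTF-16LE and ASCII strings."""
    def u16(s: str) -> bytes:
        return s.encode("utf-16-le")
    tl0 = (b"TL0" + b"\x00" * 8
           + u16("http://www.mcall.com/") + b"\x00\x00"
           + u16("http://ads.example.net/pixel?id=1") + b"\x00\x00"
           + u16("http://stats.example.org/beacon.js") + b"\x00\x00")
    tl1 = (b"TL1" + b"\x00" * 8
           + b"http://www.aapilots.com/" + b"\x00" * 4
           + u16("http://www.mcall.com/") + b"\x00\x00")
    return b"\x01\x02\x03" + tl0 + b"\xff" * 4 + tl1


if __name__ == "__main__":
    # Optional: pass the Recovery\Immersive\Active directory to list real sessions.
    if len(sys.argv) > 1:
        for row in list_sessions(sys.argv[1]):
            print(row)
    data = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else build_sample_session()
    for store in carve_tl_stores(data):
        print(f"{store['name']} @ {store['offset']}: visited {store['urls'][:1]} "
              f"phones home to {third_party_hosts(store)}")
```

Run it with no arguments to see the constructed sample parsed, or with the Active directory as the first argument and a copied .dat as the second to triage a real session. The output per store is the first URL (the site visited) and the other hosts that page contacted, which is the "phoning home" pattern the screenshots below illustrate.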

My most surprising find was plain-text usernames and passwords stored in several places. This was quite surprising, as my employer's website sends a request to the browser not to retain any sign-in information; that policy has been in effect since at least 2008. Yes, I was quite shocked to see my password sitting there in plain sight! So, here's another place to check when one is attempting to figure out a password.

Here are some screenshots...

First up is a shot from the TL capturing a visit to the Morning Call newspaper website. The "phoning home" is quite apparent:

[screenshot: TL from the mcall.com visit]

The next shot is of the beginning of the TL of the AAPilots.com website. The highlighted area shows the return to the mcall.com website preserved:

[screenshot: start of the AAPilots.com TL, return to mcall.com highlighted]

Next, where I found my passwords just sitting there. Those are the large blanks within the data:

[screenshot: session data with credential fields redacted]
Max number of TLs in a session?  I haven't found a max number.  If I have some additional time to research these a bit more, I'll update this blog.

Thanks for reading!