When testing SQLiteHunter I uncovered a panic with the ESE parser when it tried to parse the WebCacheV01.dat file. Placing the issue here as it seems related more to the ESE library rather than SQLiteHunter itself.
Generic.Forensic.SQLiteHunter: Time 30: Generic.Forensic.SQLiteHunter/IE or Edge WebCacheV01_All Data: Waiting for rows.
PANIC: runtime error: slice bounds out of range [50:11]
goroutine 60697 [running]: www.velocidex.com/golang/velociraptor/utils.RecoverVQL({0x3e94db0, 0xc0024272c0}) /velociraptor-build/velociraptor/utils/panic.go:25 +0xc5 panic({0x36bdf40?, 0xc002456750?}) /tmp/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/src/runtime/panic.go:783 +0x132 www.velocidex.com/golang/go-ese/parser.ParseTwoValue(...) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/catalog.go:552 www.velocidex.com/golang/go-ese/parser.(*Table).ParseTaggedValueWithPrimitiveDecoder(0x33a7160?, 0xc0048454d0?, {0x5?, {0xc001217c69?, 0xc0034860b4?, 0x100c0018b4230?}}, 0xc0014bbb20) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/catalog.go:570 +0x2e6 www.velocidex.com/golang/go-ese/parser.(*Table).tagToRecord(0xc000ecbb80, 0xc003a26d00, 0x4?) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/catalog.go:336 +0x194a www.velocidex.com/golang/go-ese/parser.(*Catalog).DumpTable.func1(0xc004ece390?, 0xc00431fda0?, 0x38b3925?) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/catalog.go:681 +0x29 www.velocidex.com/golang/go-ese/parser._walkPages(0xc004ece390, 0x31, 0xc0014bbdd8, 0xc0014bbe08) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/pages.go:337 +0x35d www.velocidex.com/golang/go-ese/parser._walkPages(0xc004ece390, 0x2f, 0xc0014bbdd8, 0xc0014bbe08) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/pages.go:344 +0x333 www.velocidex.com/golang/go-ese/parser.WalkPages(...) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/pages.go:309 www.velocidex.com/golang/go-ese/parser.(*Catalog).DumpTable(0xc0050b5ed8, {0xc000a6f210?, 0x38b2859?}, 0xc0014bbfb0) /tmp/pkg/mod/www.velocidex.com/golang/go-ese@v0.2.1-0.20250215160921-5af66dc0f6ed/parser/catalog.go:677 +0x11e www.velocidex.com/golang/velociraptor/vql/parsers/ese._ESEPlugin.Call.func1() /velociraptor-build/velociraptor/vql/parsers/ese/ese.go:216 +0x4ad created by www.velocidex.com/golang/velociraptor/vql/parsers/ese._ESEPlugin.Call in goroutine 60696 /velociraptor-build/velociraptor/vql/parsers/ese/ese.go:179 +0xc5
Dumped the file so this can be investigated further. SQLiteHunter and the Windows version of 0.75.6 was used for testing. Windows 11 24H2 26100.7462 Windows Sandbox was used if this helps any.
When testing SQLiteHunter I uncovered a panic with the ESE parser when it tried to parse the WebCacheV01.dat file. Placing the issue here as it seems related more to the ESE library rather than SQLiteHunter itself.
Dumped the file so this can be investigated further. SQLiteHunter and the Windows version of 0.75.6 was used for testing. Windows 11 24H2 26100.7462 Windows Sandbox was used if this helps any.
WebCache.zip