I have always found the best way to understand something is to try to build it. With that in mind I discovered an IronPython library for working with ESENT Databases.
Turns out it's fairly simply to use. In this example I create an ESE database and add two Test values, one LargeText Value, and another text value.
Which looks like this in EseDatabaseView:
And here is what the esedb_data table looks like in a Hex Editor:
I have highlighted the section of the table associated with the LongText value. Just like in the last post, we don't see that LongText value but we do see a pointer to it. This can be a little hard to see in this format so if we display the hex of each record as a line in a text file it becomes more noticeable.
The 05 type code for LongValues is the same as the WebCacheV01.dat. The next four bytes are the LID.
Let's take a look at what the LongText value looks like in a Hex Editor:
The 4 bytes after the LID, as shown in purple, appear to involve sequencing. The header has 00 00 00 00 and the footer has 01 00 00 00.
I am not sure I am any closer to finding and parsing this value from a python script but this is interesting to look at if nothing else. I think the real nail in this project's coffin is that I discovered a tool that does this already. :( I don't know why I didn't see it earlier but, BrowsingHistoryView works like a champ from the command line. I will put it through some paces and put up a review.
I am still going to keep an eye on the python libraries longvalue support because I want a open-source tool that I can tweak if I need to.