browserforensics
Back to all articles

Browser cookies in forensics

2026-05-19 · 3 min

Cookies are an underrated timeline source. Every row carries three timestamps and a domain — that triplet alone reconstructs which sites the browser saw and when, even when history has been cleared. On a host where the user wiped History but forgot the Cookies database, the cookie table often saves a case.

Where they live

BrowserFileStore
Chrome / EdgeNetwork/CookiesSQLite cookies
Firefoxcookies.sqlitemoz_cookies
SafariCookies.binarycookiesApple binary format

Chromium moved Cookies into Network/ around M96. Older Chrome acquisitions will have it at the profile root.

What you get per row

  • Domain (and host_key in Chromium, with leading dot for wildcard).
  • Name, path.
  • is_secure, is_httponly, samesite, priority.
  • Creation time, last access time, expiry.

Three timestamps per cookie means timeline overlap with history, downloads and even SRUM network samples. A __Secure-3PSI cookie set at the same second as a download row pins the visit hard.

The encrypted-value problem

Chromium has encrypted cookie values at rest since v80. On Windows the key is DPAPI-wrapped under the user's master key; on macOS it lives in the Keychain; on Linux it is a fixed peanuts key or kwallet/gnome-keyring depending on distro. Without the live keys, the encrypted_value column is AES-256-GCM ciphertext.

For most investigations that does not matter — the metadata answers the question. The cases where it does matter (proving a specific session token, recovering an OAuth state) require the user's profile keys. Mimikatz, DonPAPI and dpapilab-ng cover the Windows extraction; on macOS, Keychain extraction with the user password works for an unlocked acquisition.

Firefox cookies remain in cleartext. Safari binarycookies are also plain.

Reading Cookies.binarycookies quickly

If you do not have a parser handy, the format is small enough to walk by hand. Magic cook, big-endian page count, big-endian per-page sizes, then page blocks. Each cookie record is 56 bytes of header plus four NUL-terminated strings (domain, name, path, value). Both timestamps are float64 Mac absolute time.

Pitfalls

  • Cookie deletion does not clear the row instantly in Chromium — there is a tombstone window before the row is reaped. Sometimes you can recover recently-deleted cookies from the WAL.
  • host_key in Chromium is not always the URL host. A cookie set by example.com for .example.com shows the leading dot; treat the trimmed host as the comparison key.
  • Safari expires_at of 0 means session cookie. Do not render that as 2001-01-01.

Further reading