Browser cookies in forensics
2026-05-19 · 3 min
Cookies are an underrated timeline source. Every row carries three
timestamps and a domain — that triplet alone reconstructs which sites
the browser saw and when, even when history has been cleared. On a host
where the user wiped History but forgot the Cookies database, the
cookie table often saves a case.
Where they live
| Browser | File | Store |
|---|---|---|
| Chrome / Edge | Network/Cookies | SQLite cookies |
| Firefox | cookies.sqlite | moz_cookies |
| Safari | Cookies.binarycookies | Apple binary format |
Chromium moved Cookies into Network/ around M96. Older Chrome
acquisitions will have it at the profile root.
What you get per row
- Domain (and host_key in Chromium, with leading dot for wildcard).
- Name, path.
is_secure,is_httponly,samesite,priority.- Creation time, last access time, expiry.
Three timestamps per cookie means timeline overlap with history, downloads
and even SRUM network samples. A
__Secure-3PSI cookie set at the same second as a download row pins the
visit hard.
The encrypted-value problem
Chromium has encrypted cookie values at rest since v80. On Windows the
key is DPAPI-wrapped under the user's master key; on macOS it lives in
the Keychain; on Linux it is a fixed peanuts key or kwallet/gnome-keyring
depending on distro. Without the live keys, the encrypted_value column
is AES-256-GCM ciphertext.
For most investigations that does not matter — the metadata answers the
question. The cases where it does matter (proving a specific session
token, recovering an OAuth state) require the user's profile keys.
Mimikatz, DonPAPI and dpapilab-ng cover the Windows extraction; on
macOS, Keychain extraction with the user password works for an unlocked
acquisition.
Firefox cookies remain in cleartext. Safari binarycookies are also plain.
Reading Cookies.binarycookies quickly
If you do not have a parser handy, the format is small enough to walk
by hand. Magic cook, big-endian page count, big-endian per-page sizes,
then page blocks. Each cookie record is 56 bytes of header plus four
NUL-terminated strings (domain, name, path, value). Both timestamps are
float64 Mac absolute time.
Pitfalls
- Cookie deletion does not clear the row instantly in Chromium — there is a tombstone window before the row is reaped. Sometimes you can recover recently-deleted cookies from the WAL.
host_keyin Chromium is not always the URL host. A cookie set byexample.comfor.example.comshows the leading dot; treat the trimmed host as the comparison key.- Safari
expires_atof0means session cookie. Do not render that as 2001-01-01.