Browser cookies in forensics
2026-05-19 · 1 min
Cookies are an underrated timeline source: each row carries creation, last access and expiry times plus the domain it belongs to.
Where they live
| Browser | File | Format / table |
|---|---|---|
| Chrome / Edge | Cookies (in Network/) | SQLite, table cookies |
| Firefox | cookies.sqlite | SQLite, table moz_cookies |
| Safari | Cookies.binarycookies | binary format |
What you get
- Domain / host and name — which site set it.
- Path, Secure and HttpOnly flags.
- Creation, last access and expiry times — three timeline points per cookie.
What you don't get
Modern Chromium encrypts cookie values at rest (OS keychain / DPAPI), so
without the live OS keys the value column is only ciphertext. That's fine
for most investigations: the metadata (which domains, when, how long-lived)
is usually what matters.
Try it
Drop a Cookies file, cookies.sqlite or Cookies.binarycookies on the
home page. All three are parsed client-side and their timestamps
normalised into the unified timeline.
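
The timestamp normalisation described above, sketched for the two SQLite stores as an added example (this is not the site's own parser, and Safari's binary format is not covered). The names `cookie_timeline` and `sample_db` are hypothetical; the column names and units are assumptions based on the long-standing Chromium and Firefox schemas and should be checked against the file in hand.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# table -> (host column, [(event, column, epoch, microseconds per stored unit)])
# Assumed layouts: Chromium stores microseconds since 1601-01-01; Firefox stores
# microseconds since 1970-01-01 for creation/access and seconds for expiry.
LAYOUTS = {
    "cookies": ("host_key", [("created", "creation_utc", WEBKIT_EPOCH, 1),
                             ("accessed", "last_access_utc", WEBKIT_EPOCH, 1),
                             ("expires", "expires_utc", WEBKIT_EPOCH, 1)]),
    "moz_cookies": ("host", [("created", "creationTime", UNIX_EPOCH, 1),
                             ("accessed", "lastAccessed", UNIX_EPOCH, 1),
                             ("expires", "expiry", UNIX_EPOCH, 10**6)]),
}

def cookie_timeline(conn):
    """Return sorted (utc_time, event, host, name) tuples; cookie values are never read."""
    present = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    events = []
    for table in LAYOUTS.keys() & present:
        host_col, fields = LAYOUTS[table]
        cols = ", ".join(f[1] for f in fields)
        for host, name, *stamps in conn.execute(f"SELECT {host_col}, name, {cols} FROM {table}"):
            for (event, _, epoch, unit_us), raw in zip(fields, stamps):
                if not raw:  # 0 or NULL: no time recorded (e.g. Chromium session cookie)
                    continue
                try:  # integer arithmetic keeps microsecond precision
                    events.append((epoch + timedelta(microseconds=raw * unit_us), event, host, name))
                except (OverflowError, TypeError):  # corrupt or out-of-range value
                    continue
    return sorted(events)

def sample_db():
    """Constructed sample rows; both tables share one in-memory database for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key, name, creation_utc, last_access_utc, expires_utc)")
    conn.execute("INSERT INTO cookies VALUES ('.example.com', 'sid',"
                 " 13350000000000000, 13350000060000000, 0)")
    conn.execute("CREATE TABLE moz_cookies (host, name, creationTime, lastAccessed, expiry)")
    conn.execute("INSERT INTO moz_cookies VALUES ('example.org', 'pref',"
                 " 1700000000000000, 1700000100000000, 1731536000)")
    return conn

if __name__ == "__main__":
    for when, event, host, name in cookie_timeline(sample_db()):
        print(when.isoformat(), event, host, name)
```

For real evidence, run it against a working copy opened read-only, for example `sqlite3.connect("file:Cookies?mode=ro", uri=True)`.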