browserforensics
Back to all articles

Extract browser cookies from an acquired profile

2026-06-21 · 3 min

You have an acquired profile and you need the cookies out of it — to prove a session existed, recover an auth token, or anchor a timeline. This is the end-to-end workflow across the three engines, all of it offline in the in-browser parser: load the file, deal with encryption if there is any, review, export.

Find the cookie store

Each engine keeps cookies in one file. Locate it in the acquired profile before anything else.

EngineFileAt rest
Chrome / EdgeNetwork/CookiesSQLite; values AES-GCM encrypted
Firefoxcookies.sqliteSQLite; cleartext
SafariCookies.binarycookiesApple binary; cleartext

Only Chromium values are encrypted — they need the os_crypt key. Firefox and Safari values come out in the clear, so for those two the workflow is just load, review, export.

Load the file

Drop the cookie file into the tool. For Chromium, also grab the Local State file from the profile root — it carries the wrapped os_crypt key the decryptor needs.

Capture the -wal sidecar next to the SQLite stores (Cookies-wal, cookies.sqlite-wal) and drop it too. Recently-set or recently-deleted cookies may live only in the write-ahead log (why). Safari's single binary file has no sidecar.

Decrypt the Chromium values

For Chrome/Edge you need the 32-byte AES key. There are two ways to provide it.

  • Paste it. If another tool already unwrapped the key, paste it (hex or base64) and decrypt.
  • Derive it here. The tool unwraps the key from Local State and the platform secret:
    • Windows — DPAPI: supply the masterkey, SID and NT hash or password.
    • Linux — the fixed peanuts keyring key, or the keyring secret.
    • macOS — the Safe Storage password from the Keychain.

A wrong secret fails the unwrap with an error rather than returning silent garbage. Full Windows walkthrough: decrypt Chrome & Edge cookies.

Review the rows

Once values are readable, work the table. Each row gives you host, name, the decrypted value, and the three timestamps (creation, last access, expiry). What to look for:

  • Prove a session existed. A __Secure-… or session cookie with a creation time pins the account to the host at a moment.
  • Recover a token. Auth, OAuth state and session tokens sit in the decrypted value column — filter by name or host to find them.
  • Map domains. Sort by host to see which sites the browser held cookies for, even if History was cleared.
  • Build a timeline. The three timestamps overlap with history, downloads and other artifacts.

Export

Export the table — or a filtered view — to CSV or JSON for the case file or to feed another tool. Pair this with the report export workflow to fold cookies into a full profile report.

Scope and limits

  • Everything runs client-side. The files are parsed in the tab; nothing is uploaded.
  • v20 app-bound Chromium cookies (Chrome 127+) are the experimental path — the app-bound key is only partially recoverable from files. v10 values decrypt cleanly.
  • Firefox and Safari values are cleartext, so no key is needed for those.

Further reading