Extract browser cookies from an acquired profile
2026-06-21 · 3 min
You have an acquired profile and you need the cookies out of it — to prove a session existed, recover an auth token, or anchor a timeline. This is the end-to-end workflow across the three engines, all of it offline in the in-browser parser: load the file, deal with encryption if there is any, review, export.
Find the cookie store
Each engine keeps cookies in one file. Locate it in the acquired profile before anything else.
| Engine | File | At rest |
|---|---|---|
| Chrome / Edge | Network/Cookies | SQLite; values AES-GCM encrypted |
| Firefox | cookies.sqlite | SQLite; cleartext |
| Safari | Cookies.binarycookies | Apple binary; cleartext |
Only Chromium values are encrypted — they need the os_crypt key. Firefox and
Safari values come out in the clear, so for those two the workflow is just load,
review, export.
Load the file
Drop the cookie file into the tool. For Chromium, also grab the Local State
file from the profile root — it carries the wrapped os_crypt key the decryptor
needs.
Capture the -wal sidecar next to the SQLite stores (Cookies-wal,
cookies.sqlite-wal) and drop it too. Recently-set or recently-deleted cookies
may live only in the write-ahead log
(why). Safari's single binary
file has no sidecar.
Decrypt the Chromium values
For Chrome/Edge you need the 32-byte AES key. There are two ways to provide it.
- Paste it. If another tool already unwrapped the key, paste it (hex or base64) and decrypt.
- Derive it here. The tool unwraps the key from
Local Stateand the platform secret:- Windows — DPAPI: supply the masterkey, SID and NT hash or password.
- Linux — the fixed
peanutskeyring key, or the keyring secret. - macOS — the Safe Storage password from the Keychain.
A wrong secret fails the unwrap with an error rather than returning silent garbage. Full Windows walkthrough: decrypt Chrome & Edge cookies.
Review the rows
Once values are readable, work the table. Each row gives you host, name, the decrypted value, and the three timestamps (creation, last access, expiry). What to look for:
- Prove a session existed. A
__Secure-…or session cookie with a creation time pins the account to the host at a moment. - Recover a token. Auth, OAuth state and session tokens sit in the decrypted value column — filter by name or host to find them.
- Map domains. Sort by host to see which sites the browser held cookies for,
even if
Historywas cleared. - Build a timeline. The three timestamps overlap with history, downloads and other artifacts.
Export
Export the table — or a filtered view — to CSV or JSON for the case file or to feed another tool. Pair this with the report export workflow to fold cookies into a full profile report.
Scope and limits
- Everything runs client-side. The files are parsed in the tab; nothing is uploaded.
- v20 app-bound Chromium cookies (Chrome 127+) are the experimental path — the app-bound key is only partially recoverable from files. v10 values decrypt cleanly.
- Firefox and Safari values are cleartext, so no key is needed for those.