Decoding Internet Explorer Cookies

Forensic Analysis

Viewing and decoding Internet Explorer Cookie data within NetAnalysis is a simple task.  First of all, make sure you have the cookie files and corresponding INDEX.DAT file extracted from your forensic image.

Import the INDEX.DAT file into NetAnalysis.  To activate the Cookie decoder by selecting Cookie Decoder from the View menu or by selecting the Cookie Decoder button on the main toolbar.

When you select a cookie entry from the index entries, if a corresponding cookie file is available in the cookie folder, NetAnalysis will open it and decode the cookie entries, as shown in Figure 1.


NetAnalysis Showing Cookie Decoder

Figure 1

Cookies hold data in Name/Value pairs.  In the example above, this Cookie contains two records.  Each record contains a Name/Value pair.

Column 1 has a blue tick next to it.  This is for indication only and shows whether the cookie is expired when compared to today’s date and time.  This is just an indicator and has no evidential meaning.  Column 1 also contains the Name or Key portion of the Name/Value pair.

Column 2 contains the value portion.  It is not unusual to see some web sites storing multiple Name/Value pairs in one value field.  This obviously cuts down on the number of cookies that need to be set and retrieved.

Column 3 shows the Host portion of the record.

Column 4 shows the security of the transportation method.  Even if the Cookie is secure, it is stored in plain text on the system.

Column 5 shows the Last Modified Date/Time in UTC.  Internet Explorer Cookie times are stored as a UTC 64 bit FILETIME structure within the text file.

Column 6 shows the Column 5 Date/Time converted to Local Time.  NetAnalysis converts the time stamp from UTC to Local time based on the Time Zone set by the Investigator prior to importing the INDEX.DAT data.

Column 7 shows the Expiration date of the Cookie in UTC.

Published by Robert Rutherford

Comments are closed.