eforkushe
asked on
Decoding cookies
To help in computer forensics, I've been decoding cookies placed on computers using the CookieView program. Is there an easy way to simply read the text file directly to determine the content without using any software?
Of course the content might not be that valuable, it depends on what the server does with the cookie (i.e. user/password hashed or encrypted, etc.). Firefox also has the cookies in the user profile in a simple cookies.txt (also viewable in Notepad) :)
ASKER
Sorry for the lack of clarity. I'm using IE 6 on XP. Here's the text of a sample cookie:
SaneID
CtRbCzHQv7kljtfTnghMQt2J12
hotwire.com/
1536
3009601408
30059002
2107388416
29696904
*
But when I load it into CookieView.exe, I get:
1) COOKIE FILE: owner@hotwire[1].txt
Cookie Record 0
Key: SaneID
Value: CtRbCzHQv7kljtfTnghMQt2J12
Host: hotwire.com/
Secure: True
Modified Date: Tue, 08 Mar 2005 02:42:37 GMT
Expiry Date: Wed, 10 Feb 2010 02:42:35 GMT
So for example, how did it determine the expiry date? Most values are very short strings like this one, and it would seem that applying the algorithm by hand wouldn't be that difficult.
SaneID
CtRbCzHQv7kljtfTnghMQt2J12
hotwire.com/
1536
3009601408
30059002
2107388416
29696904
*
But when I load it into CookieView.exe, I get:
1) COOKIE FILE: owner@hotwire[1].txt
Cookie Record 0
Key: SaneID
Value: CtRbCzHQv7kljtfTnghMQt2J12
Host: hotwire.com/
Secure: True
Modified Date: Tue, 08 Mar 2005 02:42:37 GMT
Expiry Date: Wed, 10 Feb 2010 02:42:35 GMT
So for example, how did it determine the expiry date? Most values are very short strings like this one, and it would seem that applying the algorithm by hand wouldn't be that difficult.
the dates are stored as seconds since 1.Jan.1970
just convert them
just convert them
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@ahoffmann - but the rfc just details "max-age" (in delta seconds); local storage doesn't seem to be covered (eg. the create/modify/expiration dates) ;)
>>Is there an easy way to simply read the text file directly to determine the content without using any software?
What bit do you want to know???
If for instance you want to know the hosts...
Merge all the textfiles (with textmerge.exe)
Import em in excel
Sort em.
Then create a formula that looks for anything with a "." in it.
What bit do you want to know???
If for instance you want to know the hosts...
Merge all the textfiles (with textmerge.exe)
Import em in excel
Sort em.
Then create a formula that looks for anything with a "." in it.
> .. easy way to simply read the text file directly to determine the content without using any software?
NO.
(even notepad.exe is a software)
NO.
(even notepad.exe is a software)
:)
LOL...
Well I was referring to a DOScommand.
You could go through the list and get lines that match a certain criteria.
Well I was referring to a DOScommand.
You could go through the list and get lines that match a certain criteria.
* Flag = 1088 (I'm not sure what this is all about; I've also observed 1024 as a value here; I think it's a
True/False flag to indicate whether or not the cookie is secure)
If I am correct, and I could be wrong, but I believe that this is the encryption length in bits. Such as 128 bit encryption and so forth. 1024 is one of the most commonly found.
True/False flag to indicate whether or not the cookie is secure)
If I am correct, and I could be wrong, but I believe that this is the encryption length in bits. Such as 128 bit encryption and so forth. 1024 is one of the most commonly found.
These files can be viewed with any program, even simple ext editors ;-)