Decoding cookies

Posted on 2005-05-11
Last Modified: 2008-01-09
To help in computer forensics, I've been decoding cookies placed on computers using the CookieView program.  Is there an easy way to simply read the text file directly to determine the content without using any software?
Question by:eforkushe
12 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13975580
what are you talking about: cookie files from IE on M$ Windows?
These files can be viewed with any program, even simple text editors ;-)
0
 
LVL 13

Expert Comment

by:softplus
ID: 13975890
Of course the content might not be that valuable, it depends on what the server does with the cookie (i.e. user/password hashed or encrypted, etc.). Firefox also has the cookies in the user profile in a simple cookies.txt (also viewable in Notepad) :)
0
 

Author Comment

by:eforkushe
ID: 13976242
Sorry for the lack of clarity.  I'm using IE 6 on XP.  Here's the text of a sample cookie:
SaneID
CtRbCzHQv7kljtfTnghMQt2J125Z8hST1hGPQps3sxVKN62R44Tv
hotwire.com/
1536
3009601408
30059002
2107388416
29696904
*
But when I load it into CookieView.exe, I get:
1) COOKIE FILE: owner@hotwire[1].txt

Cookie Record   0
Key:            SaneID
Value:          CtRbCzHQv7kljtfTnghMQt2J125Z8hST1hGPQps3sxVKN62R44Tv
Host:           hotwire.com/
Secure:         True
Modified Date:  Tue, 08 Mar 2005 02:42:37 GMT
Expiry Date:    Wed, 10 Feb 2010 02:42:35 GMT

So for example, how did it determine the expiry date?  Most values are very short strings like this one, and it would seem that applying the algorithm by hand wouldn't be that difficult.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13976302
the dates are stored as seconds since 1.Jan.1970
just convert them
0
 
LVL 13

Accepted Solution

by:
softplus earned 700 total points
ID: 13976326
You might look here: (sorry, original site is 404, this is the google cache)
http://216.239.59.104/search?q=cache:zOP-kzUI1e8J:www.littlepiggy.net/cookies/ie6.php

or quoting parts of it (in case the site disappears from the cache :)):

At any rate, when you open one of the text files with Wordpad you get something that looks like this:

myCookieA
popup_ad
www.theonion.com/onion3806/
1088
3596769152
29473513
2888195648
29473312
*
myCookieB
popup_ad_under
www.theonion.com/onion3806/
1088
2286834560
29473515
1584661056
29473314
*

I got these particular cookies from The Onion (www.theonion.com), a rather humorous satirical newspaper that appears on the Web once a week.

Recall that all cookies have a variable name, a variable value, a host and path, a creation time and date, an expiration time and date, and a flag to indicate whether or not the cookie is secure.  In this case, there are two cookies that I have received from www.theonion.com.  The first one has the following properties,

    * Variable name = myCookieA
    * Variable value = popup_ad
    * Host name = www.theonion.com
    * Path = /onion3806 (note that in this format, the host name and the path are concatenated together)
    * Flag = 1088 (I'm not sure what this is all about; I've also observed 1024 as a value here; I think it's a True/False flag to indicate whether or not the cookie is secure)
    * Date and Time of Cookie Expiration = 3596769152, 29473513
    * Date and Time of Cookie Creation = 2888195648, 29473312

This is followed by an asterisk (*) and then the second cookie (with Variable name = myCookieB, Variable value = popup_ad_under, etc.).

The format used for expressing the date and time of cookie expiration is the same as that used for expressing the date and time of cookie creation and is truly bizarre.  Essentially, the second number is the most significant number and measures time in units that, for lack of a better term, I will call "Bills."  One Bill is 429.4967296 seconds and there are approximately 73426 Bills in a year.  The first number measures time in increments of 10 raised to -7 seconds.  Just place the decimal point seven places from the far right of the number and you'll be able to read it in seconds - so 3596769152 should actually be interpreted as 359.6769152 seconds.  Every 429.4967296 seconds, this first number rolls over to zero again and one is added to the number of Bills in the second number.  

Time 0 Bills appears to have been sometime around 1600 AD.  Perhaps more useful to those of us living in the modern era is the fact that the time 498819072, 29474493 corresponds to Tue, 26 Feb 2002 12:00:00 (noon).

Working from the details above, we can see that the date and time of cookie expiration for myCookieA (2888195648, 29473312) is actually February 21st, 2002 at around 9PM.  Figuring out the time to the exact millisecond is left as an exercise for the reader (and if the reader has any sense at all, this is an exercise that s/he will decline to solve).

All of this, of course, begs the question of why on earth Bill Gates and Co. would want to express time in such a bizarre manner.  The best guess that I can offer is based on the fact that 2 raised to the 32nd power is 4,294,967,296.  This means that the first number can be represented by 32 bits (4 bytes) in the inner workings of the program and probably somewhere in Microsoft, the decision was made that time needed to be expressed in increments as small as 10 to the minus 7 seconds (100 ns) - resulting in the first number incrementing after 429.4967296 seconds.  When the programmers wrote the code for Internet Explorer to output time into the cookie file, they probably didn't bother translating it into units that the rest of us are familiar with since they didn't figure that we'd go poking around into cookie files to figure out what's in them.

From this, it would be logical to assume that time is stored within Internet Explorer as two 32 bit numbers making up a single 64 bit number.  I haven't figured out a way to test this assumption, however.
0
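An added example, not part of the original thread or of the article quoted in the answer above: a small Python parser for the IE 6 cookie text format that decodes both timestamps. The two numbers in each pair are the low and high 32-bit halves of a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), which is the 64-bit value the quoted article guesses at; the function names and the malformed-record handling are this example's own choices.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS_PER_RECORD = 8  # name, value, host/path, flags, then two (low, high) pairs

# Record quoted from the question above (owner@hotwire[1].txt).
SAMPLE = "\n".join([
    "SaneID",
    "CtRbCzHQv7kljtfTnghMQt2J125Z8hST1hGPQps3sxVKN62R44Tv",
    "hotwire.com/", "1536",
    "3009601408", "30059002",   # expiry: low, high
    "2107388416", "29696904",   # creation: low, high
    "*",
])

def filetime_to_datetime(low, high):
    """Join the two 32-bit halves and convert to an aware UTC datetime."""
    if not (0 <= low < 2**32 and 0 <= high < 2**32):
        raise ValueError("each half must fit in 32 bits")
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ie_cookie_text(text):
    """Return (records, malformed) for the '*'-delimited IE cookie text format."""
    records, malformed, fields = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if line != "*":
            fields.append(line)
            continue
        try:
            if len(fields) != FIELDS_PER_RECORD:
                raise ValueError("unexpected field count")
            name, value, host_path, flags, e_lo, e_hi, c_lo, c_hi = fields
            records.append({
                "name": name, "value": value, "host_path": host_path,
                "flags": int(flags),  # kept raw; the thread does not settle its meaning
                "expires": filetime_to_datetime(int(e_lo), int(e_hi)),
                "created": filetime_to_datetime(int(c_lo), int(c_hi)),
            })
        except (ValueError, OverflowError):
            malformed.append(fields)  # keep truncated or edited records for review
        fields = []
    if any(fields):
        malformed.append(fields)  # trailing data with no closing '*'
    return records, malformed

if __name__ == "__main__":
    for rec in parse_ie_cookie_text(SAMPLE)[0]:
        print(rec["name"], rec["host_path"], rec["created"], rec["expires"])
```

For the SaneID record this yields the same modified and expiry times that CookieView reports in the question, and all times are UTC.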
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13976484
0
 
LVL 13

Expert Comment

by:softplus
ID: 13976548
@ahoffmann - but the rfc just details "max-age" (in delta seconds); local storage doesn't seem to be covered (eg. the create/modify/expiration dates) ;)
0
 
LVL 12

Expert Comment

by:kneH
ID: 13984278
>>Is there an easy way to simply read the text file directly to determine the content without using any software?

What bit do you want to know???
If for instance you want to know the hosts...
Merge all the textfiles (with textmerge.exe)
Import em in excel
Sort em.
Then create a formula that looks for anything with a "." in it.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13986297
> .. easy way to simply read the text file directly to determine the content without using any software?
NO.
(even notepad.exe is a software)
0
 
LVL 13

Expert Comment

by:softplus
ID: 13986400
:)
0
 
LVL 12

Expert Comment

by:kneH
ID: 13986681
LOL...

Well I was referring to a DOS command.
You could go through the list and get lines that match certain criteria.
0
 

Expert Comment

by:schealth
ID: 20280306
* Flag = 1088 (I'm not sure what this is all about; I've also observed 1024 as a value here; I think it's a
True/False flag to indicate whether or not the cookie is secure)

If I am correct, and I could be wrong, but I believe that this is the encryption length in bits.  Such as 128 bit encryption and so forth.  1024 is one of the most commonly found.
0
