
Galleta

Galleta is a forensic analysis tool for parsing Internet Explorer cookie files. It reads and displays the contents of IE cookie databases, converting timestamps and presenting the data in a human-readable format. Galleta is essential for browser forensics, helping investigators recover evidence of web browsing activity.

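# Installation: the commands below are ALTERNATIVES ("Or ..."); run the one
# that fits your system, not the whole list as a script.

# Clone Galleta repository
git clone https://github.com/corkami/galleta.git
cd galleta || exit 1
# Record the exact revision of the tool; a forensic report should name the
# tool version that produced its findings.
git rev-parse HEAD

# Or download directly from Sourceforge/GitHub
# NOTE(review): an unversioned master.zip changes over time and carries no
# signature; prefer a tagged release (or the git commit above) and keep a
# checksum of what was downloaded with the case notes.
wget https://github.com/corkami/galleta/archive/master.zip
sha256sum master.zip
unzip master.zip
cd galleta-master || exit 1

# Verify Python is installed
python3 --version
# Some distributions may have it packaged
# Ubuntu/Debian (if available)
sudo apt-get install galleta

# Or install via pip (if packaged)
pip3 install galleta

# Verify installation
galleta.py --help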
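# Create directory for forensic tools
mkdir -p ~/forensics/tools
cd ~/forensics/tools || exit 1

# Download Galleta
git clone https://github.com/corkami/galleta.git

# Make executable
chmod +x galleta/*.py

# Add to PATH
# Quoted, and $HOME instead of ~ (tilde does not expand inside quotes).
# export only affects the current shell; add the line to your shell profile
# to make it persistent.
export PATH="$PATH:$HOME/forensics/tools/galleta"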
# Basic usage. The file to analyse is kept in one variable so the commands
# below can be re-pointed at another cookie file in one place.
cookie_file=cookies.dat

# Parse single IE cookie file
python3 galleta.py "$cookie_file"

# Parse with output to file
python3 galleta.py "$cookie_file" > cookies_analysis.txt

# Parse and save as CSV
python3 galleta.py "$cookie_file" -c > cookies.csv

# Parse specific user cookie file
python3 galleta.py /home/user/.wine/drive_c/Users/Username/Cookies

# Verbose output
python3 galleta.py -v "$cookie_file"
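# Standard IE cookie locations
# (Reference paths, kept as comments: as bare commands they would fail or,
# worse, be treated as executables. [Username] is a placeholder.)
# /root/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies/
# /root/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies/Low/

# Windows systems (if analyzing Windows filesystem)
# C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Cookies\
# C:\Users\[Username]\AppData\Local\Microsoft\Windows\INetCookies\

# Linux with WINE
# ~/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies/

# Find all cookie files
# The -o alternatives are grouped so -type f applies to both names
# (index.dat already matches *.dat; both are kept for clarity).
find "$HOME" \( -name "*.dat" -o -name "index.dat" \) -type f 2>/dev/null

# Search on mounted Windows partition
find /mnt/windows_drive -name "Cookies" -type d 2>/dev/null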
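# Extract from forensic image
7z x forensic_image.img

# Extract from Windows file system backup
tar -xzf windows_backup.tar.gz

# Navigate to cookie directory
# [Username] is a placeholder: replace it with the real account name
# (in bash, [Username] is otherwise a one-character glob pattern).
cd Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies || exit 1

# Parse extracted cookies
# NOTE(review): whether galleta accepts several files in one call is not
# shown here; if it takes only one, loop: for f in *.dat; do ...; done
python3 /path/to/galleta.py *.dat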
# Parse and examine output
cookie_file=cookies.dat
python3 galleta.py "$cookie_file"

# Example output structure (one record per line, fields separated by '|';
# the cut/awk field numbers used elsewhere on this page assume this order —
# confirm it against your galleta version):
# [Cookie Name] | [Domain] | [Path] | [Creation Time] | [Expiration Time] | [Access Time] | [Value]
| Field | Description | Example |
|---|---|---|
| Cookie Name | Name of the cookie variable | sessionid, userid, tracking_id |
| Domain | Website domain associated | example.com, www.google.com |
| Path | URL path where cookie applies | /, /admin, /api/v1 |
| Creation Time | When cookie was created | 2024-01-15 14:23:45 UTC |
| Expiration Time | When cookie expires | 2024-12-31 23:59:59 UTC |
| Access Time | Last time cookie was accessed | 2024-05-01 10:15:30 UTC |
| Cookie Value | Data stored in cookie | Base64 encoded, session token, etc |
| Flags | Security attributes | Secure, HttpOnly, Domain, Path |
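# Display specific columns (name, domain, creation time)
python3 galleta.py cookies.dat | cut -d'|' -f1,2,4

# Filter by domain
# -F matches the literal string; in a bare pattern '.' matches any character.
python3 galleta.py cookies.dat | grep -F "facebook.com"

# Filter by date range (matches the string in any column, not just one)
python3 galleta.py cookies.dat | grep -F "2024-05"

# Filter cookies with session in name
python3 galleta.py cookies.dat | grep -i "session"

# Find tracking cookies
# ERE with -E instead of the GNU-only "\|" alternation. "ad" is a loose
# substring (it also hits words like "load"); narrow it to the ad domains
# you expect in the case.
python3 galleta.py cookies.dat | grep -iE 'track|analytics|ad'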
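# Step 1: Locate cookie files
find /mnt/evidence -name "*.dat" -type f > cookie_files.txt

# Step 2: Parse all cookies, printing each file name as a section header.
# IFS= read -r keeps leading/trailing blanks and backslashes in paths intact.
while IFS= read -r file; do
  printf '=== Processing: %s ===\n' "$file"
  python3 galleta.py "$file"
done < cookie_files.txt

# Step 3: Create master cookie database
# Start from an empty file so a re-run does not append to stale results.
: > all_cookies.txt
while IFS= read -r file; do
  python3 galleta.py "$file" >> all_cookies.txt
done < cookie_files.txt

# Step 4: Analyze and report
# NOTE(review): cookies rarely contain these literal words; treat the
# pattern as a placeholder for the indicators (domains, names) of the case.
grep -iE 'malicious|suspicious' all_cookies.txt > suspicious_cookies.txt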
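# Parse cookies and create timeline (creation time, name, domain)
python3 galleta.py cookies.dat | awk -F'|' '{print $4, $1, $2}' > timeline.txt

# Sort by creation time (column 4)
# sort splits on whitespace by default; -t'|' makes -k4 select the
# pipe-delimited column.
python3 galleta.py cookies.dat | sort -t'|' -k4 > sorted_cookies.txt

# Create CSV for timeline analysis
python3 galleta.py cookies.dat -c > cookies_timeline.csv

# View timeline (CSV: split on commas, sort on the 2nd column)
# NOTE(review): which CSV column holds the timestamp is not shown here;
# confirm against the CSV header.
sort -t, -k2 cookies_timeline.csv | tail -20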
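# Parse IE cookies
python3 galleta.py cookies.dat > ie_cookies.txt

# Extract domains from cookies
# NOTE(review): if galleta pads fields with spaces around '|', strip them
# (e.g. with sed 's/^ *//;s/ *$//') or the comm/grep matches below fail.
cut -d'|' -f2 ie_cookies.txt | sort | uniq > cookie_domains.txt

# Compare with browser history
# -F: domains are literal strings, not regexes ('.' would match anything).
grep -F -f cookie_domains.txt browser_history.txt

# Find matching entries
# history_domains.txt is not produced on this page; build it from the
# history export the same way cookie_domains.txt is built above.
comm -12 <(sort cookie_domains.txt) <(sort history_domains.txt)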
# Cookie classification by simple text filters over galleta's output.
cookie_file=cookies.dat

# Session cookies (no expiration time)
# NOTE(review): relies on galleta printing the literal word "Session" for
# cookies without an expiration — confirm against your version's output.
python3 galleta.py "$cookie_file" | grep "Session"

# Persistent cookies (with expiration)
python3 galleta.py "$cookie_file" | grep -v "Session"

# Cookies from specific domain
python3 galleta.py "$cookie_file" | grep "github.com"

# Third-party tracking cookies
python3 galleta.py "$cookie_file" | grep -E "doubleclick|facebook|analytics"
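# Parse cookies and examine values (name and value columns)
python3 galleta.py cookies.dat | cut -d'|' -f1,7

# Decode base64 cookie values
# IFS= read -r keeps backslashes; printf avoids echo mangling values that
# start with '-' or contain escapes. Values that are not base64 make
# base64 -d fail (stderr silenced) — a failed decode can still print
# partial garbage, so judge decoded output with care. If galleta pads
# fields with spaces, trim them first or add -i (ignore non-alphabet).
python3 galleta.py cookies.dat | while IFS= read -r line; do
  value=$(printf '%s\n' "$line" | cut -d'|' -f7)
  printf '%s' "$value" | base64 -d 2>/dev/null
done

# Search for sensitive data in cookies
python3 galleta.py cookies.dat | grep -iE 'token|session|auth|password'

# Identify potential PII (SSN-shaped numbers, e-mail addresses)
# -i added: e-mail addresses in cookies are usually lower-case, which the
# upper-case-only class would miss. Both patterns are heuristics.
python3 galleta.py cookies.dat | grep -iE '[0-9]{3}-[0-9]{2}-[0-9]{4}|[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}'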
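# Calculate hashes before analysis
# MD5 is kept for compatibility with existing notes, but it is no longer
# collision-resistant; record SHA-256 alongside it.
md5sum cookies.dat > cookies.dat.md5
sha256sum cookies.dat > cookies.dat.sha256

# Create forensic copy
cp cookies.dat cookies.dat.evidence
chmod 444 cookies.dat.evidence

# Document collection
{
  printf 'Collected: %s\n' "$(date)"
  printf 'Location: %s\n' "$(pwd)"
  printf 'Hash (MD5): %s\n' "$(md5sum cookies.dat)"
  printf 'Hash (SHA256): %s\n' "$(sha256sum cookies.dat)"
} >> evidence.log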
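# Create evidence report
# Unquoted EOF: $(...) inside the heredoc is expanded; [Name] and [Case ID]
# are placeholders to fill in.
cat > EVIDENCE_REPORT.txt << EOF
Evidence Item: Internet Explorer Cookies
Source: /home/user/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies
Collection Date: $(date)
Collection Method: Forensic tool (galleta)
Hash (MD5): $(md5sum cookies.dat | cut -d' ' -f1)
Hash (SHA256): $(sha256sum cookies.dat | cut -d' ' -f1)
Analyst: [Name]
Case Number: [Case ID]
EOF

# Create forensic archive
# The name is kept in a variable so the verification step below checks the
# archive just written, not every cookies_evidence_*.tar.gz in the directory
# (extra glob matches would be passed to tar as member names).
archive="cookies_evidence_$(date +%Y%m%d_%H%M%S).tar.gz"
tar -czf "$archive" cookies.dat EVIDENCE_REPORT.txt

# Verify integrity: list the contents and record the archive's own hash
tar -tzf "$archive"
sha256sum "$archive"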
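# Export as structured text
python3 galleta.py cookies.dat > investigation_cookies.txt

# Create detailed CSV report
python3 galleta.py cookies.dat -c > cookies_detailed.csv

# Add metadata
# SOURCE_PATH must be set by the analyst; without this guard an unset
# variable silently writes an empty "Evidence Source:" line into the report.
: "${SOURCE_PATH:?set SOURCE_PATH to the evidence location}"
{
  printf 'Analysis Date: %s\n' "$(date)"
  printf 'Analyst: Forensic Team\n'
  printf 'Evidence Source: %s\n' "$SOURCE_PATH"
  printf '===== COOKIES ANALYSIS =====\n'
  python3 galleta.py cookies.dat
} > final_report.txt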
# Keyword filters over galleta's output; case-insensitive ERE throughout.
# These are substring heuristics — review the hits, don't count them blindly.
cookie_file=cookies.dat

# Find authentication cookies
python3 galleta.py "$cookie_file" | grep -iE "auth|session|token|jwt"

# Identify advertising/tracking
python3 galleta.py "$cookie_file" | grep -iE "doubleclick|facebook|google.*analytics|twitter|linkedin"

# Find shopping/ecommerce cookies
python3 galleta.py "$cookie_file" | grep -iE "amazon|ebay|shop|cart|product"

# Detect social media activity
python3 galleta.py "$cookie_file" | grep -iE "facebook|twitter|instagram|linkedin|reddit|tiktok"
# Activity timeline from column 4 (creation time). Lexical sort gives
# chronological order only if timestamps are in a fixed-width, year-first
# format such as the "2024-01-15 14:23:45 UTC" example above.
cookie_file=cookies.dat

# Get date range of cookie activity (distinct dates)
python3 galleta.py "$cookie_file" | cut -d'|' -f4 | cut -d' ' -f1 | sort | uniq

# Find first and last activity
printf 'First activity:\n'
python3 galleta.py "$cookie_file" | cut -d'|' -f4 | sort | head -1

printf 'Last activity:\n'
python3 galleta.py "$cookie_file" | cut -d'|' -f4 | sort | tail -1

# Activity by date, busiest first
python3 galleta.py "$cookie_file" | cut -d'|' -f4 | cut -d' ' -f1 | sort | uniq -c | sort -rn
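# Count cookies by domain
python3 galleta.py cookies.dat | cut -d'|' -f2 | sort | uniq -c | sort -rn

# Most recently created cookies (domain, creation time)
# cut always emits fields in file order (2 then 4) whatever order is
# requested, so the time is the 2nd output field; -t'|' makes sort key on
# that pipe-delimited field instead of a whitespace-split one. This lists
# the latest entries, not the most frequently accessed domains.
python3 galleta.py cookies.dat | cut -d'|' -f2,4 | sort -t'|' -k2 | tail -10

# Cookies created per day
python3 galleta.py cookies.dat | cut -d'|' -f4 | cut -d' ' -f1 | sort | uniq -c

# Domains with most cookies
python3 galleta.py cookies.dat | cut -d'|' -f2 | sort | uniq -c | sort -rn | head -20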
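# Permission denied reading cookie files
# NOTE(review): this runs the parser as root against evidence. Prefer
# fixing read permissions on a working copy (the .evidence copy made
# earlier) and keep the original untouched.
sudo python3 galleta.py cookies.dat

# File not found
find "$HOME" -name "*.dat" -type f 2>/dev/null

# Check file format
file cookies.dat

# Verify file integrity
# ls only shows size and mtime; the hash comparison against the value
# recorded at collection time is what proves the file is unchanged.
ls -la cookies.dat
md5sum -c cookies.dat.md5
file -b cookies.dat

# Test with sample file
python3 galleta.py --help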
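# Check if file is valid IE cookie file
file cookies.dat

# Try different tool versions
python3 galleta.py --version

# Manually inspect file
xxd cookies.dat | head

# Check file encoding
# The command-line entry point of the chardet package is chardetect
# (there is no "chardet" executable).
chardetect cookies.dat

# Try with different Python version
# Only relevant if your copy of galleta targets Python 2.
python2 galleta.py cookies.dat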
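# Process in chunks
# NOTE(review): split -l cuts on line boundaries; if a cookie record spans
# several lines (confirm against the file format), a chunk boundary can fall
# inside a record and the pieces will not parse the way the whole file does.
split -l 1000 cookies.dat cookies_part_

# Process each part, starting from an empty results file so a re-run does
# not append to stale output
: > full_results.txt
for part in cookies_part_*; do
  python3 galleta.py "$part" >> full_results.txt
done

# Reassemble the parts and confirm they still equal the original input;
# the parsed results are already in full_results.txt
cat cookies_part_* > combined_cookies.txt
cmp -- combined_cookies.txt cookies.dat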
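# Create master timeline
# Every artifact contributes lines of the shape "time|source|...": awk puts
# the timestamp first (cut would keep the file's column order, defeating
# the sort), and tagging each line with its source replaces the section
# headers, which a trailing sort would otherwise scatter through the stream.
{
  python3 galleta.py cookies.dat | awk -F'|' -v OFS='|' '{print $4, "COOKIE", $1, $2}'
  # Add other timeline data here in the same "time|source|..." shape
} | sort > master_timeline.txt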
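# Load cookies into a database
# Hand-built INSERT strings break on quotes in cookie values and turn
# hostile evidence into a SQL-injection surface (SQLite also treats
# double-quoted text as an identifier first). Let the sqlite3 shell's CSV
# importer quote fields instead.
python3 galleta.py cookies.dat -c > cookies_export.csv

# Import to database
# NOTE(review): if galleta emits a header row and the table already exists,
# that row is imported as data; newer sqlite3 shells accept
# ".import --skip 1 ..." to drop it.
sqlite3 evidence.db <<'EOF'
.mode csv
.import cookies_export.csv cookies
EOF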
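# Generate statistics for report
# Parse once into a temp file instead of re-running galleta for every
# statistic; the trap removes the file on any exit.
parsed=$(mktemp) || exit 1
trap 'rm -f -- "$parsed"' EXIT
python3 galleta.py cookies.dat > "$parsed"
{
  echo "=== COOKIE FORENSICS REPORT ==="
  # NOTE(review): wc -l also counts any header or blank lines galleta prints
  echo "Total Cookies: $(wc -l < "$parsed")"
  # uniq only collapses ADJACENT duplicates, so the input must be sorted
  # first or the "unique" count is inflated
  echo "Unique Domains: $(cut -d'|' -f2 "$parsed" | sort | uniq | wc -l)"
  echo ""
  echo "Top 10 Domains:"
  cut -d'|' -f2 "$parsed" | sort | uniq -c | sort -rn | head -10
  echo ""
  echo "Date Range:"
  echo "First: $(cut -d'|' -f4 "$parsed" | sort | head -1)"
  echo "Last: $(cut -d'|' -f4 "$parsed" | sort | tail -1)"
} > forensic_report.txt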
| Practice | Description |
|---|---|
| Hash Evidence | Calculate MD5/SHA256 before analysis |
| Document Findings | Keep detailed notes of all analysis steps |
| Verify Timestamps | Confirm system timezone for accurate dates |
| Preserve Original | Make copies, never modify original evidence |
| Cross-Reference | Correlate with browser history and other artifacts |
| Report Thoroughly | Document all findings with evidence |
| Use Tools Correctly | Understand tool limitations and output format |
| Validate Results | Double-check suspicious findings |
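# Galleta help
python3 galleta.py --help

# GitHub repository
# https://github.com/corkami/galleta

# DFIR resources
# https://www.dfir.training

# IE History analysis
# (foremost is a file carver: it recovers files from the raw image, it does
# not parse history itself)
foremost -i evidence.img -o output_dir

# Browser forensics
# Chromedumper, hindsight, browsing history view

# Timeline tools
# (tool names only, kept as a comment: as a command line this would fail
# with "mactime,: command not found")
# mactime, log2timeline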