Galleta is a forensic analysis tool for parsing Internet Explorer cookie files. It reads the legacy per-site IE cookie files, converts their timestamps and prints each record in a human-readable form. Investigators use it in browser forensics to recover evidence of web-browsing activity. Because the input format and output layout differ between the original C tool and later ports, confirm the delimiter and field order of the build you installed before scripting against its output.
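# Clone the Galleta repository. Confirm the URL against the project's own
# published link before running it: an unverified clone URL is a supply-chain
# risk, and the tool is about to run as you against evidence data.
git clone https://github.com/corkami/galleta.git
# Record the exact commit in the case notes so the parse is reproducible
cd galleta && git rev-parse HEAD
# Or download an archive of the default branch. No signature or published
# checksum exists for these zips, so record the archive hash yourself and
# prefer a tagged release or a pinned commit over a moving 'master'.
wget https://github.com/corkami/galleta/archive/master.zip
sha256sum master.zip
unzip master.zip
cd galleta-master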
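# The cloned tool is a Python script; confirm the interpreter is present
python3 --version
# Debian/Ubuntu/Kali ship a 'galleta' package. That build is the original
# Foundstone C tool and is invoked as `galleta <cookie_file>`, not as
# galleta.py -- do not mix the two invocations in one workflow.
sudo apt-get install galleta
# A PyPI distribution called 'galleta' is not necessarily this project.
# Check the index page, maintainer and linked source before installing
# (name-squatting on package indexes is a real attack), and never
# pip-install as root.
pip3 install --user galleta
# Show which build is on PATH and that it runs
command -v galleta galleta.py
python3 galleta.py --help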
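# Dedicated tools directory. Keep it owned by you and not group/world
# writable: it is about to be appended to PATH, and anyone who can write
# there can plant a binary you will later execute by name.
mkdir -p ~/forensics/tools && chmod 755 ~/forensics/tools && cd ~/forensics/tools
# Fetch Galleta (verify the URL against the project's published link first)
git clone https://github.com/corkami/galleta.git
# Make the scripts runnable by name
chmod +x galleta/*.py
# Append (never prepend) to PATH -- a prepended directory would shadow
# system binaries for every command in this shell
export PATH="$PATH:$HOME/forensics/tools/galleta"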
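# Parse a single IE cookie file. Legacy IE keeps one plain-text file per
# site (user@domain[N].txt); "cookies.dat" below is a placeholder for one.
python3 galleta.py cookies.dat
# Redirect the parsed records to a file
python3 galleta.py cookies.dat > cookies_analysis.txt
# CSV output. The -c and -v flags are as this page documents them; confirm
# them with --help for the build you actually installed.
python3 galleta.py cookies.dat -c > cookies.csv
# Parse every cookie file in a user profile. Galleta takes a cookie FILE,
# not the Cookies directory, so iterate the directory's contents.
for f in /home/user/.wine/drive_c/Users/Username/Cookies/*; do
  [ -f "$f" ] && python3 galleta.py "$f"
done
# Verbose output
python3 galleta.py -v cookies.dat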
# Standard IE cookie locations. Legacy IE keeps one plain-text file per site in
# these directories (named user@domain[N].txt); those per-site files are what
# Galleta parses. An index.dat in the same tree is the cache/history index, a
# different artifact handled by Pasco (Galleta's sibling tool).
/root/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies/
/root/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies/Low/
# Windows systems (if analyzing a Windows filesystem; the INetCookies path is
# used by newer IE versions -- confirm which one the source system ran)
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Cookies\
C:\Users\[Username]\AppData\Local\Microsoft\Windows\INetCookies\
# Linux with WINE
~/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies/
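# Find candidate cookie artifacts. "index.dat" already matches "*.dat", so
# the original second alternative was redundant; what it missed are the
# per-site .txt cookie files, found here by their Cookies directory. The
# -o alternatives are grouped so -type f applies to both branches.
find ~ -type f \( -name "*.dat" -o -ipath "*/Cookies/*" \) 2>/dev/null
# Locate Cookies directories on a mounted Windows partition
find /mnt/windows_drive -type d -iname "Cookies" 2>/dev/null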
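# Work from a read-only mount of the image rather than "extracting" it: a raw
# disk image is not an archive, and ro/noexec/nodev/nosuid keep anything
# inside the evidence from being executed or treated as a device on the
# examiner's machine. For a full-disk image add offset=<partition start>.
mkdir -p /mnt/evidence
sudo mount -o ro,loop,noexec,nodev,nosuid forensic_image.img /mnt/evidence
# A file-system backup archive is untrusted input. List it first and look
# for absolute or '..' member paths, then unpack into a fresh directory of
# its own -- never into the current directory.
tar -tzf windows_backup.tar.gz | grep -E '^/|(^|/)\.\./' && echo "suspicious paths in archive" >&2
mkdir -p extracted && tar -xzf windows_backup.tar.gz -C extracted
# Go to the cookie directory. Quote the path: [Username] is a placeholder,
# and unquoted brackets are a glob pattern to the shell.
cd "extracted/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies"
# Parse every cookie file there (legacy IE cookies are per-site text files;
# adjust the glob to what the directory actually holds)
for f in *; do
  [ -f "$f" ] && python3 /path/to/galleta.py "$f"
done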
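# Parse and examine the output
python3 galleta.py cookies.dat
# Example output structure, as documented on this page:
# [Cookie Name] | [Domain] | [Path] | [Creation Time] | [Expiration Time] | [Access Time] | [Value]
# Every cut/awk/sort recipe below assumes this pipe delimiter and field
# order. Check the first line of real output from your build before trusting
# the field numbers: the original C Galleta emits tab-separated fields by
# default, and a different delimiter makes cut -d'|' silently return whole
# lines instead of columns.
python3 galleta.py cookies.dat | head -1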
| Field | Description | Example |
|---|---|---|
| Cookie Name | Name of the cookie variable | sessionid, userid, tracking_id |
| Domain | Website domain associated | example.com, www.google.com |
| Path | URL path where cookie applies | /, /admin, /api/v1 |
| Creation Time | When cookie was created | 2024-01-15 14:23:45 UTC |
| Expiration Time | When cookie expires | 2024-12-31 23:59:59 UTC |
| Access Time | Last time cookie was accessed | 2024-05-01 10:15:30 UTC |
| Cookie Value | Data stored in cookie | Base64 encoded, session token, etc |
| Flags | Security attributes (not part of the 7-field example above; whether a flags column is printed depends on the build) | Secure, HttpOnly, Domain, Path |
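# Selected columns: name, domain, creation time
python3 galleta.py cookies.dat | cut -d'|' -f1,2,4
# Filter by domain. -F matches the string literally; as a regex the '.' in
# "facebook.com" would match any character.
python3 galleta.py cookies.dat | grep -F "facebook.com"
# Filter by month (matches any timestamp column containing 2024-05)
python3 galleta.py cookies.dat | grep -F "2024-05"
# Cookies with "session" in the name or value
python3 galleta.py cookies.dat | grep -i "session"
# Tracking cookies. A bare "ad" also matches "load", "head", "address" ...;
# word boundaries keep the hit list reviewable.
python3 galleta.py cookies.dat | grep -iE '\btrack|\banalytics|\bads?\b'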
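# Step 1: locate cookie files under the (read-only mounted) evidence tree.
# NUL-delimit the list so paths with spaces or newlines survive intact.
find /mnt/evidence -type f \( -name "*.dat" -o -ipath "*/Cookies/*" \) -print0 > cookie_files.txt
# Step 2: parse each file. read -r -d '' consumes the NUL-delimited list;
# without -r, backslashes in paths would be mangled.
while IFS= read -r -d '' file; do
  printf '=== Processing: %s ===\n' "$file"
  python3 galleta.py "$file"
done < cookie_files.txt
# Step 3: build a master cookie listing in one pass, with a provenance line
# per file so each record can be traced back to its source
while IFS= read -r -d '' file; do
  printf '### %s\n' "$file"
  python3 galleta.py "$file"
done < cookie_files.txt > all_cookies.txt
# Step 4: triage. Cookie data never labels itself "malicious"; match against
# a list of known-bad domains/IOCs (one per line) instead. -F stops the list
# being interpreted as regexes; make sure it contains no blank line, because
# an empty pattern matches every record.
grep -F -i -f ioc_domains.txt all_cookies.txt > suspicious_cookies.txt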
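# Emit "creation time|name|domain" per record. cut -f cannot reorder fields
# (it always emits them in input order), so awk does the reordering; the
# output stays pipe-delimited because timestamps themselves contain spaces.
# Reads galleta output on stdin; lines with fewer than 4 fields are dropped.
cookie_timeline() {
  awk -F'|' 'BEGIN { OFS = "|" } NF >= 4 { print $4, $1, $2 }'
}
python3 galleta.py cookies.dat | cookie_timeline > timeline.txt
# Sort by access time. -t'|' is required: without it sort -k4 keys on the 4th
# whitespace-separated word, not the 4th cookie field. Access time is field 6
# in the documented layout (field 4 is creation time).
python3 galleta.py cookies.dat | sort -t'|' -k6,6 > sorted_cookies.txt
# CSV for timeline tools
python3 galleta.py cookies.dat -c > cookies_timeline.csv
# Latest 20 entries by the second CSV column. -t, sets the delimiter; quoted
# fields that themselves contain commas will still confuse sort.
sort -t, -k2,2 cookies_timeline.csv | tail -20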
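# Parse IE cookies once and keep the result
python3 galleta.py cookies.dat > ie_cookies.txt
# Unique domains. sort -u replaces sort|uniq; LC_ALL=C makes the order
# byte-wise, which is what comm expects below. Blank lines are dropped
# because an empty grep pattern would match every line of the history.
cut -d'|' -f2 ie_cookies.txt | grep -v '^$' | LC_ALL=C sort -u > cookie_domains.txt
# Cross-reference with browser history. -F: the domains come from the
# evidence and are data, not regexes (an unescaped '.' matches anything);
# -w avoids substring hits such as "ample.com".
grep -F -w -f cookie_domains.txt browser_history.txt
# Intersection of the two domain lists (comm needs both inputs sorted the
# same way, so sort both under the same locale)
LC_ALL=C comm -12 <(LC_ALL=C sort -u cookie_domains.txt) <(LC_ALL=C sort -u history_domains.txt)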
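# Session cookies. The documented layout has no explicit session marker, so
# this relies on the build printing "Session" in the expiration column for
# cookies without an expiry -- confirm against real output before filtering.
python3 galleta.py cookies.dat | grep "Session"
# Persistent cookies (the complement of the above)
python3 galleta.py cookies.dat | grep -v "Session"
# Cookies for one domain (-F: literal match, '.' is not a wildcard)
python3 galleta.py cookies.dat | grep -F "github.com"
# Known third-party trackers (extend the alternation with your own list)
python3 galleta.py cookies.dat | grep -E "doubleclick|facebook|analytics"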
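# Name and value columns only
python3 galleta.py cookies.dat | cut -d'|' -f1,7
# Decode base64-looking cookie values. Cookie values are attacker-controlled
# bytes: a decoded value can contain terminal escape sequences, so never
# write it raw to a terminal -- cat -v renders control bytes visibly.
# Reads galleta records on stdin and prints one decoded value per line;
# lines with fewer than 7 fields and values that are not valid base64 are
# printed as an empty line.
decode_cookie_values() {
  local line value
  while IFS= read -r line; do
    value=${line#*|*|*|*|*|*|}          # everything after the 6th '|'
    [ "$value" = "$line" ] && continue  # fewer than 7 fields: not a record
    printf '%s' "$value" | base64 -d 2>/dev/null | cat -v
    printf '\n'
  done
}
python3 galleta.py cookies.dat | decode_cookie_values
# Credential-bearing cookies
python3 galleta.py cookies.dat | grep -iE "token|session|auth|password"
# Potential PII (SSN-shaped numbers, e-mail addresses). -i is required: the
# character classes are upper-case and would miss every lower-case address.
python3 galleta.py cookies.dat | grep -iE "[0-9]{3}-[0-9]{2}-[0-9]{4}|[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}"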
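# Hash the original before anything touches it. SHA-256 is the hash of
# record; MD5 is collision-broken and is kept only to match legacy tooling.
sha256sum cookies.dat > cookies.dat.sha256
md5sum cookies.dat > cookies.dat.md5
# Working copy: -p preserves mode, ownership and timestamps, and the
# read-only bit makes any accidental edit fail loudly
cp -p cookies.dat cookies.dat.evidence
chmod 444 cookies.dat.evidence
# Prove the copy is bit-identical to the original
sha256sum cookies.dat cookies.dat.evidence
# Document collection. Times are written in UTC so the log does not depend
# on the examiner workstation's timezone.
{
  printf 'Collected: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf 'Location: %s\n' "$(pwd)"
  printf 'SHA256: %s\n' "$(sha256sum cookies.dat)"
  printf 'MD5: %s\n' "$(md5sum cookies.dat)"
} >> evidence.log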
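# Evidence report. The heredoc delimiter is deliberately unquoted so the
# $(...) hashes and date expand; the date is UTC to match evidence.log.
cat > EVIDENCE_REPORT.txt << EOF
Evidence Item: Internet Explorer Cookies
Source: /home/user/.wine/drive_c/Users/[Username]/AppData/Roaming/Microsoft/Windows/Cookies
Collection Date: $(date -u +%Y-%m-%dT%H:%M:%SZ)
Collection Method: Forensic tool (galleta)
Hash (MD5): $(md5sum cookies.dat | cut -d' ' -f1)
Hash (SHA256): $(sha256sum cookies.dat | cut -d' ' -f1)
Analyst: [Name]
Case Number: [Case ID]
EOF
# Package the evidence file with its report. This is an archive, not a
# forensic image: it preserves only what tar keeps, not file-system metadata.
archive="cookies_evidence_$(date -u +%Y%m%d_%H%M%S).tar.gz"
tar -czf "$archive" cookies.dat EVIDENCE_REPORT.txt
# Verify integrity. Listing the archive (tar -t) only proves it is readable;
# a recorded checksum, re-checked later, is what proves it was not altered.
sha256sum "$archive" > "$archive.sha256"
sha256sum -c "$archive.sha256"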
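# Structured text export
python3 galleta.py cookies.dat > investigation_cookies.txt
# CSV report
python3 galleta.py cookies.dat -c > cookies_detailed.csv
# Report with a metadata header. SOURCE_PATH is expected from the caller;
# warn when it is missing rather than silently writing an empty
# "Evidence Source:" line into the report.
[ -n "${SOURCE_PATH:-}" ] || echo "warning: SOURCE_PATH is not set" >&2
{
  printf 'Analysis Date: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf 'Analyst: %s\n' "Forensic Team"
  printf 'Evidence Source: %s\n' "${SOURCE_PATH:-}"
  echo "===== COOKIES ANALYSIS ====="
  python3 galleta.py cookies.dat
} > final_report.txt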
# Cookie categories. Each pattern is held in a variable so it can be reused
# or extended without retyping the grep. Matching is case-insensitive and
# applies to the whole record line (name, domain and value alike).
auth_re='auth|session|token|jwt'
tracker_re='doubleclick|facebook|google.*analytics|twitter|linkedin'
shop_re='amazon|ebay|shop|cart|product'
social_re='facebook|twitter|instagram|linkedin|reddit|tiktok'
# Authentication cookies
python3 galleta.py cookies.dat | grep -iE "$auth_re"
# Advertising / tracking
python3 galleta.py cookies.dat | grep -iE "$tracker_re"
# Shopping / e-commerce
python3 galleta.py cookies.dat | grep -iE "$shop_re"
# Social media activity
python3 galleta.py cookies.dat | grep -iE "$social_re"
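# Run the parser once and reuse the output; each pipeline below otherwise
# re-parsed the file from scratch
python3 galleta.py cookies.dat > parsed_cookies.txt
# Distinct dates (field 4 = creation time; the date is its first
# space-delimited token). Lexical sort orders ISO-8601 dates correctly.
cut -d'|' -f4 parsed_cookies.txt | cut -d' ' -f1 | grep -v '^$' | sort -u
# First and last creation timestamps. Empty fields are dropped first, or a
# blank would always sort as the "first" activity.
echo "First activity:"
cut -d'|' -f4 parsed_cookies.txt | grep -v '^$' | sort | head -1
echo "Last activity:"
cut -d'|' -f4 parsed_cookies.txt | grep -v '^$' | sort | tail -1
# Records per day, busiest first
cut -d'|' -f4 parsed_cookies.txt | cut -d' ' -f1 | grep -v '^$' | sort | uniq -c | sort -rn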
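# Run the parser once and keep the output for the statistics below
python3 galleta.py cookies.dat > parsed_cookies.txt
# Cookies per domain, most first
cut -d'|' -f2 parsed_cookies.txt | sort | uniq -c | sort -rn
# Ten most recently accessed domains. The original one-liner was wrong on
# two counts: cut -f4,2 cannot reorder columns (it emits input order), and
# sort -k2 without -t keys on whitespace, not on the cookie field. Access
# time is field 6 in the documented layout (field 4 is creation time);
# ISO timestamps sort correctly as text. Reads galleta records on stdin.
recently_accessed_domains() {
  awk -F'|' 'NF >= 6 { print $6 "|" $2 }' | sort | tail -10
}
recently_accessed_domains < parsed_cookies.txt
# Cookies created per day
cut -d'|' -f4 parsed_cookies.txt | cut -d' ' -f1 | sort | uniq -c
# Top 20 domains by cookie count
cut -d'|' -f2 parsed_cookies.txt | sort | uniq -c | sort -rn | head -20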
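# Permission denied: fix access to a working COPY instead of running a
# third-party parser as root. Cookie files are attacker-controlled input;
# a parser bug on hostile data should only ever cost an unprivileged account.
sudo cp -p cookies.dat cookies.dat.work && sudo chown "$(id -u):$(id -g)" cookies.dat.work
python3 galleta.py cookies.dat.work
# File not found: search the home tree
find ~ -name "*.dat" -type f 2>/dev/null
# Size, permissions and detected file type
ls -la cookies.dat
file -b cookies.dat
# Confirm the tool runs, and which flags this build actually supports
python3 galleta.py --help
python3 galleta.py --version
# Raw bytes. Legacy IE cookie files are plain text; a binary blob here is
# not a cookie file (index.dat is a separate artifact, parsed by Pasco).
xxd cookies.dat | head
# Text encoding (the chardet Python package installs its CLI as `chardetect`)
chardetect cookies.dat
# Last resort only: Python 2 is end-of-life. If a build really needs it,
# run it in a throwaway VM or container, not on the examiner workstation.
python2 galleta.py cookies.dat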
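# Do NOT split a cookie file with `split -l`: a legacy IE cookie record spans
# several lines, so every chunk boundary corrupts one record -- and the
# original recipe then concatenated the raw parts, not the parsed results.
# For a large case, iterate over FILES instead: legacy IE keeps one small
# file per site, so there is nothing to chunk.
find cookie_dir -type f -print0 |
  while IFS= read -r -d '' f; do
    printf '### %s\n' "$f"          # provenance line per source file
    python3 galleta.py "$f"
  done > full_results.txt
# full_results.txt is already the combined output; no second concatenation step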
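# Master timeline. Sort the cookie records BEFORE appending the section
# headers: piping the headers through sort scrambled them into the data.
# cut cannot reorder fields, so awk emits time|name|domain.
{
  echo "=== COOKIES ==="
  python3 galleta.py cookies.dat | awk -F'|' 'BEGIN { OFS = "|" } NF >= 4 { print $4, $1, $2 }' | sort
  echo "=== OTHER ARTIFACTS ==="
  # Append other (individually sorted) artifact timelines here
} > master_timeline.txt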
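# Load the parsed cookies into SQLite with the CSV importer. Never build
# INSERT statements by pasting cookie fields into a string: evidence data is
# attacker-controlled, and a value containing a quote or semicolon would
# break the statement or inject SQL into the evidence database. Also note
# that in SQLite double quotes delimit identifiers, not strings.
python3 galleta.py cookies.dat -c > cookies_detailed.csv
# If the table does not exist, sqlite3 creates it from the CSV header row;
# if your build emits no header, create the table first with the right
# column count.
sqlite3 evidence.db <<'EOF'
.mode csv
.import cookies_detailed.csv cookies
EOF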
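# Parse once into a temp file; the original re-ran galleta for every figure
parsed=$(mktemp) && trap 'rm -f "$parsed"' EXIT
python3 galleta.py cookies.dat > "$parsed"
{
  echo "=== COOKIE FORENSICS REPORT ==="
  # grep -c . counts non-empty lines; wc -l would also count blanks
  echo "Total Cookies: $(grep -c . "$parsed")"
  # uniq only collapses ADJACENT duplicates; without sort the count was wrong
  echo "Unique Domains: $(cut -d'|' -f2 "$parsed" | sort -u | wc -l)"
  echo ""
  echo "Top 10 Domains:"
  cut -d'|' -f2 "$parsed" | sort | uniq -c | sort -rn | head -10
  echo ""
  echo "Date Range:"
  echo "First: $(cut -d'|' -f4 "$parsed" | grep -v '^$' | sort | head -1)"
  echo "Last: $(cut -d'|' -f4 "$parsed" | grep -v '^$' | sort | tail -1)"
} > forensic_report.txt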
| Practice | Description |
|---|---|
| Hash Evidence | Record SHA-256 (MD5 only for legacy tool compatibility) of the original before analysis, and hash the working copy to prove it matches |
| Document Findings | Keep detailed notes of all analysis steps |
| Verify Timestamps | Confirm the source system's timezone and record your own collection times in UTC so cookie timestamps and the evidence log agree |
| Preserve Original | Make copies, never modify original evidence |
| Cross-Reference | Correlate with browser history and other artifacts |
| Report Thoroughly | Document all findings with evidence |
| Use Tools Correctly | Understand tool limitations and output format |
| Validate Results | Double-check suspicious findings |
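# Galleta help
python3 galleta.py --help
# GitHub repository (verify against the project's published link before cloning)
# https://github.com/corkami/galleta
# DFIR resources
# https://www.dfir.training
# File carving: recovers deleted cookie/index files from an image for Galleta
# to parse. foremost is a carver, not an IE history parser.
foremost -i evidence.img -o output_dir
# Related browser-forensics tools (names, not commands): Pasco for index.dat
# (Galleta's sibling), hindsight, BrowsingHistoryView, chromedumper
# Timeline tools (names, not commands -- the original bare line would have
# tried to execute "mactime,"): mactime (Sleuth Kit), log2timeline/plaso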