Enumerate the user's Chrome cookies.

The cookies are typically encrypted by DPAPI using the user's credentials. Since Velociraptor is typically not running in the user's context, it cannot decrypt them; it may be possible to decrypt the cookies offline.

The pertinent information from a forensic point of view is the user's Created and LastAccess timestamps, together with the fact that the user actually visited the site and obtained a cookie.

This artifact is deprecated in favor of Generic.Forensic.SQLiteHunter and will be removed in future.
```yaml
name: Windows.Applications.Chrome.Cookies
description: |
  Enumerate the user's Chrome cookies.

  The cookies are typically encrypted by the DPAPI using the user's
  credentials. Since Velociraptor is typically not running in the user
  context we cannot decrypt these. It may be possible to decrypt the
  cookies offline.

  The pertinent information from a forensic point of view is the
  user's Created and LastAccess timestamps, and the fact that the user
  has actually visited the site and obtained a cookie.

  ## NOTES:

  This artifact is deprecated in favor of
  `Generic.Forensic.SQLiteHunter` and will be removed in future.

parameters:
  - name: cookieGlobs
    default: \AppData\Local\Google\Chrome\User Data\*\Cookies
  - name: cookieSQLQuery
    default: |
      SELECT creation_utc, host_key, name, value, path, expires_utc,
             last_access_utc, encrypted_value
      FROM cookies
  - name: userRegex
    default: .
    type: regex

precondition: SELECT OS From info() where OS = 'windows'

sources:
  - query: |
      LET cookie_files = SELECT * from foreach(
        row={
           SELECT Uid, Name AS User,
                  expand(path=Directory) AS HomeDirectory
           FROM Artifact.Windows.Sys.Users()
           WHERE Name =~ userRegex
        },
        query={
           SELECT User, OSPath, Mtime
           FROM glob(root=HomeDirectory, globs=cookieGlobs)
        })

      SELECT * FROM foreach(row=cookie_files,
        query={
          SELECT timestamp(winfiletime=creation_utc * 10) as Created,
                 timestamp(winfiletime=last_access_utc * 10) as LastAccess,
                 timestamp(winfiletime=expires_utc * 10) as Expires,
                 host_key, name, path, value,
                 base64encode(string=encrypted_value) as EncryptedValue
          FROM sqlite(
            file=OSPath,
            query=cookieSQLQuery)
        })
```
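The artifact's one non-obvious step is the timestamp handling: Chrome stores `creation_utc`, `last_access_utc` and `expires_utc` as microseconds since 1601-01-01 UTC, the same epoch as a Windows FILETIME but at a tenth of its resolution, which is why the VQL multiplies each value by 10 before handing it to `timestamp(winfiletime=...)`. The following Python script is an added example (not part of the artifact or of Velociraptor) that performs the same offline triage on a copied Cookies database: it runs the artifact's `cookieSQLQuery`, converts the three timestamps, and base64-encodes `encrypted_value` without attempting to decrypt it. The schema and rows are constructed in memory so the script runs stand-alone; only the columns the artifact queries are modelled, and the `encrypted_value` blob is opaque sample bytes, not a real DPAPI blob.

```python
import base64
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds since 1601-01-01 UTC. A Windows
# FILETIME counts 100 ns ticks from the same epoch, hence the artifact's "* 10".
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Identical to the artifact's cookieSQLQuery parameter.
COOKIE_QUERY = """
SELECT creation_utc, host_key, name, value, path, expires_utc,
       last_access_utc, encrypted_value
FROM cookies
"""

# Constructed sample bytes standing in for a DPAPI-protected blob (not real).
SAMPLE_BLOB = b"v10" + bytes(range(8))


def webkit_to_datetime(value):
    """Convert a Chrome microsecond timestamp to an aware UTC datetime.
    Chrome uses 0 for "no value" (e.g. expires_utc of a session cookie)."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC datetime.
    webkit_to_datetime(x) == filetime_to_datetime(x * 10), the VQL's equivalence."""
    if not filetime:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(filetime) // 10)


def build_sample_cookie_db():
    """Create an in-memory SQLite database shaped like Chrome's Cookies file.
    Constructed data: two cookies, one session cookie and one with an expiry."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE cookies (
            creation_utc INTEGER NOT NULL,
            host_key TEXT NOT NULL,
            name TEXT NOT NULL,
            value TEXT NOT NULL,
            path TEXT NOT NULL,
            expires_utc INTEGER NOT NULL,
            last_access_utc INTEGER NOT NULL,
            encrypted_value BLOB DEFAULT ''
        )
        """
    )
    rows = [
        # 13317004800000000 us == 2023-01-01T00:00:00Z (11644473600 s offset
        # between the 1601 and 1970 epochs, plus the Unix time 1672531200).
        (13317004800000000, ".example.test", "session_id", "", "/",
         0, 13317134400000000, SAMPLE_BLOB),          # session cookie, no expiry
        (13317008400000000, "login.example.test", "remember", "", "/account",
         13348540800000000, 13317008400000000, b""),   # expires 2024-01-01
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def enumerate_cookies(conn):
    """Run the artifact's query and shape each row like the VQL output:
    Created/LastAccess/Expires as datetimes, EncryptedValue as base64."""
    results = []
    for (creation, host, name, value, path, expires, last_access, enc) in conn.execute(COOKIE_QUERY):
        results.append({
            "Created": webkit_to_datetime(creation),
            "LastAccess": webkit_to_datetime(last_access),
            "Expires": webkit_to_datetime(expires),
            "host_key": host,
            "name": name,
            "path": path,
            "value": value,
            "EncryptedValue": base64.b64encode(enc or b"").decode("ascii"),
        })
    return results


if __name__ == "__main__":
    # To triage a real copy, replace build_sample_cookie_db() with
    # sqlite3.connect("file:Cookies?mode=ro", uri=True) on the copied file.
    for row in enumerate_cookies(build_sample_cookie_db()):
        print(row["Created"], row["LastAccess"], row["Expires"], row["host_key"], row["name"])
```

Open a copied Cookies file read-only (Chrome holds a lock on the live one and a journal or WAL may be present), and keep the `EncryptedValue` column as evidence that a cookie was issued rather than as something to decode on the collecting host.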