Windows.Applications.Chrome.Cookies

Enumerate the users chrome cookies.

The cookies are typically encrypted by the DPAPI using the user’s credentials. Since Velociraptor is typically not running in the user context we can not decrypt these. It may be possible to decrypt the cookies off line.

The pertinant information from a forensic point of view is the user’s Created and LastAccess timestamp and the fact that the user has actually visited the site and obtained a cookie.

NOTES:

This artifact is deprecated in favor of Generic.Forensic.SQLiteHunter and will be removed in future


name: Windows.Applications.Chrome.Cookies
description: |
  Enumerate the users chrome cookies.

  The cookies are typically encrypted by the DPAPI using the user's
  credentials. Since Velociraptor is typically not running in the user
  context we can not decrypt these. It may be possible to decrypt the
  cookies off line.

  The pertinant information from a forensic point of view is the
  user's Created and LastAccess timestamp and the fact that the user
  has actually visited the site and obtained a cookie.

  ## NOTES:

  This artifact is deprecated in favor of
  Generic.Forensic.SQLiteHunter and will be removed in future

parameters:
  - name: cookieGlobs
    default: \AppData\Local\Google\Chrome\User Data\*\Cookies
  - name: cookieSQLQuery
    default: |
      SELECT creation_utc, host_key, name, value, path, expires_utc,
             last_access_utc, encrypted_value
      FROM cookies
  - name: userRegex
    default: .
    type: regex

precondition: SELECT OS From info() where OS = 'windows'

sources:
  - query: |
        LET cookie_files = SELECT * from foreach(
          row={
             SELECT Uid, Name AS User,
                    expand(path=Directory) AS HomeDirectory
             FROM Artifact.Windows.Sys.Users()
             WHERE Name =~ userRegex
          },
          query={
             SELECT User, OSPath, Mtime
             FROM glob(root=HomeDirectory, globs=cookieGlobs)
          })

        SELECT * FROM foreach(row=cookie_files,
          query={
            SELECT timestamp(winfiletime=creation_utc * 10) as Created,
                   timestamp(winfiletime=last_access_utc * 10) as LastAccess,
                   timestamp(winfiletime=expires_utc * 10) as Expires,
                   host_key, name, path, value,
                   base64encode(string=encrypted_value) as EncryptedValue
            FROM sqlite(
              file=OSPath,
              query=cookieSQLQuery)
          })