Cookie File Forensics: Types and Directives Explained

2022-08-09

During the digital investigation process, a law enforcement or digital forensics professional may be tasked with having to investigate whether a suspect is involved in illegal activities that have to do with cyber crime such as hacking, dealings on the dark web, harassment, etc.

One way to accomplish this is to seize the suspect’s computer or smart device and examine their browsing history. This is where knowledge of the different cookie types and their uses comes in – by knowing what to look for, you’ll be able to investigate their browsing activity and gather evidence that can hold its own in a court of law.

Today, we’ll cover:

  • What cookie files are
  • What information they store
  • The different types you should know
  • Where to look for them
  • What tools to use to recover them
  • Any regulatory cookie directives you should know
  • and more!

With this out of the way, let’s start with the basics.

What are File Cookies and What Information Do They Store?

In essence, file cookies are small text files that websites may place on a user’s computer or smart device. Depending on the user’s browser, there’s a designated file path or folder where these are stored (more on this later, when we cover where each popular browser stores them).

Cookies can store a myriad of information (whatever the website chooses to store as a variable).

This can be:

  • Login Status
  • Locale
  • Email address
  • Home address
  • Telephone number
  • etc.

However, note that not all cookies will necessarily store all of the above. For example, a cookie may be used only to track whether a user is logged in or not, so the website that placed it on their computer knows whether to display a personalized or a general version of its content.

At their core, cookie files are nothing more than text files that store variables.

The Main Uses of File Cookies

Cookies are mainly used for the following 3 reasons:

  • Tracking: an eCommerce store might suggest additional items a user should buy based on their previous purchases.
  • Session management: once a user logs into an online account, the website places a cookie on their computer or smart device for the purposes of “remembering” them and not having to ask for authentication again.
  • Personalization: to serve relevant ads that are custom-tailored to the user’s interests and preferences, a website can serve personalized cookies. These can also be used for the purpose of reporting and frequency capping.

Main Differences to Note: 6 Cookie Types Explained

There are different cookie types every digital forensics and law enforcement examiner should be familiar with.

Session cookies

Session cookies are one of the most common cookie types that are used for the website to “remember” a user for the entire duration of the ongoing session (in other words, until the user decides to leave the website).

After that, the session cookie is deleted. Hence, these types of cookies are also referred to as non-persistent cookies.

To give a practical example, notice how certain eCommerce stores allow you to place items into the shopping cart without necessarily requiring you to create an account beforehand.

This is only possible due to session cookies – without them, the shopping cart would empty itself every time a user were to click on another webpage, product category, or other section of the website.

Session cookies play a vital role in eCommerce.

First-party Cookies

First-party cookies are the typical login cookies that allow a website to remember who you are and give you access to the personal area of the website (including private messages, settings, order history, and so forth). They are also used for the purpose of tweaking the website’s appearance based on the user’s settings (such as localization).

The key point to remember is that first-party cookies are persistent in nature, meaning they will remain on the user’s device until they are either deleted, deactivated, or reach their expiration date.

Additionally, first-party cookies can also be used for the purposes of data analytics and optimizing the user experience.

First-party cookies store your language settings.

Third-party Cookies

Unlike first-party cookies, third-party cookies are one of the cookie types that get placed on the user’s device by a website other than the one that’s currently open. Their intended purpose is to track the user’s browsing activity.

Examples include:

  • Serving ads
  • Tracking
  • Retargeting

Keep in mind that certain browsers like Mozilla Firefox and Apple Safari are configured to block third-party cookies by default to prevent cross-site tracking.

Other mainstream browsers tend to allow a user to block them as well, but this requires manual configuration on the user’s end.

In criminal investigation cases involving cookie forensics, it’s crucial to know that the presence of a third-party cookie on the device does not necessarily signal that the suspect has intentionally accessed the website the cookie came from – the presence of the cookie could be a side-effect of browsing a completely innocent website.

Hence, an investigator analyzing this type of digital evidence in criminal investigations needs to take the above into consideration before drawing any kind of conclusions.

Third-party cookies are often placed by ads.

Persistent Cookies

Also referred to as perma-cookies, persistent cookies tend to stay on one’s device until they’re made invalid after reaching their expiration date. They are placed on the user’s device by the website and can store various types of information such as:

  • Usernames
  • Settings
  • Preferences
  • Locale
  • etc.

Since they are used for the purpose of tracking a user’s activity and behavioral patterns on the website they’re visiting, they are also referred to as tracking cookies.

Unlike session cookies, they will not be erased when a user closes the website or navigates away (however, keep in mind there is an expiration date attached to them).

Persistent cookies are often used for the purpose of tracking users.

Secure Cookies

If you’ve ever visited a website with an HTTPS protocol, you’ve likely received a secure cookie.

Connecting over HTTPS means that your connection is encrypted, which makes it harder to eavesdrop on. It also means that any cookies placed on your device are harder to steal.

Since the vast majority of websites use the secure HTTPS protocol, this is the gold standard and what you’re most likely to encounter during a digital forensic investigation.

Secure cookies are harder to spy on.

Super Cookies

Also known as zombie cookies and ever-cookies, super cookies are actually not cookies in the traditional sense of the word.

Rather, they are bits and pieces of code that are embedded in another object.

While traditional cookies are essentially text files, super cookies can come in the form of:

  • Images
  • Local shared objects
  • HTML5 web storage
  • etc.

They tend to be super-sticky in nature – these sticky cookie types will recreate themselves even after the originals have been deleted.

HTML5 objects can act as sticky cookies.

Where Do Browsers Store Cookies?

During the computer forensics investigation process, it’s important to note that every browser has a different file path.

This way, you’ll know exactly where to search for the exact cookie types that are relevant to the investigation.

Chrome

Google Chrome uses a simple SQLite database to store the browser cookies in the following file path:

C:\Users\[User Name]\AppData\Local\Google\Chrome\User Data\Default\
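
As an added example (not from the original article or from any tool it mentions), the Python below opens a working copy of Chrome's `Cookies` SQLite file read-only and maps each row to the session/persistent and secure distinctions described earlier, converting Chrome's timestamps to UTC. The column names are those of recent Chrome schemas, and the sample rows and `.example` hosts are constructed; check the schema of the database in evidence, since older versions name some columns differently.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome timestamps count microseconds since 1601-01-01 UTC; 0 means unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None

def read_chrome_cookies(db_path):
    """Read a working copy of a Chrome 'Cookies' database without modifying it."""
    # mode=ro makes SQLite refuse writes, so the copy under examination stays unchanged.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    try:
        rows = con.execute(
            "SELECT host_key, name, creation_utc, expires_utc, last_access_utc,"
            " is_secure, is_persistent FROM cookies ORDER BY creation_utc"
        ).fetchall()
    finally:
        con.close()
    return [
        {
            "host": r["host_key"],
            "name": r["name"],
            "created": webkit_to_utc(r["creation_utc"]),
            "expires": webkit_to_utc(r["expires_utc"]),
            "last_access": webkit_to_utc(r["last_access_utc"]),
            "kind": "persistent" if r["is_persistent"] else "session",
            "secure": bool(r["is_secure"]),
        }
        for r in rows
    ]

def build_sample_db(db_path):
    """Constructed two-row database holding a subset of Chrome's cookie columns."""
    con = sqlite3.connect(db_path)
    con.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, creation_utc INTEGER,"
        " expires_utc INTEGER, last_access_utc INTEGER, is_secure INTEGER,"
        " is_persistent INTEGER)"
    )
    con.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", [
        (".shop.example", "cart", 13304563200000000, 0, 13304566800000000, 1, 0),
        (".ads.example", "uid", 13304563260000000, 13336099260000000, 13304563260000000, 0, 1),
    ])
    con.commit()
    con.close()
```

Call `build_sample_db()` on a scratch path and pass the same path to `read_chrome_cookies()` to see the output; the `created` and `last_access` values are what place a cookie on an investigation timeline.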

Firefox

Like Google Chrome, Firefox also stores its browser cookies in an SQLite database that’s located in the following file path:

C:\Users\[User Name]\AppData\Local\Mozilla\Firefox\Profiles\

Safari

Unlike some of the other browsers, Apple Safari stores the browser cookies in an XML file:

/Libraries/Cookies/Cookies.plist

Internet Explorer

For IE, it’s important to note what operating system the computer is running. As you’ll see from the file paths below, it’s slightly different for each:

Earlier versions of Windows: C:\Users\[User Name]\AppData\Microsoft\Windows\Cookies\Low

Windows 7: C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies

Windows 8: C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies

Windows 10: C:\Users\username\AppData\Local\Microsoft\Windows\INetCookies

Suspects Can Clear Their Cache As an Attempt to Conceal Their Browsing History

No cookie that’s placed on a user’s device is 100% resistant to deletion.

In fact, wiping them can be as easy as navigating to a browser’s settings section and clearing the cache and browsing history.

Doing so will log the user out of any accounts.

It will also:

  • Remove temporary files
  • Clear the cookies
  • Delete the browsing history

The main purpose of caching a website’s content is to optimize resources. The reason is that certain parts of a given website tend to be static in nature, meaning that they don’t change over time or adapt to who is viewing them.

To conserve server resources and bandwidth, it makes sense to store them locally inside a user’s cache instead of having to re-download everything whenever a user re-visits the website or clicks through to another web page.

Based on what you’ve learned above, you can see why a computer forensics investigation process also covers the examination of browser cookies that may be present on the suspect’s device and why they have an incentive to clear them if they’re guilty of browsing websites with illegal content.

Can There Be an Innocent Reason for Clearing the Cache?

The answer is yes.

In fact, everyone who is at least somewhat tech-savvy will probably have to do it at some point.

Over time, a cache tends to get bloated and stuffed with large multimedia files such as:

  • Videos
  • Images
  • Music

Once it gets too big, performance is expected to decrease, and clearing the cache is the easy solution to get it back to optimal levels.

Possible Reasons to Clear the Cache

Possible reasons why someone might decide to clear the cache include:

1. Maximizing performance

A cache that gets too big can take up a lot of space on the hard drive and make things take longer to load.

This can slow down the browsing experience quite a bit – deleting it can restore the performance back to the way it was.

2. Maintaining privacy and security

In case a user is using a public computer to take care of personal business, it’s a good practice to log out and clear the cookies afterward.

Otherwise, the user could get exposed to eavesdropping, data theft, and unauthorized access by a third party, not to mention giving away the information regarding what pages the user has viewed.

3. Fixing browser errors

Sometimes, the cache is to blame for a myriad of browser errors, with the only solution being to clear it.

A feature on a page may stop working entirely until you’ve cleared the cache, or the website may refuse to load fresh content until you’ve cleared it.

Specialized Digital Forensics Tools Make It Easy to Recover Cookies Even If They Get Deleted

Sometimes, criminals will attempt to hide their browser history and online activity by wiping cookies from their computers.

To make the process of recovery more efficient and streamlined, law enforcement and digital forensics professionals from all around the world swear by DRS by SalvationDATA, a cutting-edge data recovery tool that allows anyone to perform advanced cookie file retrieval operations regardless of their level of experience or technical proficiency.

It will not only help you retrieve all cookie types, but also get the job done irrespective of what operating system is in use on the target device, whether it be Mac, Linux, Windows, or other.

In fact, it will also have a high rate of success even if the hard drive is damaged or has bad sectors on it. By entering the right keywords, it can pull up the right cookies in a matter of seconds.

About GDPR - the European Cookie Directive

Finally, a couple of words on GDPR, the European cookie directive that shook things up on the internet in 2018.

In essence, it’s a privacy and security law aimed at regulating how organizations treat the personal data of Europeans. One of its strict provisions is to ask for permission whenever personal data is being collected and obtain consent from the user – this includes cookies.

Failing to comply can result in astronomical fines that can go well into the millions of Euros.

The law has extraterritorial effect, meaning it also affects organizations outside of the EU.

Non-compliance with GDPR can yield steep fines.

Other Privacy Regulations Related to Cookies

Another law similar to GDPR is California’s Consumer Privacy Act (or CCPA for short). To comply, companies serving Californian citizens must:

  • Give them the option to revoke their personal information
  • Give them the right to know what information is collected
  • Give them the right to non-discrimination

Conclusion

Being able to differentiate between these cookies will help a great deal during the digital investigation process and point you in the right direction if you’re looking for a particular clue to crack the case.

With the right knowledge and computer forensic software tools, you will have everything that’s necessary to navigate your way through all sorts of cookie types and determine the suspect’s browsing history even if they’ve made an effort to delete or otherwise conceal it.