Cookies are often seen as the poor cousin of digital evidence, but they can provide a wealth of information for digital investigators – including how often, from where and how a user visited a certain site – as well as the search terms used to find it.
So how can we access this treasure trove of knowledge?
By using a piece of software called dunk! which covers all the main PC internet browsers (Chrome, Firefox, Safari, IE, etc.) and a wide range of mobile browsers.
The inspiration for dunk! came after conducting an examination of an iPhone during which we found that evidence for the web history and cache was thin on the ground – although we were getting some interesting key word hits in the cookies.
Previously, analysts had been dumping cookies into a straightforward table view, but not looking at the structure of the cookies’ values. However, in this case all the interesting key words fell inside what were found to be Google Analytics cookies. The nice thing about these cookies was that, unlike many cookies where the structure is proprietorial, these were consistent between all sites and contained really interesting insights into a user’s web activity.
We wrote a program enabling us to view all the cookies at once, and where known structures (such as Google Analytics) were found, automatically parse them – and we designed it to support as many browsers as possible.
But that’s not all it does; dunk! can detect session cookies which may contain usernames, email addresses, and sometimes even passwords, allowing investigators to build the fullest picture possible of browsing habits.
The interface allows the data to be filtered, searched and exported. In a nutshell, the software does the following:
- Processes cookies from PCs and mobile devices
- Internet Explorer 5+
- Mozilla Firefox 3.x
- Mozilla Firefox 4.0
- Google Chrome
- Safari browser
- Opera 5+
- Apple “binarycookies” format
- Android browser
- Flash cookies
- Nokia 40 browser
- Parses Google Analytics cookies
- Parses Adobe Flash cookies
- Enables investigators to search and filter evidence
- Detects session cookies which may contain usernames, email addresses, etc.
- Outputs to TSV and XML file formats
Open the cookie jar and take a detailed look at what’s inside.