Firefox Cookies

Overview

Evidence: Firefox Cookies
Description: Collect Firefox Cookies
Category: Applications
Platform: linux
Short Name: fcookies
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Firefox cookies store session data, authentication tokens, user preferences, and tracking information. Cookies can persist across sessions and contain sensitive data including login credentials, API tokens, and user identifiers. Understanding cookie data is essential for investigating account compromises, tracking malicious domains, and identifying data exfiltration paths.

Data Collected

This collector gathers structured data about firefox cookies.

Firefox Cookies Data

Field	Description	Example
`UserName`	User Name	Example value
`ProfileName`	Profile Name	Example value
`OriginAttributes`	Origin Attributes	Example value
`Name`	Name	Example value
`Value`	Value	Example value
`Host`	Host	Example value
`Path`	Path	Example value
`IsSecure`	Is Secure	true
`IsHTTPOnly`	Is HTTP Only	true
`InBrowserElement`	In Browser Element	123
`SameSite`	Same Site	123
`RawSameSite`	Raw Same Site	123
`SchemeMap`	Scheme Map	123
`Expiry`	Expiry	2023-10-15 14:30:25+03:00
`LastAccessTime`	Last Access Time	2023-10-15 14:30:25+03:00
`CreationTime`	Creation Time	2023-10-15 14:30:25+03:00

Collection Method

This collector queries the Firefox cookies.sqlite database to extract cookie information including names, values, domains, paths, expiration times, security flags, and SameSite attributes for all user profiles.

Forensic Value

Cookie data reveals visited websites, active sessions, authentication states, and tracking mechanisms. Malicious cookies may indicate session hijacking, credential theft, cross-site scripting attacks, or connections to command-and-control infrastructure. This evidence helps establish user activity timelines, identify compromised accounts, and track attacker access to web services.