Chrome Cookies - macOS Forensic Artifacts

Overview

Chrome stores cookies in a SQLite database named Cookies within each profile directory. On macOS, cookie values are encrypted using a key stored in the macOS Keychain, meaning the raw database contains encrypted blobs rather than plaintext values. However, the cookie metadata -- domain, name, path, creation time, expiry, flags -- is stored in cleartext and provides significant forensic value.

Cookies reveal which websites a user has authenticated to, when sessions were established, and which third-party trackers are present. The encryption status itself is informative: encrypted values indicate active cookie data, while empty values may indicate cleared or expired cookies.

File Locations

File	Path
Cookies database	`~/Library/Application Support/Google/Chrome/{Profile}/Cookies`
Journal file	`~/Library/Application Support/Google/Chrome/{Profile}/Cookies-journal`

Database Schema

cookies Table

CREATE TABLE cookies (
    creation_utc INTEGER NOT NULL,           -- WebKit timestamp
    host_key TEXT NOT NULL,                  -- Domain (e.g., ".example.com")
    top_frame_site_key TEXT NOT NULL,        -- Top-level site for partitioned cookies
    name TEXT NOT NULL,                      -- Cookie name
    value TEXT NOT NULL,                     -- Plaintext value (empty when encrypted)
    encrypted_value BLOB DEFAULT '',         -- Encrypted cookie value
    path TEXT NOT NULL,                      -- URL path scope
    expires_utc INTEGER NOT NULL,            -- Expiration (WebKit timestamp)
    is_secure INTEGER NOT NULL,              -- HTTPS-only flag
    is_httponly INTEGER NOT NULL,            -- JavaScript-inaccessible flag
    last_access_utc INTEGER NOT NULL,        -- Last access (WebKit timestamp)
    has_expires INTEGER NOT NULL DEFAULT 1,  -- Whether cookie has expiry
    is_persistent INTEGER NOT NULL DEFAULT 1,-- Whether stored on disk
    priority INTEGER NOT NULL DEFAULT 1,     -- Cookie priority
    samesite INTEGER NOT NULL DEFAULT -1,    -- SameSite policy
    source_scheme INTEGER NOT NULL DEFAULT 0,-- Scheme that set the cookie
    source_port INTEGER NOT NULL DEFAULT -1, -- Port that set the cookie
    last_update_utc INTEGER NOT NULL DEFAULT 0, -- Last update (WebKit timestamp)
    source_type INTEGER NOT NULL DEFAULT 0,
    has_cross_site_ancestor INTEGER NOT NULL DEFAULT 0
);

meta Table

Contains database version metadata.

CREATE TABLE meta (
    key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY,
    value LONGVARCHAR
);

Key Fields for Analysis

host_key: The domain that set the cookie. Prefixed with . for domain-wide cookies (e.g., .google.com). This reveals which sites the user has interacted with.
name: The cookie name. Well-known names like SID, SSID, APISID, SAPISID indicate Google authentication. Session cookies like PHPSESSID, session_id, or _session indicate active login sessions.
creation_utc: When the cookie was first created, establishing when the user first visited the site.
last_access_utc: When the cookie was last sent to the server, indicating recent activity.
expires_utc: When the cookie expires. Session cookies have has_expires = 0.
encrypted_value: The encrypted cookie data. The size of this blob can indicate whether it contains meaningful data.
is_secure: If true, the cookie is only sent over HTTPS connections.
is_httponly: If true, the cookie cannot be accessed via JavaScript, suggesting it is a security-sensitive session token.
samesite: The SameSite attribute controlling cross-site cookie behaviour.
top_frame_site_key: For partitioned cookies (Privacy Sandbox), indicates the top-level site context.

SameSite Values

Value	Name	Description
-1	Unspecified	No SameSite attribute set
0	None	Sent in all contexts (cross-site)
1	Lax	Sent on top-level navigations only
2	Strict	Never sent cross-site

Priority Values

Value	Name
0	Low
1	Medium
2	High

Source Scheme Values

Value	Name
0	Unset
1	Non-secure (HTTP)
2	Secure (HTTPS)

Timestamps

Field	Format	Notes
`creation_utc`	WebKit	When cookie was first created
`expires_utc`	WebKit	Expiration time (0 or absent for session cookies)
`last_access_utc`	WebKit	Most recent use of the cookie
`last_update_utc`	WebKit	Most recent modification (Chrome 110+)

Analysis Notes

On macOS, Chrome encrypts cookie values using the macOS Keychain. The key is stored under service name Chrome Safe Storage with account name Chrome. Decryption uses AES-128-CBC with PBKDF2 key derivation (1003 iterations, SHA1, IV of 16 space characters 0x20).
macfor collects encrypted values without decryption. The value_preview field reports the encrypted data size (e.g., [ENCRYPTED - 64 bytes]) or notes if the value is plaintext or empty.
Cookies with is_httponly = 1 and is_secure = 1 are typically authentication session tokens and are high-value forensic targets.
The host_key field, combined with creation_utc, provides a timeline of when the user first visited each domain.
Expired cookies (expires_utc in the past) may still be present in the database and indicate historical activity.
Third-party tracking cookies (domains like .doubleclick.net, .facebook.com appearing across many top_frame_site_key values) can reveal cross-site browsing patterns.

Version Differences

Version	Change
Chrome 80	Baseline schema
Chrome 80+	`top_frame_site_key` added for cookie partitioning
Chrome 94+	`source_scheme` and `source_port` columns added
Chrome 110+	`last_update_utc` column added
Chrome 114+	`has_cross_site_ancestor` column added

macfor dynamically detects available columns and uses defaults for missing ones.

Tool Support

Tool	Capability
macfor	Collects raw database plus journal, parses metadata without decrypting values
DB Browser for SQLite	Manual inspection of cookie metadata
ChromeCookiesView (NirSoft)	Windows tool for viewing Chrome cookies
Hindsight	Includes cookie metadata in Chrome analysis