Forensicsforensicsinternet-explorercookiesmsie

galleta

Galleta is a forensics tool for analyzing Microsoft Internet Explorer cookie files. It parses the cookie content and outputs it in a field-separated format suitable for spreadsheets.

Description

Galleta is designed specifically for forensic examination of cookie files generated by Microsoft Internet Explorer (MSIE). It processes these files to extract structured data, making it useful for digital investigations where browser activity evidence is needed.

Use cases include incident response, malware analysis involving browser artifacts, and general forensic triage of Windows systems with IE usage. The output format allows easy import into tools like spreadsheets for further review and reporting.

The tool is lightweight, with an installed size of 31 KB, and depends only on libc6, ensuring minimal overhead in forensic toolkits like Kali Linux.

How It Works

Galleta reads MSIE cookie files, parses their proprietary format, and extracts fields such as cookie name, value, domain, path, expiration, and other attributes. It outputs the parsed data using a user-specified field delimiter (TAB by default), enabling structured analysis. The tool handles file opening and validation, reporting errors if the cookie file cannot be accessed.

Installation

bash

sudo apt install galleta

Flags

-dField Delimiter (TAB by default)

-hShows usage help (results in error if no file provided)

Examples

Reads file.txt and outputs the content using ; as Field Delimiter.

galleta -d";" file.txt

Parses the cookie file with default TAB delimiter.

galleta file.txt

Uses comma as field delimiter for CSV-like output.

galleta -d, file.txt

Parses cookies.txt using pipe as field delimiter.

galleta -d '|' cookies.txt

Displays help and usage information.

galleta -h

Uses space as field delimiter for output.

galleta -d ' ' file.txt

Updated 2026-04-16kali.org ↗