LinuxCommandLibrary

galleta

There is no standard Linux command 'galleta'

SYNOPSIS

galleta [-h] [-H] [-v] [cookiefile ...]

PARAMETERS

-h, --help
    Display usage help and exit

-H, --html
    Generate HTML-formatted output

-v, --verbose
    Enable verbose logging

DESCRIPTION

Galleta is a specialized digital forensics utility for parsing and displaying cookies stored by Microsoft Internet Explorer on Windows systems. It decodes the proprietary binary format of IE cookie files, typically located at C:\Documents and Settings\<user>\Cookies\<name>.txt or similar paths.

Key extracted fields include: cookie name, value (URL-encoded), host/domain, path, expiration date/time, last access time, creation time, and secure/HTTP-only flags. Output is presented in a clean tabular format for easy analysis, aiding investigations into web activity, logins, tracking, and malware persistence.

Ideal for Linux forensics environments like Kali or SIFT, where Windows images are mounted via NTFS-3G. Supports batch processing of multiple files. Limitations: IE-specific; ignores modern browsers like Chrome (SQLite-based) or Firefox.
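
The field extraction described above, sketched as an added Python example (not galleta's source and not part of the original page). It assumes the line-oriented record layout commonly documented for IE cookie .txt files (name, value, host/path, flags, expiry low/high, creation low/high, then a `*` line); the function names and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(low, high):
    """Join the two 32-bit halves of a FILETIME and convert to UTC."""
    ticks = (int(high) << 32) | int(low)  # 100 ns units since 1601-01-01
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_ie_cookies(text):
    """Parse records of 8 value lines closed by a '*' line (assumed layout)."""
    records, malformed, chunk = [], 0, []
    for line in text.splitlines():
        if line.strip() != "*":
            chunk.append(line.strip())
            continue
        try:
            name, value, site, flags, exp_lo, exp_hi, cr_lo, cr_hi = chunk
            host, _, path = site.partition("/")
            records.append({
                "name": name,
                "value": unquote(value),
                "host": host,
                "path": "/" + path,
                "flags": int(flags),  # kept raw; bit meanings not decoded
                "expires": filetime(exp_lo, exp_hi),
                "created": filetime(cr_lo, cr_hi),
            })
        except (ValueError, OverflowError):
            malformed += 1  # wrong line count or non-numeric field
        chunk = []
    if chunk:
        malformed += 1  # file ended mid-record (truncated or damaged)
    return records, malformed

# Constructed sample: one complete record, then a truncated one.
SAMPLE = (
    "session_id\nabc%20123\nexample.test/app/\n1024\n"
    "3819388928\n29977507\n1081524224\n29903881\n*\n"
    "tracker\nxyz\nads.example.test/\n"
)

if __name__ == "__main__":
    cookies, bad = parse_ie_cookies(SAMPLE)
    for c in cookies:
        print(c["host"], c["path"], c["name"], c["value"], c["created"], c["expires"])
    print("malformed records:", bad)
```

Counting malformed records instead of aborting keeps the intact cookies from a damaged file available for the timeline.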

CAVEATS

Supports only legacy IE cookies (not Edge/Chromium). Files must be intact from NTFS; corrupted files may fail. No support for encrypted or modern browser formats.

TYPICAL USAGE

galleta Cookies/index.dat
Parses and lists all cookies in table format.

HTML EXAMPLE

galleta -H *.txt > cookies.html
Generates browser-viewable report.

HISTORY

Created by Brendan Dolan-Gavitt (~2008) for forensics research at Drexel University. Integrated into SANS SIFT toolkit; stable with minor updates for compatibility.

SEE ALSO

icat(1), fls(1), strings(1)
