Additional Cookie Analysis with Galleta

Post  joetekno on Thu Apr 23, 2009 2:34 am

"Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program." Foundstone, Inc.


1. Download galleta, at the time of this writing it was found here:

2. Save the file to your desktop

3. Double-click the galleta_20040505_1.tar.gz file to open it and drag the contents to the desktop

4. Open a terminal window

5. Become the root user (i.e. sudo su)

6. Maneuver to your CAINE user's desktop. (i.e. cd /home/<username>/Desktop)

7. Maneuver into the galleta src directory. (i.e. cd galleta_20040505_1/src)

8. Make the galleta source (i.e. "[root@linux /src]# make install")

NOTE: You may receive some warning messages. Ignore them...

9. Maneuver into the galleta bin directory. (i.e. cd ../bin)

10. Copy the galleta binary to the /sbin directory. (i.e. cp galleta /sbin/galleta)


If you have created an image file of the suspect hard drive you'll need to mount it to obtain the cookie files. (see Using CAINE and MMLS to mount an image of an NTFS drive). Either copy the contents or create a symbolic link to the Cookies directory. Type the command as follows:

galleta cookiefilename > cookie.txt

You could script analyzing multiple files like this... (NOT TESTED YET!):

# Run this script in the directory where the cookie files are located

for f in *; do
    # Skip directories and the output file itself
    [ -f "$f" ] || continue
    [ "$f" != "cookies.txt" ] || continue
    # Quote the name: cookie file names can contain brackets and spaces
    galleta "$f" >> cookies.txt
done

less cookies.txt
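
A variant of the batch run above that keeps evidence provenance: it hashes each cookie file before parsing and writes one report per file instead of one merged cookies.txt. This is an added example, not part of the original post or of galleta itself. The function name parse_cookies, the GALLETA variable, the output layout, and the assumption that cookie files end in .txt are choices made for this example.

```bash
#!/bin/bash
# Added example (not from the original post).
# Assumptions: GALLETA names the parser (default: galleta on PATH);
# cookie files end in .txt; parse_cookies and the output layout are
# hypothetical names chosen for this example.

# parse_cookies SRC_DIR OUT_DIR
#   Hashes every cookie file, then writes one galleta report per file.
#   Returns 0 if every file parsed, 1 if any failed (see OUT_DIR/errors.log).
parse_cookies() {
    pc_src=$1
    pc_out=$2
    pc_failed=0
    mkdir -p "$pc_out" || return 1
    : > "$pc_out/manifest.sha256"

    # IE cookie names look like user@site[1].txt: '[', ']' and spaces are
    # shell metacharacters, so every expansion below stays double-quoted.
    for pc_file in "$pc_src"/*.txt; do
        [ -f "$pc_file" ] || continue   # empty directory or non-regular file
        pc_name=$(basename "$pc_file")

        # Hash before parsing so each report maps to an exact evidence file.
        sha256sum "$pc_file" >> "$pc_out/manifest.sha256"

        if ! "${GALLETA:-galleta}" "$pc_file" \
                > "$pc_out/$pc_name.out" 2>> "$pc_out/errors.log"; then
            echo "FAILED: $pc_file" >> "$pc_out/errors.log"
            pc_failed=$((pc_failed + 1))
        fi
    done
    [ "$pc_failed" -eq 0 ]
}

# Stand-alone use: pass <cookies directory> <output directory>.
if [ "$#" -eq 2 ]; then
    parse_cookies "$1" "$2"
fi
```

Writing the reports to a directory outside the mounted image keeps the evidence tree unmodified, and manifest.sha256 can be re-checked later with sha256sum -c.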
