# Firefox Cookies

## Overview

**Evidence:** Firefox Cookies\
**Description:** Collect Firefox Cookies\
**Category:** Applications\
**Platform:** windows\
**Short Name:** fcookies\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Firefox cookies store session data, authentication tokens, user preferences, and tracking information. Cookies can persist across sessions and contain sensitive data including login credentials, API tokens, and user identifiers. Understanding cookie data is essential for investigating account compromises, tracking malicious domains, and identifying data exfiltration paths.

## Data Collected

This collector gathers structured data about firefox cookies.

### Firefox Cookies Data

| Field              | Description        | Example                   |
| ------------------ | ------------------ | ------------------------- |
| `UserName`         | User Name          | Example value             |
| `ProfileName`      | Profile Name       | Example value             |
| `OriginAttributes` | Origin Attributes  | Example value             |
| `Name`             | Name               | Example value             |
| `Value`            | Value              | Example value             |
| `Host`             | Host               | Example value             |
| `Path`             | Path               | Example value             |
| `IsSecure`         | Is Secure          | true                      |
| `IsHTTPOnly`       | Is HTTP Only       | true                      |
| `InBrowserElement` | In Browser Element | 123                       |
| `SameSite`         | Same Site          | 123                       |
| `RawSameSite`      | Raw Same Site      | 123                       |
| `SchemeMap`        | Scheme Map         | 123                       |
| `Expiry`           | Expiry             | 2023-10-15 14:30:25+03:00 |
| `LastAccessTime`   | Last Access Time   | 2023-10-15 14:30:25+03:00 |
| `CreationTime`     | Creation Time      | 2023-10-15 14:30:25+03:00 |

## Collection Method

This collector queries the Firefox cookies.sqlite database to extract cookie information including names, values, domains, paths, expiration times, security flags, and SameSite attributes for all user profiles.

## Forensic Value

Cookie data reveals visited websites, active sessions, authentication states, and tracking mechanisms. Malicious cookies may indicate session hijacking, credential theft, cross-site scripting attacks, or connections to command-and-control infrastructure. This evidence helps establish user activity timelines, identify compromised accounts, and track attacker access to web services.