HTTP Cookies – Part 1 – Internet Explorer and Microsoft Edge

Posted on April 23, 2016 by HatsOffSecurity

Finding Internet Explorer/Edge Cookies (Windows 7-10… possibly Vista, but who uses Vista?!)

Microsoft introduced a cool new way of finding your cookies. From the Run prompt or any Explorer window type “shell:cookies” and you will be taken to the Cookies location. Like a Windows Hearthstone 🙂

Location of Cookies

Just in case you want to do it the old fashioned way…

Windows 10
%LocalAppData%\Microsoft\Windows\INetCookies

Windows 8.1
%LocalAppData%\Microsoft\Windows\INetCookies

Windows 8
%AppData%\Microsoft\Windows\Cookies

Windows 7
%AppData%\Microsoft\Windows\Cookies

As you can see there was a shift from Windows 8 to 8.1. the “Roaming” folder was designed around “Roaming Profiles”, these are used in some domain environments and allow users to have things like Desktop icons and favourites when they move to a new machine.

I would suspect one of the reasons for moving them to “Local” would be because of all of the tracking cookies and other nasties that can reside there. You are basically offering free lateral movement to an attacker if they managed to get some clever attack based around cookies.

Speaking of which….

“Low” Folders

The “Low” folder was introduced in Vista to allow for browsers to run and contain certain artefacts in a segregated place.

Removing Cookies

Like most HTTP cookies these can be removed easily via the browser.

Edge

  • Click on the ” . . . ” button in the top right of the screen.
  • Click on Settings – Or press Ctrl + Shift + Del to jump to this step
  • Under the heading “Clear browsing data” press the button “Choose what to clear”
  • Ensure “Cookies and saved website data” is selected
  • Press “Clear”

Internet Explorer

  • Press Alt to bring up the menu options and go to “Tools”. Or go to “Tools” from the tool bar.
  • Go to “Internet Options”
  • Under the “General” tab, under the “Browsing History” sub-section, click “Delete” to bring up the options page – Or press press Ctrl + Shift + Del to jump to this step
  • Select the appropriate tick boxes.

Windows 7’s Internet Explorer has a lot more inverted options. For example you can keep a box ticked to keep some cookies whilst ticking another box on the same page to remove other cookies. By default removal of the “Do Not Track” cookies is ticked.

Things got a lot simpler by Windows 10.

This entry was posted in Browser Forensics, Cookies, Internet Explorer, Microsoft Edge and tagged , , , , , , , , , , . Bookmark the permalink.

Leave a comment