How We Parse Safari's Binary Cookie Format
A technical deep-dive into Safari's proprietary binarycookies format and how macfor extracts forensic evidence from it.
Safari stores cookies in a proprietary binary format that differs significantly from the SQLite databases used by other browsers. Understanding this format is essential for forensic analysis.
The Binary Cookie File Structure
Safari's Cookies.binarycookies file uses a custom binary format with the following structure:
- Magic bytes: cook (4 bytes)
- Number of pages: Big-endian uint32
- Page sizes: Array of big-endian uint32
- Pages: Variable-length cookie data
Each page contains multiple cookies with their metadata.
Parsing Strategy
Our parser handles several edge cases that aren't immediately obvious from examining the file format:
Endianness Switching
The file header uses big-endian byte order, but individual cookie records switch to little-endian. This caught us off guard initially.
```go
// Header is big-endian
numPages := binary.BigEndian.Uint32(data[4:8])

// Cookie records are little-endian. The 8-byte expiry field holds a float64
// (seconds since 2001-01-01 UTC), so the raw bits are converted with
// math.Float64frombits before use.
expiry := binary.LittleEndian.Uint64(record[offset:])
```
Cookie Flags
Safari encodes cookie attributes in a flags field:
| Bit | Attribute |
|-----|-----------|
| 0 | Secure |
| 2 | HttpOnly |
| 3 | Unknown (always set) |
Forensic Implications
The binary format preserves several forensically valuable fields:
- Creation time: When the cookie was first set
- Expiration time: When the cookie expires
- Domain scope: Which domains can access the cookie
- Path restrictions: URL paths the cookie applies to
Implementation in macfor
Our implementation handles corrupted files gracefully, extracting as many valid cookies as possible before the corruption point.
Conclusion
Binary formats require careful attention to byte order and structure alignment. The macfor Safari plugin handles these complexities automatically, providing clean JSON output for analysis.
For more details, see the Safari artifact documentation.