Additional Cookie Analysis with Galleta

Post  joetekno on Thu Apr 23, 2009 2:34 am

"Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program." Foundstone, Inc.

INSTALLATION

1. Download galleta; at the time of this writing it was found here: http://sourceforge.net/project/downloading.php?group_id=78332&filename=galleta_20040505_1.tar.gz

2. Save the file to your desktop

3. Double Click the galleta_20040505_1.tar.gz file to open it and drag the contents to the desktop

4. Open a terminal window

5. Become the root user (i.e. sudo su)

6. Maneuver to your CAINE user's desktop (i.e. cd /home/<username>/Desktop)

7. Maneuver into the galleta src directory (i.e. cd galleta_20040505_1/src)

8. Make the galleta source (i.e. "[root@linux /src]# make install")

NOTE: You may receive some warning messages. Ignore them...

9. Maneuver into the galleta bin directory (i.e. cd ../bin)

10. Copy the galleta binary to the /sbin directory (i.e. cp galleta /sbin/galleta)


USAGE

If you have created an image file of the suspect hard drive you'll need to mount it to obtain the cookie files. (see Using CAINE and MMLS to mount an image of an NTFS drive). Either copy the contents or create a symbolic link to the Cookies directory. Type the command as follows:

galleta cookiefilename > cookie.txt

You could script analyzing multiple files like this... (NOT TESTED YET!):

#---BEGIN SCRIPT---
# Run this script in the directory where the cookie files are located

# Start with an empty output file so reruns do not append to old results
: > cookies.txt

for f in *; do
    # Skip directories and the output file itself
    [ -f "$f" ] || continue
    [ "$f" = "cookies.txt" ] && continue
    # Quote the name: cookie file names can contain spaces and characters such as [ and ]
    galleta "$f" >> cookies.txt
done

less cookies.txt
#---END SCRIPT---

joetekno

Number of posts : 50
Location : Wisconsin, United States
Registration date : 2009-02-19

View user profile http://network.nwtc.edu
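To show what a cookie parser such as galleta has to read, here is an added example (not part of the original post and not galleta's own code) that parses Internet Explorer cookie text records and emits tab-delimited rows. It assumes the commonly documented nine-line record layout (name, value, site/path, flags, expiry low/high, creation low/high, then a "*" terminator) with times stored as Windows FILETIME halves; the sample data and the column order are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_LINES = 9  # assumed layout: 8 data lines, then a "*" terminator

# Constructed sample: one complete record followed by a truncated one.
SAMPLE = (
    "SESSIONID\nabc123\nexample.test/shop/\n1536\n"
    "3937533952\n30073463\n1911242752\n30000038\n*\n"
    "PREF\nlang=en\nexample.test/\n"
)

def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_cookie_text(text):
    """Return (records, problems); damaged records are reported, not guessed."""
    lines = text.splitlines()
    while lines and not lines[-1].strip():
        lines.pop()  # ignore trailing blank lines
    records, problems = [], []
    for start in range(0, len(lines), RECORD_LINES):
        chunk = lines[start:start + RECORD_LINES]
        if len(chunk) < RECORD_LINES or chunk[8] != "*":
            problems.append(f"line {start + 1}: incomplete record, stopped")
            break
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi, _ = chunk
        try:
            records.append({
                "site": site, "name": name, "value": value,
                "created": filetime_to_utc(cre_lo, cre_hi),
                "expires": filetime_to_utc(exp_lo, exp_hi),
                "flags": int(flags),
            })
        except (ValueError, OverflowError) as exc:
            problems.append(f"line {start + 1}: bad numeric field ({exc})")
    return records, problems

def to_tsv(records):
    """Tab-delimited rows for a spreadsheet; column order is illustrative."""
    cols = ("site", "name", "value", "created", "expires", "flags")
    rows = ["\t".join(cols)]
    for r in records:
        rows.append("\t".join(
            r[c].isoformat() if isinstance(r[c], datetime) else str(r[c])
            for c in cols))
    return "\n".join(rows)
```

Calling parse_cookie_text(SAMPLE) returns the one complete record with UTC timestamps and a problem entry for the truncated second record, so a damaged cookie file is flagged rather than silently misread.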
