The cookie examiner displays information relating to cookie entries and has been considerably enhanced. We also now have support for Google Analytics cookies where the component parts are extracted and displayed.
The window above shows a Google Analytics cookie for the Google domain. The fields under the “Original Value” show the various Google Analytic name/value pairs. Google Analytics cookies can contain a wealth of information which may be relevant to a forensic investigation.
Cookie values can also be examined and decoded. In the case above, the user has selected some data from the top pane (which represents the original cookie value) and has selected to decode the value as a Unix timestamp.
In the window above and below, the cookie value contains a version 1 Guid. This object has been broken down into its component parts by selecting the Guid type from the Decoding Functions tree.
The window above shows three cookie records from a Microsoft Internet Explorer cookie file.