The cookie examiner displays information relating to cookie entries and has been considerably enhanced. We also now support Google Analytics cookies, extracting and displaying their component parts.
The window above shows a Google Analytics cookie. The fields under “Original Value” show the various Google Analytics name/value pairs. Google Analytics cookies can contain a wealth of information which may be relevant to a forensic investigation.
Cookie values can also be examined and decoded. In the case above, the user has selected some data from the top pane (which represents the original cookie value) and has chosen to decode the value as a Unix timestamp.
In the windows above and below, the cookie value contains a version 1 GUID. This object has been broken down into its component parts by selecting the Guid type from the Decoding Functions tree.
The window above shows another example of a version 1 GUID.
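To show what the component parts of a version 1 GUID are, the following added example (not code from the cookie examiner itself) finds GUIDs inside a cookie value and splits each version 1 GUID into its timestamp, clock sequence and node. The cookie value, its parameter names and both GUIDs are constructed sample data, and the function names are illustrative.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 GUID timestamps count 100 ns ticks from the Gregorian epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# Constructed sample cookie value: one version 1 GUID, one version 4 GUID.
SAMPLE_COOKIE_VALUE = (
    "id=123c2000-6396-11e1-aa5f-00005e005301"
    "&sid=9b2f6c1e-3d4a-4c7b-8e21-5f0a7d9c4b11"
)


def decode_v1_guid(text):
    """Return the component parts of a version 1 GUID, or None otherwise."""
    g = uuid.UUID(text)
    if g.variant != uuid.RFC_4122 or g.version != 1:
        return None  # only version 1 is decoded here
    node = g.node.to_bytes(6, "big")
    return {
        "guid": str(g),
        "timestamp_utc": GREGORIAN_EPOCH + timedelta(microseconds=g.time // 10),
        "clock_sequence": g.clock_seq,
        "node": ":".join(f"{b:02x}" for b in node),
        # Multicast bit set: node was randomly generated, not a hardware address.
        "node_is_random": bool(node[0] & 0x01),
    }


def guids_in_cookie_value(value):
    """Decode every version 1 GUID found inside a cookie value."""
    decoded = (decode_v1_guid(m.group(0)) for m in GUID_RE.finditer(value))
    return [d for d in decoded if d is not None]


if __name__ == "__main__":
    for parts in guids_in_cookie_value(SAMPLE_COOKIE_VALUE):
        for name, field in parts.items():
            print(f"{name:15} {field}")
```

The node field is only meaningful as a network adapter address when node_is_random is false, so check that flag before attributing a GUID to a particular machine.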
The window above shows three Google Analytics cookie records from a Microsoft Internet Explorer cookie file.