Google Analytics Cookies hold crucial digital forensic evidence

Research analysts at CCL-Forensics have forensically recovered vital internet history data from ‘cookies’ stored within a smartphone, which would not have been retrieved and interpreted using ‘standard’ forensic tools…In particular, cookies placed by the Google Analytics service yielded crucial evidence.

Using a number of internally-developed tools, the research and development team retrieved valuable data from more than 1000 cookies. The data contains information about the domain which placed the cookies, and the ‘value’ of the cookie itself. This ‘value,’ for cookies placed by Google Analytics, can yield timestamps, number of visits and crucially, referral information.

This means that the analyst can see details not only about the site which had been visited, but how the user got there. Where the user arrived at the site via a search engine, this can also include the search terms which led them to that page; this data may not exist anywhere else on the phone. With this evidence parsed, CCL-Forensics was able to produce a timeline for the law enforcement agency in question, demonstrating with much greater clarity the suspect’s internet usage – and crucially, the evidence of intent showing how the page was arrived at.

For more information about this technique please vist www.ccl-forensics.com, or contact Andy Holmes at: aholmes@ccl-forensics.com.

Leave a Comment