
Digging into Google Analytics & HubSpot Cookies for Forensics

  • Jun 20

You know how Google knows what you were thinking before you even typed it? That’s not magic—it’s analytics. Google Analytics and marketing tools like HubSpot leave behind tracking cookies on devices, and guess what? These aren’t just marketing gold—they're digital breadcrumbs that we, as forensic investigators, can use to understand a user’s activity.

Let’s break this down like we’re sitting together at a DFIR roundtable.


So, What Are These Cookies and Why Do We Care?

Google Analytics sets a bunch of cookies that track a user’s interaction with a website. While this helps advertisers figure out where users are coming from and what they do on the site, it also helps us in incident response and digital forensics.


The main players in Google’s tracking cookie lineup are:

  • __utma

  • __utmb

  • __utmz


(And a few others like __utmc, __utmt... but let’s keep our eye on the forensic prize.)


These cookies are part of what used to be called the Urchin Tracking Module (UTM)—a tech acquired by Google back in 2005.

Dissecting the __utma Cookie

This one’s a long-liver—with a 2-year expiration date—and super valuable for us. It tells a detailed story about the user's visits to a site.

Here’s the format:

__utma=<domain hash>.<unique user ID>.<first visit timestamp>.<previous visit timestamp>.<current visit timestamp>.<number of visits>

Example:

__utma = 57409013.9999999999.1600000000.1700000000.1710000000.10

Translation:

  • 57409013: Domain hash (stays the same for cookies set by the same domain)

  • 9999999999: Unique user ID (a random long number)

  • 1600000000: First visit (timestamp for ~2020)

  • 1700000000: Previous visit (timestamp for ~2023)

  • 1710000000: Current visit (timestamp for ~2024)

  • 10: Number of visits (this user has visited 10 times)



Why this matters:

This gives us a timeline for a user across visits and helps identify repeat behavior. Just keep in mind—different browsers, private mode, or cookie clearing reset this data. So multiple values can exist for the same human.



Meet __utmb: The Session Timer

This one’s short-lived—just 30 minutes! It’s all about tracking sessions.

__utmb=<domain hash>.<page views>.<outbound link countdown>.<timestamp>

Example:

__utmb = 57409013.1.10.1720000000

If a user clicks a phishing link, for example, and it triggers some malicious activity, this cookie might help us zero in on when that session started.


Meet __utmz: The User’s Path

Think of this one as the referral detective. It lasts 6 months and shows how the user landed on the site.

__utmz=<domain hash>.<timestamp>.<visit counter>.<source counter>.<source/campaign/medium/search term>

Example:

__utmz=57409013.1349969023.3.2.utmcsr=rss1.0mainlinkanon|utmccn=...
or
__utmz=57409013.1746076800.4.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=buy%20headphones|utmcct=/

This can tell us if they came from

  • 57409013 = same domain hash

  • 1746076800 = timestamp for May 1, 2025

  • 4 = this is the user's 4th visit

  • 3 = their 3rd different traffic source

  • utmcsr=google = source: Google

  • utmccn=(organic) = campaign: organic search

  • utmcmd=organic = medium: organic (vs. referral or direct)

  • utmctr=buy headphones = search keyword

  • utmcct=/ = landed on homepage


Why it’s useful:

If you’re investigating malware that was delivered via a malvertising campaign or a specific site, this helps reconstruct the user's path.


------------------------------------------------------------------------------------------------------------


Beyond Google: HubSpot Cookies Are Forensic Gold Too

Alright, so not every site uses Google Analytics. Some go with tools like HubSpot, especially in marketing-heavy environments.


The key HubSpot cookies:

  • __hstc

  • hubspotutk

  • hsfirstvisit


Meet __hstc: HubSpot's Main Tracker

This one sticks around for 2 years and tracks repeat visits:

__hstc=<domain hash>.<visitor ID>.<first visit>.<previous visit>.<current visit>.<visit count>

Example:

__hstc=104275039.abc1234567890abcdef9876543210abcd.1704067200000.1743465600000.1748649600000.5

You’ve got:

| Part | Value | Meaning |
|---|---|---|
| Domain Hash | 104275039 | A numeric identifier for your domain, hashed internally by HubSpot. |
| Visitor ID | abc1234567890abcdef9876543210abcd | A unique ID for the visitor. Looks like an MD5 hash. This is used to identify return visits from the same browser/device. |
| First Visit Timestamp | 1704067200000 | This is in Unix milliseconds → corresponds to Jan 1, 2024. Marks the first time this user visited the site. |
| Previous Visit Timestamp | 1743465600000 | This corresponds to April 1, 2025. Marks the second-most-recent visit. |
| Current Visit Timestamp | 1748649600000 | This corresponds to May 31, 2025. Marks the current visit. |
| Visit Count | 5 | This is the 5th time the visitor has come to the site. |

 Forensics win:

These values give us insight into visit behavior across time, just like Google Analytics, but from a different provider—which might not be blocked or deleted as often.
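To put the __utma, __utmb, __utmz and __hstc layouts above to work, here is an added example (not code from the original post) that parses each cookie and merges the timestamps into one UTC timeline. The function names are hypothetical, and it assumes 13-digit timestamps are milliseconds and shorter ones are seconds.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

def to_utc(raw):
    """Epoch seconds (Google) or milliseconds (HubSpot) -> ISO-8601 UTC string."""
    n = int(raw)
    if n >= 10**11:              # 13-digit values are milliseconds: drop 3 digits
        n //= 1000
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_cookie(name, value):
    """Return a list of (utc_timestamp, description) events for one cookie."""
    if name in ("__utma", "__hstc"):
        # <domain hash>.<visitor ID>.<first>.<previous>.<current>.<visit count>
        dom, vid, first, prev, cur, count = value.split(".")
        who = f"{name} domain={dom} visitor={vid}"
        return [(to_utc(first), f"{who} first visit"),
                (to_utc(prev), f"{who} previous visit"),
                (to_utc(cur), f"{who} current visit, visit count {count}")]
    if name == "__utmb":
        # <domain hash>.<page views>.<outbound link countdown>.<timestamp>
        dom, views, _countdown, ts = value.split(".")
        return [(to_utc(ts), f"__utmb domain={dom} session, page views {views}")]
    if name == "__utmz":
        # Split on the first 4 dots only: the source string can contain dots.
        dom, ts, visits, sources, campaign = value.split(".", 4)
        pairs = (kv.split("=", 1) for kv in campaign.split("|") if "=" in kv)
        c = {k: unquote(v) for k, v in pairs}   # decode %20 and similar
        return [(to_utc(ts), f"__utmz domain={dom} visit {visits} source #{sources} "
                 f"src={c.get('utmcsr')} medium={c.get('utmcmd')} term={c.get('utmctr')}")]
    raise ValueError(f"unsupported cookie name: {name}")

def build_timeline(cookies):
    """Merge (name, value) pairs into one chronologically sorted event list."""
    return sorted(ev for name, value in cookies for ev in parse_cookie(name, value))

# The example cookie values shown on this page.
SAMPLE = [
    ("__utma", "57409013.9999999999.1600000000.1700000000.1710000000.10"),
    ("__utmb", "57409013.1.10.1720000000"),
    ("__utmz", "57409013.1746076800.4.3.utmcsr=google|utmccn=(organic)"
               "|utmcmd=organic|utmctr=buy%20headphones|utmcct=/"),
    ("__hstc", "104275039.abc1234567890abcdef9876543210abcd"
               ".1704067200000.1743465600000.1748649600000.5"),
]

if __name__ == "__main__":
    for ts, what in build_timeline(SAMPLE):
        print(ts, what)
```

Feed it (name, value) pairs pulled from the browser's cookie store and line the output up against browser history and proxy logs.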



hubspotutk: The Long-Lived Fingerprinter

This one is wild—it’s valid for 10 years.

Even though its internal structure isn’t documented, this unique value can help us correlate activities across visits and sessions.


If we find the same hubspotutk in different cookies across different websites, we may be able to link activity to the same user device.


hsfirstvisit: First Contact

Also has a 10-year expiration. It shows:

  • How the user got to the site on their first visit

  • A long UNIX-style timestamp (just chop off the last 3 digits to convert)

Example:

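$ date -u -d @1672574400    # 1672574400000 with the last 3 digits removed: Jan 1, 2023 12:00:00 UTC
$ date -u -d "2023-01-01 12:00:00" +%s    # reverse check, prints 1672574400

This might tie the user’s first visit to a job posting or email link—even if the page is no longer online.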

------------------------------------------------------------------------------------------------------------


Why This Matters in Investigations

These tracking cookies can:

  • Help build timelines of activity

  • Correlate a device/user across domains

  • Identify the entry point in phishing or exploit delivery

  • Highlight repeat behavior or anomalous browsing


But remember:

  • They’re browser- and session-specific

  • Private mode or cookie clearing wipes them

  • Different browsers = different cookie stores


So always combine with browser history, cache, web artifacts, and tools like:
  • Plaso/log2timeline

  • Browser History Capturer

  • KAPE with browser modules



------------------------------------------------------------------------------------------------------------

Wrapping Up

Tracking cookies like __utma, __utmz, and __hstc are often overlooked in forensic investigations. But when interpreted correctly, they provide valuable context that complements log files and system artifacts.

So next time you're staring at a blob of cookie data, take a closer look—it might just lead you to a breakthrough in your case.

-----------------------------------------Dean-----------------------------------------------


 
 
 
