ADS Zone.Identifier

Description: Whenever files are downloaded from the “Internet Zone” via a browser to an NTFS volume, an alternate data stream named “Zone.Identifier” is added to the file.

Notes: Files with an ADS Zone.Identifier that contains ZoneID=3 were downloaded from the Internet:

  • URLZONE_TRUSTED = ZoneID = 2
  • URLZONE_INTERNET = ZoneID = 3
  • URLZONE_UNTRUSTED = ZoneID = 4

Analysis: Overall, the use of alternate data streams has been declining, but one of the more common ones is the Zone.Identifier. Have you ever wondered how some applications are able to warn you that a file was downloaded from the Internet? They do it by reading the Zone.Identifier alternate data stream to confirm that the file was downloaded from the Internet.

A simple way to identify alternate data streams on your own workstation is to open cmd.exe and run dir /r from a directory where you downloaded a file from the Internet. The /r switch lists files with alternate data streams, and then we can use notepad.exe to view them.
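An added example (not from the original page) that automates the check the notes describe: it parses the [ZoneTransfer] INI text a browser writes into the Zone.Identifier stream and maps ZoneId to the URLZONE names listed above, extending the table with zones 0 and 1 (URLZONE_LOCAL_MACHINE and URLZONE_INTRANET). The sample stream contents and URLs are constructed, and read_zone_identifier is a hypothetical helper that opens the stream through its `file:Zone.Identifier` path on an NTFS volume.

```python
import configparser
from typing import Optional

# URLZONE values of the Windows URL security zone API. The page lists 2-4;
# 0 and 1 are the remaining zones and are added here for completeness.
URLZONE_NAMES = {
    0: "URLZONE_LOCAL_MACHINE",
    1: "URLZONE_INTRANET",
    2: "URLZONE_TRUSTED",
    3: "URLZONE_INTERNET",
    4: "URLZONE_UNTRUSTED",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns the numeric ZoneId, its URLZONE name, the HostUrl/ReferrerUrl
    fields (empty when absent) and 'from_internet', True only for ZoneId=3.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl) as written
    cp.read_string(stream_text.replace("\r\n", "\n"))
    section = cp["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": URLZONE_NAMES.get(zone_id, "UNKNOWN"),
        "host_url": section.get("HostUrl", ""),
        "referrer_url": section.get("ReferrerUrl", ""),
        "from_internet": zone_id == 3,
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Hypothetical helper: read and parse <path>:Zone.Identifier on NTFS.

    Returns None when the file has no such stream or the filesystem does
    not expose alternate data streams (e.g. when run on Linux).
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, KeyError, ValueError, configparser.Error):
        return None


# Constructed samples: a typical browser download and a trusted-zone file.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://example.test/downloads/\r\n"
                   "HostUrl=https://example.test/files/tool.exe\r\n")
SAMPLE_TRUSTED = "[ZoneTransfer]\r\nZoneId=2\r\n"

if __name__ == "__main__":
    for label, text in (("internet", SAMPLE_INTERNET), ("trusted", SAMPLE_TRUSTED)):
        print(label, parse_zone_identifier(text))
```

On a live Windows workstation the same parser can be pointed at real files with read_zone_identifier, and the HostUrl field gives the download origin that dir /r alone does not show.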

We can also use FTK Imager, from AccessData, to review alternate data streams. This use case is much more likely in a real-world scenario when you're performing forensics. With a hard disk loaded into FTK Imager, select the file you would like to analyze. If the file contains any alternate data streams, FTK Imager will list them within the File List.