Zone Identifier == kMDItemWhereFroms?

A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.

Finally decided to do a little bit more digging!

For background on Zone Identifiers, you can see the paper by Paul Sanderson here.

For my test, I took my currently installed versions of Chrome (67.0.3396.87), Firefox (60.0.2), IE (11.112.17134.0), and Edge (42.17134.1.0) and then saved the Google doodle off the Google homepage.

Using ‘dir /r’ you can see all the Alternate Data Streams for the files.

ads1

 

I have no idea why IE didn’t create an ADS for the file that I saved. I expected them all too.

Now, let’s take a look at the ADS; I used Notepad (turns out the type command didn’t work).

For example: notepad firefox.png:Zone.Identifier.

firefox_ads

Firefox shows us what we usually get. Nothing unusual here. ZoneId=3 is expected.

What about Edge?

edge_ads

That’s a bit different. Same ZoneID as expected, but also tells us which browser was used. This can be very useful in identifying where to look next.

(Side note: I also tested this with inPrivate browsing and got the same artefact. Also may help identify why you’re not finding browser history).

But Chrome is where things get way more interesting

chrome_ads

Here we can see where I downloaded the file from, and where it was stored online. It also may be helpful in identifying the browser history to look for.

You also get one from Gmail, but the data is a bit harder to identify. It’s entirely possible that the users Google ID is encoded in there somewhere. That could be really helpful.

Super useful, and very similar to the kMDItemWhereFroms extended attribute found on HFS+/APFS.

If anyone else wants to do some testing with their browsers then maybe we can build out the use cases where this occurs – in the quick test I did I only see it in Chrome. When did this begin!?

Maybe an idea for one of the new daily bloggers?

7 comments

  1. Interestingly, when downloading the streams.zip file using Edge, it included HostIpAddress. See below:

    [ZoneTransfer]
    HostIpAddress=117.18.232.200
    ZoneId=3
    ReferrerUrl=https://docs.microsoft.com/en-us/sysinternals/downloads/streams
    HostUrl=https://download.sysinternals.com/files/Streams.zip

    Like

      1. As I suggested to Jaco below, save the file to a non-default download location. I have duplicated this behaviour on Windows 10 Home, Pro and Enterprise. The versions of Home and Pro are 10.0.17134 Build 17134 and for Enterprise it is 10.0.16299 Build 16299.

        The LastWriterPackageFamilyName relates to the last Store App to write the file as well as a hint provided by the app as to what the trust level should be (see https://technet.microsoft.com/en-us/windows/mt243886(v=vs.60). This latter field is AppDefinedZoneID.

        Like

  2. FYI HostIpAddress, HostUrl, and ReferrerUrl are frequently seen in files accessed
    through SharePoint. That’s been happening for quite some time, though I don’t remember when I first saw it.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s