A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.
Finally decided to do a little bit more digging!
For background on Zone Identifiers, you can see the paper by Paul Sanderson here.
For my test, I took my currently installed versions of Chrome (67.0.3396.87), Firefox (60.0.2), IE (11.112.17134.0), and Edge (42.17134.1.0) and then saved the Google doodle off the Google homepage.
Using ‘dir /r’ you can see all the Alternate Data Streams for the files.
I have no idea why IE didn’t create an ADS for the file that I saved. I expected them all to.
Now, let’s take a look at the ADS; I used Notepad (turns out the type command didn’t work).
For example: notepad firefox.png:Zone.Identifier.
Firefox shows us what we usually get. Nothing unusual here. ZoneId=3 is expected.
What about Edge?
That’s a bit different. Same ZoneID as expected, but it also tells us which browser was used. This can be very useful in identifying where to look next.
(Side note: I also tested this with inPrivate browsing and got the same artefact. Also may help identify why you’re not finding browser history).
But Chrome is where things get way more interesting.
Here we can see where I downloaded the file from, and where it was stored online. It also may be helpful in identifying the browser history to look for.
You also get one from Gmail, but the data is a bit harder to identify. It’s entirely possible that the user’s Google ID is encoded in there somewhere. That could be really helpful.
Super useful, and very similar to the kMDItemWhereFroms extended attribute found on HFS+/APFS.
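To make the stream contents above easier to triage in bulk, here is a small Python parser, added as an example and not part of the original post. The Zone.Identifier stream is an INI-style [ZoneTransfer] section, so the parser pulls out ZoneId and any of the provenance keys seen on this page (HostUrl and ReferrerUrl from Chrome, LastWriterPackageFamilyName from Edge, and the HostIpAddress field the comments mention), and maps ZoneId to the usual security-zone names. The sample stream contents and the doodle URL are constructed for the demonstration, and the Edge package family name is a sample value; the read_zone_identifier helper assumes a Windows host with the file on NTFS, where appending :Zone.Identifier to a path opens the stream through the normal file API.

```python
"""Parse Windows Zone.Identifier alternate data streams (Mark-of-the-Web).

Added example, not from the original post. The stream is INI-formatted:
a [ZoneTransfer] section with ZoneId and, depending on the writing
application, HostUrl / ReferrerUrl (Chrome), LastWriterPackageFamilyName
(Edge) or HostIpAddress (reported with SharePoint). The sample stream
contents below are constructed for the demonstration.
"""
import configparser
from dataclasses import dataclass, field
from typing import Dict, Optional

# URLZONE values used by the Internet Explorer / WinINet security zones.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Keys that say where the file came from or which app wrote it.
PROVENANCE_KEYS = ("HostUrl", "ReferrerUrl", "HostIpAddress",
                   "LastWriterPackageFamilyName", "AppDefinedZoneId")

# Constructed sample streams mirroring the browsers tested in the post.
SAMPLE_STREAMS = {
    "firefox.png": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "edge.png": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 # sample package family name for the Edge Store app
                 "LastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe\r\n"),
    "chrome.png": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://www.google.com/\r\n"
                   # constructed URL standing in for the doodle's real location
                   "HostUrl=https://www.google.com/logos/example-doodle.png\r\n"),
}


@dataclass
class ZoneTransfer:
    zone_id: Optional[int]
    zone_name: str
    fields: Dict[str, str] = field(default_factory=dict)

    def has_provenance(self) -> bool:
        """True when the stream carries more than the bare ZoneId."""
        return any(k in self.fields for k in PROVENANCE_KEYS)


def parse_zone_identifier(text: str) -> ZoneTransfer:
    """Parse the text of a Zone.Identifier stream into a ZoneTransfer."""
    # Only '=' separates key and value; URLs in the values contain ':'.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case: HostUrl, not hosturl
    parser.read_string(text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in stream")
    section = dict(parser.items("ZoneTransfer"))
    raw = section.pop("ZoneId", None)
    zone_id = int(raw) if raw is not None and raw.strip().isdigit() else None
    zone_name = ZONE_NAMES.get(zone_id, f"Unknown ({raw})")
    return ZoneTransfer(zone_id=zone_id, zone_name=zone_name, fields=section)


def read_zone_identifier(path: str) -> Optional[ZoneTransfer]:
    """Read and parse <path>:Zone.Identifier (assumes Windows + NTFS).

    Returns None when the file has no such stream.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def summarize(name: str, text: str) -> str:
    """One-line triage summary: zone plus any provenance fields present."""
    zt = parse_zone_identifier(text)
    parts = [f"{name}: zone {zt.zone_id} ({zt.zone_name})"]
    parts += [f"{k}={zt.fields[k]}" for k in PROVENANCE_KEYS if k in zt.fields]
    return "; ".join(parts)


if __name__ == "__main__":
    for fname, stream in SAMPLE_STREAMS.items():
        print(summarize(fname, stream))
```

Running the script prints one summary line per sample; on a Windows case machine, read_zone_identifier can be pointed at files in a download directory to list which ones carry a HostUrl or a writing application. Keys are kept case-sensitive so the output matches what Notepad shows in the stream.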
If anyone else wants to do some testing with their browsers then maybe we can build out the use cases where this occurs – in the quick test I did I only see it in Chrome. When did this begin!?
Maybe an idea for one of the new daily bloggers?
9 thoughts on “Zone Identifier == kMDItemWhereFroms?”
[…] Have a read here: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/ […]
Interestingly, when downloading the streams.zip file using Edge, it included HostIpAddress. See below:
Which Windows version are you on?
I just downloaded streams and didn’t get the hostipaddress field
Same on my side, no HostIPAddress for Streams…
As I suggested to Jaco below, save the file to a non-default download location. I have duplicated this behaviour on Windows 10 Home, Pro and Enterprise. The versions of Home and Pro are 10.0.17134 Build 17134 and for Enterprise it is 10.0.16299 Build 16299.
The LastWriterPackageFamilyName relates to the last Store App to write the file as well as a hint provided by the app as to what the trust level should be (see https://technet.microsoft.com/en-us/windows/mt243886(v=vs.60). This latter field is AppDefinedZoneID.
[…] 1. What version of Windows introduced zone.identifier Windows XP SP2 Reference: https://www.forensicswiki.org/wiki/New_Technology_File_System_(NTFS) http://www.sandersonforensics.com/Files/ZoneIdentifier.pdf 2. What data is contained within a zone.identifier “Windows Internet Explorer uses the stream name Zone.Identifier for storage of URL security zones.”(Reference: https://msdn.microsoft.com/en-us/library/dn392609.aspx) This relates to data stored in the registry in the Zones key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (Reference: https://blogs.msdn.microsoft.com/oldnewthing/20131104-00/?p=2753/) Until recently, the only information located within the ZoneID Alternate Data Stream related to the above settings: In 2017, Twitter user @Ericlaw identified (https://twitter.com/ericlaw/status/903065616055185409) that browsers were putting additional information in the ADS ZoneID. Independently of this, I discovered that URLs and program identification information may also be found (Reference: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/) […]
FYI HostIpAddress, HostUrl, and ReferrerUrl are frequently seen in files accessed through SharePoint. That’s been happening for quite some time, though I don’t remember when I first saw it.
[…] well as various other updates and improvements (including an update to their NTFS tool to extract additional data sometimes stored zoneIDs) Aug 2018 build […]
[…] Zone Identifier == kMDItemWhereFroms?https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/ […]