A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.
Finally decided to do a little bit more digging!
For background on Zone Identifiers, you can see the paper by Paul Sanderson here.
For my test, I took my currently installed versions of Chrome (67.0.3396.87), Firefox (60.0.2), IE (11.112.17134.0), and Edge (42.17134.1.0) and then saved the Google doodle off the Google homepage.
Using ‘dir /r’ you can see all the Alternate Data Streams for the files.
I have no idea why IE didn’t create an ADS for the file that I saved. I expected them all to.
Now, let’s take a look at the ADS; I used Notepad (turns out the type command didn’t work).
For example: notepad firefox.png:Zone.Identifier.
Firefox shows us what we usually get. Nothing unusual here. ZoneId=3 is expected.
What about Edge?
That’s a bit different. Same ZoneID as expected, but also tells us which browser was used. This can be very useful in identifying where to look next.
(Side note: I also tested this with inPrivate browsing and got the same artefact. Also may help identify why you’re not finding browser history).
But Chrome is where things get way more interesting.
Here we can see where I downloaded the file from, and where it was stored online. It also may be helpful in identifying the browser history to look for.
You also get one from Gmail, but the data is a bit harder to identify. It’s entirely possible that the user’s Google ID is encoded in there somewhere. That could be really helpful.
Super useful, and very similar to the kMDItemWhereFroms extended attribute found on HFS+/APFS.
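To make this kind of comparison repeatable across browsers, here is a small parser for the [ZoneTransfer] body of a Zone.Identifier stream. It is an added example, not code from the original post; it assumes the ReferrerUrl and HostUrl key names Chrome writes, and the two sample streams below are constructed rather than copied from my test files.

```python
from typing import Dict, Optional

# Windows URL security zone numbers, as written in the ZoneId field.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Return the key/value pairs under [ZoneTransfer]; other sections are ignored."""
    fields: Dict[str, str] = {}
    section = None
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a BOM and CRLF endings
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split once: URLs may themselves contain '='
        fields[key.strip()] = value.strip()
    return fields

def summarise(fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Pull out the forensically interesting fields; unknown keys are listed under 'other'."""
    zone = fields.get("ZoneId")
    zone_name = ZONE_NAMES.get(int(zone)) if zone and zone.isdigit() else None
    return {
        "zone": zone_name,
        "referrer": fields.get("ReferrerUrl"),   # page the download was started from
        "host": fields.get("HostUrl"),           # URL the file bytes were fetched from
        "other": ", ".join(k for k in fields if k not in ("ZoneId", "ReferrerUrl", "HostUrl")) or None,
    }

def read_stream(path: str) -> Optional[Dict[str, str]]:
    """Read <path>:Zone.Identifier on an NTFS volume; None if the ADS (or file) is absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

# Constructed sample streams (hypothetical values, not captured from real downloads).
FIREFOX_SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"
CHROME_SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://www.google.com/\r\n"
                 "HostUrl=https://www.google.com/logos/doodles/example-doodle.png\r\n")
```

On a live system, `summarise(read_stream(r"C:\Users\me\Downloads\chrome.png"))` gives the same view as opening the stream in Notepad, and the `other` entry surfaces any extra key a browser such as Edge adds.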
If anyone else wants to do some testing with their browsers then maybe we can build out the use cases where this occurs – in the quick test I did I only see it in Chrome. When did this begin!?
Maybe an idea for one of the new daily bloggers?