Author: Phill Moore

I am a digital forensics analyst. I have a couple of blogs - This Week In 4n6 and Think DFIR I go by randomaccess (or variations of) on a number of DFIR social channels.

Zone Identifier == kMDItemWhereFroms?

A couple weeks ago at Techno Security I saw a presentation about examining cloud storage applications such as Dropbox. Whilst the presentation was great, the main thing I noticed was that when the presenter selected a Zone Identifier ADS there was more than the usual ZoneID=3.

Finally decided to do a little bit more digging!

For background on Zone Identifiers, you can see the paper by Paul Sanderson here.

(more…)