
Where Did It Come From: Forensic Analysis of Zone.Identifier


As you may know, David Cowen runs the Sunday Funday Challenges, and one of the most recent was a Zone.Identifier challenge. I didn't win, but I decided to post my submission anyway, as it contains some additional info. So, here we go:

Windows XP SP2 introduced the Zone.Identifier Alternate Data Stream (ADS), an NTFS stream created alongside a file downloaded from the Internet or an intranet (the so-called "mark of the web"). It is written by the application that saves the file to the local file system from a different security zone. The ZoneId value is one of the URL security zones; the five you will encounter are:

0 – Local Machine Zone, the most trusted zone, for content that exists on the local computer;

1 – Local Intranet Zone, for content located on an organization's intranet;

2 – Trusted Sites Zone, for content located on web sites that are considered more reputable or trustworthy than other sites on the Internet;

3 – Internet Zone, for web sites on the Internet that do not belong to another zone;

4 – Restricted Sites Zone, for web sites that contain potentially unsafe content.

I started my testing with 8 web browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, Internet Explorer, Opera, Tor, UC Browser and Vivaldi. I downloaded the same file to the same folder with each of them and used AlternateStreamView to look at the Zone.Identifier stream:

A few important facts: Internet Explorer didn't create a stream at all, and the stream size differs depending on the browser used.

OK, let's look at what exactly is contained in them.

Google Chrome:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://cyberforensicator.com/
HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

Not bad, huh? We have not only the zone, but also the referrer and host URLs. Awesome!

Microsoft Edge:

[ZoneTransfer]
LastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
ZoneId=3

Again we have the zone, of course, but also the package family name of the writer, which identifies the browser. No web site or URL, unfortunately.

Firefox:

[ZoneTransfer]
ZoneId=3

Unfortunately, only the zone.

Opera:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://cyberforensicator.com/
HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

Opera is Chromium-based, so we get the same three fields as Chrome. Not bad.

Tor:

[ZoneTransfer]
ZoneId=3

Tor Browser is based on Firefox, so again we have only the zone.

UC Browser:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://cyberforensicator.com/
HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

This browser is probably Chromium-based too, as it writes the same fields: a lot of good info.

Vivaldi:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://cyberforensicator.com/
HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png

Same here (Vivaldi is Chromium-based as well): a lot of useful info.

So the contents of Zone.Identifier vary: the set of fields you get depends on the browser used to download the file.

I also decided to test what happens to attachments saved from mail clients. Let's look at Microsoft Outlook 2016:

[ZoneTransfer]
ZoneId=3

Only the zone identifier, but at least we know the file was downloaded and not created on the local computer.

I thought that wasn't enough and tested Mozilla Thunderbird too. I got the same:

[ZoneTransfer]
ZoneId=3

Still not enough, so let's look at Windows Mail:

[ZoneTransfer]
ZoneId=3

Same here.

I also looked at Windows cloud sync clients: Google Drive, MEGAsync, pCloud and Box, but didn't find a Zone.Identifier ADS on any of the files. Of course, such apps are mostly used for uploading files, but they do download files from the cloud to the local computer as well: files uploaded from other devices are written to the local disk during sync, and none of them were marked.

I decided not to stop there, and tested the μTorrent app. It creates Zone.Identifier too:

[ZoneTransfer]
ZoneId=3
HostUrl=about:internet

I downloaded two different files and both have the same HostUrl, so it may be used to detect files downloaded via torrents, at least via μTorrent.

I continued my testing with a few more torrent clients.

BitTorrent creates the same Zone.Identifier:

ZoneId=3
HostUrl=about:internet

As for the 2 other clients, Transmission and Vuze, they do not add Zone.Identifier at all.

I also played a bit with TeamViewer, using both the file transfer feature and copy+paste: no Zone.Identifier for transferred files. Same with the FlashGet download manager: no Zone.Identifier for downloaded files.

Then I decided to test a few chat apps. I started with Telegram and got the following:

[ZoneTransfer]
ZoneId=3

So Telegram Desktop adds Zone.Identifier too.

Finally, I tested another popular messenger, Skype:

[ZoneTransfer]
ZoneId=3
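To turn the observations above (the zone table, the different field sets written by Chromium-family browsers and Edge, and the about:internet HostUrl left by μTorrent and BitTorrent) into something you can run over files from an image, here is a small parser and triage helper. It is an added example for this post, not the author's code or any tool's output; the source classification encodes only the patterns shown in this post, so treat its verdicts as leads rather than proof of which application wrote a file. The sample stream contents are constructed to match the ones above, and reading the stream directly only works on NTFS under Windows.

```python
"""Parse and triage Zone.Identifier alternate data streams (added example)."""
import sys

# URL security zone IDs as listed in the post.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

STREAM_SUFFIX = ":Zone.Identifier"  # NTFS ADS name; only resolvable on Windows


def parse_zone_identifier(text):
    """Return the keys of the [ZoneTransfer] section as a dict.

    Blank lines, ';' comments and a leading UTF-8 BOM are ignored, the section
    name is matched case-insensitively, and ZoneId is converted to int when it
    is numeric. Raises ValueError if there is no [ZoneTransfer] section.
    """
    fields = {}
    in_section = seen_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            seen_section = seen_section or in_section
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not seen_section:
        raise ValueError("no [ZoneTransfer] section in stream")
    if fields.get("ZoneId", "").isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def zone_name(fields):
    """Human-readable zone name; unknown or malformed IDs are reported as-is."""
    zone = fields.get("ZoneId")
    return ZONE_NAMES.get(zone, "Unknown zone %r" % (zone,))


def classify_source(fields):
    """Heuristic class of the writing application, based on the post's tests.

    'zone-only' is where Firefox, Tor, Outlook, Thunderbird, Windows Mail,
    Telegram and Skype all land: a bare ZoneId cannot tell them apart.
    """
    if "LastWriterPackageFamilyName" in fields:
        return "store-app"          # Edge wrote its package family name
    if fields.get("HostUrl", "").lower() == "about:internet":
        return "torrent-client"     # uTorrent and BitTorrent in the post
    if "HostUrl" in fields or "ReferrerUrl" in fields:
        return "chromium-browser"   # Chrome, Opera, UC Browser, Vivaldi
    return "zone-only"


def summarize(fields):
    """One triage line: zone, source class and any URL/package fields present."""
    parts = ["zone=%s" % zone_name(fields), "source=%s" % classify_source(fields)]
    for key in ("LastWriterPackageFamilyName", "ReferrerUrl", "HostUrl"):
        if key in fields:
            parts.append("%s=%s" % (key, fields[key]))
    return " ".join(parts)


def read_zone_identifier(path):
    """Read a file's Zone.Identifier stream, or None if it has none.

    Opening 'file.ext:Zone.Identifier' works on NTFS under Windows; elsewhere
    the colon is an ordinary filename character and the open simply fails.
    """
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8") as stream:
            return stream.read()
    except OSError:
        return None


# Constructed samples reproducing the stream contents shown in the post (CRLF,
# as Windows writes them).
SAMPLES = {
    "chrome": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://cyberforensicator.com/\r\n"
              "HostUrl=http://cyberforensicator.com/wp-content/uploads/2017/08/CF_LOGO_NEW.png\r\n",
    "edge": "[ZoneTransfer]\r\nLastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe\r\nZoneId=3\r\n",
    "firefox": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "utorrent": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n",
}

if __name__ == "__main__":
    # Usage: python zone_id.py [file ...]; with no arguments, run on the samples.
    for path in sys.argv[1:]:
        text = read_zone_identifier(path)
        print(path, "->", "no Zone.Identifier stream" if text is None
              else summarize(parse_zone_identifier(text)))
    if len(sys.argv) == 1:
        for name, text in SAMPLES.items():
            print("%-9s %s" % (name, summarize(parse_zone_identifier(text))))
```

Run it on Windows against files of interest to get one line per file; on a Linux analysis box, feed it stream contents you have already extracted (for example from a forensic tool's export) via parse_zone_identifier(). Note that the classifier deliberately reports Telegram, Skype and the mail clients as zone-only rather than guessing: nothing in a bare ZoneId=3 stream distinguishes them.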

As you can see, lots of applications create the Zone.Identifier ADS, so this topic needs much more research and testing. Keep in mind too that the stream only exists on NTFS: copying a file to a FAT32/exFAT volume or through a tool that doesn't preserve alternate data streams silently drops it, and a user clicking "Unblock" in the file's Properties dialog deletes it, so the absence of the stream never proves that a file was created locally. Also, don't forget to check Phil Moore's winning submission.

Happy Forensicating!

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.
