Forensic Analysis of the Zone.Identifier Stream

Forensics
1

Zone Identifier, ADS and URL Zones

If you are new to the field of digital forensics, you may not be aware of Zone Identifiers, Alternate Data Streams (ADS) or URL Zones. If that is the case, then you have come to the right place. We shall explain all and show you exactly how they can help you during an investigation. First of all, we need to take a look at Alternate Data Streams.

What is an Alternate Data Stream?

As we know, files stored on an NTFS file system can have many different attribute types, these are the building blocks for the file. One of these attributes is $DATA, or simply called the data attribute. It is the part of the file where the actual data is stored. This data stream, sometimes referred to as the primary data stream, or more accurately the unnamed data stream, has no name associated with it. However, the NTFS file system supports multiple data streams, where the stream name identifies a new data attribute of a file. So how do we access these alternate streams?

Accessing an Alternate Data Stream

There are a number of ways to access Alternate Data Streams (such as using the Sysinternals Streams tool). However, we are going to take a look at using Windows PowerShell commands. In the following example, we use the Get-Item command to list all available streams for a specific ZIP file stored in the Downloads folder. This file was downloaded using Mozilla Firefox v88:

Get-Item -path D:\Downloads\1-6b4b9.zip -stream *

Windows Powershell Get-Item List Alternate Data StreamsList All Available Streams and Associated Properties

This output is showing more information than we really need, so we can format it into columns and make it clearer to review by using the following command:

Get-Item -path D:\Downloads\1-6b4b9.zip -stream * | Select-Object -Property Filename, Stream, Length

WIndows Power Shell Stream ListFormatted List of All Available Streams

If we look at the output, we can see two streams, the unnamed data stream and a stream with the name Zone.Identifier. So what is this hidden alternate stream? How did it get attached to this file and what does it contain?

What is the Zone.Identifier Stream?

The Zone.Identifier feature was first introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. It was designed as a security feature and provided storage for URL Security Zone information. In essence, the feature allowed Windows to determine whether a file should be trusted or not. Internet Explorer would add a Zone.Identifier stream to all downloaded files and set an ID which indicated which Zone the file originated from (such as Zone 3, the Internet Zone). We will look at this further in a moment.

What is Stored in the Zone.Identifier?

So how can we examine the data contained in the Zone.Identifier stream? One option is to run Powershell and execute the Get-Content command as shown below:

Get-Content -path D:\Downloads\1-6b4b9.zip -stream Zone.Identifier

Windows Powershell Get-Content Zone IdentifierWindows Powershell Get-Content Command

As you can see from the output, the data is stored as plain-text with an initialization file structure. We can see a group header called [ZoneTransfer] along with various name/value pairs. Immediately, you can see there are some very interesting properties in this stream, such as ReferrerUrl and HostUrl. This was not always the case. Earlier versions of the Zone.Identifier stream only contained the ZoneId property. Other properties have been added over time, further enhancing the value of this data. From an investigative point of view, these properties are extremely useful.

We have also found that if the user extracts data from a downloaded archive file using the built-in Explorer functionality, Windows helpfully adds a Zone.Identifier to every extracted file. The new stream contains a ReferrerUrl property with a link back to the original archive the file was extracted from. This allows you to track back the original source of a downloaded/extracted file.

Internet Explorer is not the only web browser to have this functionality. Zone.Identifier streams are written to downloaded files by other browsers such as Microsoft Edge, Edge Legacy, Google Chrome, Mozilla Firefox, Opera and many other Mozilla and Chromium based browsers. Other applications may also implement the functionality.

Zone.Identifier Properties

The structure of the stream can also change depending on the application which performed the download. From our analysis, we have found the following properties:

  • AppZoneId
  • HostIpAddress
  • HostUrl
  • LastWriterPackageFamilyName
  • ReferrerUrl
  • ZoneId

ZoneId Property

The ZoneId property identifies the URL Security Zone and flags the download according to its respective level of trust. The code below shows the URLZONE enum and the corresponding values:

typedef enum tagURLZONE { 
  URLZONE_INVALID         = -1,
  URLZONE_PREDEFINED_MIN  = 0,
  URLZONE_LOCAL_MACHINE   = 0,
  URLZONE_INTRANET,
  URLZONE_TRUSTED,
  URLZONE_INTERNET,
  URLZONE_UNTRUSTED,
  URLZONE_PREDEFINED_MAX  = 999,
  URLZONE_USER_MIN        = 1000,
  URLZONE_USER_MAX        = 10000
} URLZONE;

So what exactly do these values mean? According to Microsoft, they contain all the predefined zones used by Windows Internet Explorer:

  • URLZONE_INVALID – This is an invalid zone that is used only if no appropriate zone is available.
  • URLZONE_LOCAL_MACHINE – This zone is used for content already on the user’s local computer.
  • URLZONE_INTRANET – This zone is used for content found on an intranet.
  • URLZONE_TRUSTED – This zone is used for trusted Web sites on the Internet.
  • URLZONE_INTERNET – This zone if for content from the Internet, except for Web sites listed in the trusted or restricted zones.
  • URLZONE_UNTRUSTED – This zone is used for Web sites that are not trusted.

A Windows user can access the URL Zones via Internet Options in the Control Panel (see the Security tab from the Internet Properties window below). However, it is unlikely that you will encounter ZoneId values outside the standard predefined zones.

Windows Internet Properties » Security Window » URL Security ZoneInternet Properties Security Tab Showing URL Security Zones

Easily Process Zone.Identifier Streams in Your Investigation

As a forensic investigator, what is an easy way to examine the Zone.Identifier stream from downloaded files? Luckily, there is a simple solution when using NetAnalysis® as part of your forensic process. NetAnalysis® v3 adds support for importing data from this hidden Alternate Data Stream.

As NetAnalysis® searches through all files, it identifies supported types, and checks for the presence of NTFS Alternate Data Streams. Any files containing a Zone.Identifier ADS are processed and added to the grid for analysis with the Zone Identifier Entry Type.

The image below shows the entry we manually examined above imported into NetAnalysis®. The Information Panel shows the associated metadata, including file system information. All the other properties from the stream, which are not displayed in the Information panel, can be found in the corresponding columns in the NetAnalysis® grid.

NetAnalysis Zone Identifier Examination and AnalysisNetAnalysis® Displaying Zone Identifier Entries and Metadata

Recovering Zone.Identifier Data from a Forensic Image

So how do you deal with a situation where the files might have been deleted? What if the suspect has formatted their disk or deleted the partition? This is where HstEx® becomes very useful. Specifically designed to work in conjunction with NetAnalysis® (and is provided as part of the suite), this powerful software can recover deleted data from a variety of sources and can work with unstructured data; this means it can reassemble information from raw data when no filesystem metadata is available.

In NTFS, the $MFT or Master File Table keeps track of every file on the volume. In the case of the ADS holding the Zone Identifier information, this is likely to be resident as it can be quite small in size. When the value can be accessed directly from within the attribute, it is called “resident data”. This data is small enough to be stored within the MFT entry, rather than out in the file system.

With the release of HstEx® v5.1, we have added the ability to search and recover MFT entries containing resident Zone Identifier data. This provides us with a lot of information regarding the original file. The recovered data is easily read into NetAnalysis® for examination. The image below shows a number of recovered Zone Identifier entries. The Information panel shows the associated MFT attribute information along with the Zone Transfer data from the Zone.Identifier stream.

832×724
NetAnalysis® showing recovered Resident MFT entries containing Zone.Identifier streams

Summary

The Zone.Identifier stream, associated with a download, contains a rich store of properties that may be relevant to an investigation. NetAnalysis® provides an easy way to examine, and perform analysis on these streams. HstEx® allows an easy way to process an entire forensic image (or other source) recovering Zone.Identifier streams contained within live and deleted MFT entries. HstEx® can also recover this data even if the file has been deleted, the volume has been formatted, or the partition deleted.

Further Reading

For further information relating to this subject, please see the following links:

The post Forensic Analysis of the Zone.Identifier Stream appeared first on Digital Detective.

Article Link: Forensic Analysis of the Zone.Identifier Stream - Digital Detective