
Alternate Data Streams (ADS)/(Zone.Identifier) in Forensic Investigations

Updated: Jan 15

I will start by asking a question:

Ever wonder how Office knows your document was "from the Internet"?


Understanding Alternate Data Streams (ADS):

Alternate Data Streams allow for the creation of secondary or subsequent data streams within a single file in the NTFS file system. While the primary data stream contains the main file content, ADS can store additional metadata, attributes, or even executable code.


The Significance of Zone.Identifier Stream:

One significant use of ADS in forensic investigations is the Zone.Identifier stream, which can indicate the origin of a file, in particular whether it was downloaded from the internet. The Zone.Identifier stream typically contains a few lines of plain text describing the file's origin; a ZoneID value of 3 signifies that the file was downloaded from the internet and may be potentially unsafe.


Understanding ZoneID Values:

- NoZone: -1
- MyComputer: 0
- Intranet: 1
- Trusted: 2
- Internet: 3
- Untrusted: 4

Example: (screenshot omitted)


Analyzing Zone.Identifier ADS:

By analyzing the presence of Zone.Identifier ADS, forensic analysts can identify potentially malicious files that were downloaded from the internet.


**This analysis is particularly useful when examining critical system directories like C:\Windows\System32, where the presence of ZoneID=3 can raise red flags.**
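To make the two points above concrete (what a Zone.Identifier stream looks like when parsed, and why ZoneID=3 under System32 is a red flag), here is an added Python example; it is not code from the original post. The ZoneID-to-name table is the one listed above; the `[ZoneTransfer]` section with `ZoneId`, `ReferrerUrl` and `HostUrl` keys is the layout Windows writes into the stream, and the sample stream text and paths are constructed for this example.

```python
"""Parse a Zone.Identifier alternate data stream and classify a file's origin.

Added example, not code from the original post. The ZoneId-to-name mapping is
the one given in the post; the stream layout ([ZoneTransfer] section with
ZoneId, ReferrerUrl and HostUrl keys) is what Windows writes. The sample
stream contents and file paths below are constructed for this example.
"""
import os
from pathlib import PureWindowsPath

# ZoneId values as listed in the post.
ZONE_NAMES = {
    -1: "NoZone",
    0: "MyComputer",
    1: "Intranet",
    2: "Trusted",
    3: "Internet",
    4: "Untrusted",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse the text of a Zone.Identifier stream into a dict.

    Returns 'ZoneId' (int, or None if absent or malformed) plus any other
    key=value pairs found under [ZoneTransfer], such as HostUrl.
    """
    result = {"ZoneId": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Only the [ZoneTransfer] section is meaningful here.
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":  # accepts ZoneId / ZoneID spelling
            try:
                result["ZoneId"] = int(value)
            except ValueError:
                result["ZoneId"] = None
        else:
            result[key] = value
    return result


def zone_name(zone_id) -> str:
    """Map a numeric ZoneId to its name; unknown values are reported as such."""
    return ZONE_NAMES.get(zone_id, "Unknown")


def read_zone_identifier(path: str):
    """On Windows, read and parse a file's Zone.Identifier ADS.

    Returns None off Windows or when the stream is absent. 'file:stream' is
    the standard NTFS syntax for opening a named stream.
    """
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# System directories where an Internet-zone file is unexpected (assumed list).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_suspicious(path: str, zone: dict) -> bool:
    """Flag an Internet-zone (ZoneId=3) file living under a system directory.

    This is the heuristic the post describes: OS binaries in System32 are not
    downloaded from the internet, so ZoneId=3 there deserves a closer look.
    """
    if zone.get("ZoneId") != 3:
        return False
    normalized = str(PureWindowsPath(path)).lower()
    return any(normalized.startswith(d) for d in SYSTEM_DIRS)


# Constructed sample: what a browser typically writes for a downloaded file.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/tool.exe\r\n"
)

if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_STREAM)
    print(zone_name(zone["ZoneId"]), zone.get("HostUrl"))
    print(is_suspicious(r"C:\Windows\System32\tool.exe", zone))
```

On a live Windows system `read_zone_identifier(path)` opens the stream directly; on an image or a non-Windows analysis box, feed `parse_zone_identifier` the stream bytes you carved or exported, then run `is_suspicious` against the file's original path.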


Applications in Forensic Investigations:

ADS analysis, especially focusing on Zone.Identifier streams, can provide valuable insights into the origins of files, aiding forensic investigations in various scenarios, including malware analysis, digital forensics, and e-discovery.



**********************

Update made in January 2025

I want to introduce you to one of the tools I use most, which is also part of the KAPE toolkit.


The tool is called MFTECmd.exe.

This tool parses key artifacts such as $MFT, $J, $Boot, $SDS, and $I30 and provides the output in a CSV format.


I haven’t written an article about this tool yet, but I plan to do so soon.

Now, you might be wondering why I’m telling you about this tool. Let me explain.


Here’s an example: suppose you’ve parsed the $MFT with MFTECmd.exe, and a particular file on the device is of interest. Now the client wants to know how that file ended up on the system.


Did the user download it? If so, from which link?

If you’ve used MFTECmd.exe, you don’t need to worry. Simply open the output in Timeline Explorer, navigate to the Zone ID Contents column, and check the information.


As shown in the screenshot below, Zone ID 3 indicates the file was downloaded from the internet. The download URL is also included in the output.

See how easy and efficient it is to gather this information!
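The same check can be scripted when there are thousands of rows to triage rather than one. The following added Python example (not part of the original post, and not code from MFTECmd or Timeline Explorer) scans an MFTECmd-style $MFT CSV for files whose Zone.Identifier says ZoneId=3 and pulls out the recorded URLs. It assumes the CSV has `ParentPath`, `FileName` and `ZoneIdContents` columns (the column shown as "Zone ID Contents" in Timeline Explorer) and that `ZoneIdContents` carries the raw stream text; the CSV rows are constructed for this example.

```python
"""Triage an MFTECmd $MFT CSV for files carrying an Internet-zone Zone.Identifier.

Added example, not part of the original post or of MFTECmd/Timeline Explorer.
Assumptions: the CSV has 'ParentPath', 'FileName' and 'ZoneIdContents'
columns, and ZoneIdContents holds the raw Zone.Identifier text. The rows in
SAMPLE_CSV are constructed for this example.
"""
import csv
import io
import re

# Regexes rather than a line parser, so the cell can keep the stream's CRLFs
# or have them flattened onto one line; both forms are handled.
ZONEID_RE = re.compile(r"ZoneId\s*=\s*(-?\d+)", re.IGNORECASE)
URL_RE = re.compile(r"(HostUrl|ReferrerUrl)\s*=\s*(\S+)", re.IGNORECASE)
CANONICAL = {"hosturl": "HostUrl", "referrerurl": "ReferrerUrl"}


def extract_origin(zone_contents: str):
    """Return (zone_id, urls) from a ZoneIdContents cell.

    zone_id is None when the cell is empty or has no ZoneId; urls maps
    'HostUrl' / 'ReferrerUrl' to the recorded values.
    """
    if not zone_contents:
        return None, {}
    m = ZONEID_RE.search(zone_contents)
    zone_id = int(m.group(1)) if m else None
    urls = {CANONICAL[k.lower()]: v for k, v in URL_RE.findall(zone_contents)}
    return zone_id, urls


def find_internet_downloads(csv_text: str):
    """Return one dict per row whose Zone.Identifier says ZoneId=3."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    for row in reader:
        zone_id, urls = extract_origin(row.get("ZoneIdContents") or "")
        if zone_id != 3:
            continue
        parent = (row.get("ParentPath") or "").rstrip("\\")
        full_path = f"{parent}\\{row.get('FileName') or ''}"
        hits.append({"path": full_path, "zone_id": zone_id, **urls})
    return hits


# Constructed sample resembling MFTECmd output (only relevant columns kept).
SAMPLE_CSV = (
    "EntryNumber,ParentPath,FileName,HasAds,ZoneIdContents\r\n"
    '1001,.\\Users\\bob\\Downloads,invoice.exe,True,'
    '"[ZoneTransfer]\r\nZoneId=3\r\n'
    'ReferrerUrl=https://example.invalid/\r\n'
    'HostUrl=https://example.invalid/invoice.exe"\r\n'
    "1002,.\\Windows\\System32,kernel32.dll,False,\r\n"
    '1003,.\\Users\\bob\\Documents,notes.docx,True,'
    '"[ZoneTransfer]\r\nZoneId=1\r\n'
    'HostUrl=http://intranet.example.invalid/notes.docx"\r\n'
)

if __name__ == "__main__":
    for hit in find_internet_downloads(SAMPLE_CSV):
        print(hit["path"], hit.get("HostUrl"), hit.get("ReferrerUrl"))
```

Point `find_internet_downloads` at the text of a real MFTECmd CSV (`open(path, newline="").read()`) to get the same list you would build by filtering the Zone ID Contents column in Timeline Explorer, with the URL already split out per file.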


**********************

Conclusion:

Alternate Data Streams, particularly the Zone.Identifier stream, offer a fascinating avenue for uncovering the origin of files, especially those downloaded from the internet. By understanding ADS and analyzing ZoneID values, forensic investigators can enhance their capabilities to identify potentially malicious files and gather valuable evidence for investigations.


Akash Patel


