Identifying The Source of Downloaded Files
Posted on August 11, 2019
- and tagged as
- windows,
- security,
- powershell
A little known feature of NTFS is something called Alternate Data Streams, or ADS. Originally introduced for compatibility with Apple’s HFS, it allows for storage of metadata for files residing on the filesystem.
A simple example is some of the content in the Summary tab when viewing a file’s properties. Applications can write their own attributes (metadata) that are attached to files they interact with.
Most browsers are programmed to do this, and attach all kinds of useful metadata about files that are downloaded from the Internet. This can include what zone the file was downloaded from, in this instance referring to the Internet Properties zones (Internet, Local Intranet, Trusted, etc), as well as the the URL of the downloaded file, and the referrer.
This can be extremely useful when searching for the source of a malware outbreak if an executable has been identified on the infected system. This information is stored in ADS stream called Zone.Identifier.
Identify If The Stream Is Present
First we can check whether the stream is present for a particular file. For this example I’m using the 7Zip installer as the file we want to pull data about.
PS D:\Source> Get-Item 7z1900.exe -Stream Zone.Identifier -ErrorAction SilentlyContinue
PSPath : Microsoft.PowerShell.Core\FileSystem::D:\Source\7z1900.exe:Zone.Identifier
PSParentPath : Microsoft.PowerShell.Core\FileSystem::D:\Source
PSChildName : 7z1900.exe:Zone.Identifier
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : D:\Source\7z1900.exe
Stream : Zone.IdentifierLength : 119There are a few useful things to note here. Firstly, the Zone.Identifier stream is present, and has a length of 119 bytes.
Sometimes only the zone the file was downloaded from is present which isn’t particularly useful, and in these instances the Length tends to be around 24-26 bytes, so we can immediately tell we have more information than just the zone.
Reading The Stream
The stream can be read using Get-Content as shown below.
PS D:\Source> Get-Content 7z1900.exe -Stream Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.7-zip.org/download.htmlHostUrl=https://www.7-zip.org/a/7z1900.exeAnd there we have it, both the referrer, and the direct URL of the file present in the metadata. The zone value corresponds to the ‘Internet Zone’.
| Zone Id | Zone Name |
|---|---|
| 0 | My Computer |
| 1 | Local Intranet |
| 2 | Trusted Sites |
| 3 | Internet |
| 4 | Restricted Sites |
ReFS
While I have not had a chance to test, I have seen some documentation which indicates that ADS has recently been implemented in ReFS.
GUI Tools
There are other tools that can be used to read the ADS, a popular one being AlternateStreamView by NirSoft.