Identifying The Source of Downloaded Files
Posted on August 11, 2019
- and tagged as
A little known feature of NTFS is something called Alternate Data Streams, or ADS. Originally introduced for compatibility with Apple’s HFS, it allows for storage of metadata for files residing on the filesystem.
A simple example is some of the content in the Summary tab when viewing a file’s properties. Applications can write their own attributes (metadata) that are attached to files they interact with.
Most browsers are programmed to do this, and attach all kinds of useful metadata about files that are downloaded from the Internet. This can include what zone the file was downloaded from, in this instance referring to the Internet Properties zones (Internet, Local Intranet, Trusted, etc), as well as the the URL of the downloaded file, and the referrer.
This can be extremely useful when searching for the source of a malware outbreak if an executable has been identified on the infected system. This information is stored in ADS stream called
Identify If The Stream Is Present
First we can check whether the stream is present for a particular file. For this example I’m using the 7Zip installer as the file we want to pull data about.
PS D:\Source> Get-Item 7z1900.exe -Stream Zone.Identifier -ErrorAction SilentlyContinue PSPath : Microsoft.PowerShell.Core\FileSystem::D:\Source\7z1900.exe:Zone.Identifier PSParentPath : Microsoft.PowerShell.Core\FileSystem::D:\Source PSChildName : 7z1900.exe:Zone.Identifier PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : False FileName : D:\Source\7z1900.exe Stream : Zone.IdentifierLength : 119
There are a few useful things to note here. Firstly, the Zone.Identifier stream is present, and has a length of 119 bytes.
Sometimes only the zone the file was downloaded from is present which isn’t particularly useful, and in these instances the Length tends to be around 24-26 bytes, so we can immediately tell we have more information than just the zone.
Reading The Stream
The stream can be read using
Get-Content as shown below.
PS D:\Source> Get-Content 7z1900.exe -Stream Zone.Identifier [ZoneTransfer] ZoneId=3 ReferrerUrl=https://www.7-zip.org/download.htmlHostUrl=https://www.7-zip.org/a/7z1900.exe
And there we have it, both the referrer, and the direct URL of the file present in the metadata. The zone value corresponds to the ‘Internet Zone’.
|Zone Id||Zone Name|
While I have not had a chance to test, I have seen some documentation which indicates that ADS has recently been implemented in ReFS.
There are other tools that can be used to read the ADS, a popular one being AlternateStreamView by NirSoft.