8 May 2022

Was the file downloaded?

If you’re ever tracking down where a suspicious came from, it can be hard to determine if it was downloaded off of the “dirty” internet, or if someone actually created the file locally on the machine. Well if you know how to check the file’s alternative data stream, it actually becomes pretty easy to determine if it was in fact downloaded. You don’t know what the alternate data stream is, or how to check? We can fix that.

First a little background. The “Zone Identifier Alternate Data Stream” is often referred to as the Mark-of-the-Web (MOTW). The MOTW was actually a security feature first introduced by Internet Explorer for determing how to run saved HTML webpages. It has since grown to become implemented into many other file types. Whenever a file is downloaded, your browser implements MOTW by utilizing a feature of the NTFS file system called the alternate data stream (ADS) to associate a data stream to that file. The browser creates an ADS called “Zone.Identifier” and then adds the ZoneId to the stream to specify where the file came from. The ADS will be <file>:Zone.Identifier.

The ZoneId can have the following values:

  • 0. Local Computer
  • 1. Local Intranet
  • 2. Trusted Sites
  • 3. Internet
  • 4. Restricted Sites

Enough of the background… Let us get back to the hands-on part.

To check the files’ ADS & ZoneId from a command prompt, use the following syntax.

notepad file.ext:Zone.Identifier

Alternatively, to check the file with PowerShell, use either of the following cmdlets.

Get-Item .\file.ext -Stream *
Get-Content .\file.ext -Stream Zone.Identifier

Tags: , , , , , ,
Copyright 2022. All rights reserved.

Posted May 8, 2022 by IT.PWWF in category "Microsoft", "PowerShell

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.