Zone.Identifier: A Couple Of Observations

Published: 2020-07-18
Last Updated: 2020-07-20 08:23:08 UTC
by Didier Stevens (Version: 1)
0 comment(s)

In diary entry "Sysmon and Alternate Data Streams", we reported that Sysmon records the content of small Alternate Data Streams (containing text) in the event log.

This is useful for the Zone.Identifier ADS, a stream that is added by many browsers to mark a file as orginating from the Internet.

Modern browsers will include extra information in Zone.Identifier, like the URL:

Marc Russinovich explained that this new feature in Sysmon is useful for forensics for example, to figure out from where a particular file was downloaded.

I did the download above using Chrome, with a normal window.

When I use an incognito window, the URL is not recorded:

Marc also explained that this extra info in the Zone.Identifier stream was generated by functions in the urlmon DLL.

That gave me the idea to test this out in VBA (UrlDownloadToFile is a function exported by the urlmon DLL that is often used by malware authors):

Unfortunately, no Zone.Identifier stream is created in this case:

Didier Stevens
Senior handler
Microsoft MVP

0 comment(s)


Diary Archives