Zone Identifiers

Zone.Identifier is an Alternate Data Stream, so it exists only on NTFS file systems. It is created alongside
a file downloaded from the internet, such as a photo, and is also generated when the user saves a file
from another security zone to the local NTFS file system. The security zones are:


  1. Local zone, most trusted
  2. Local intranet, the organisation's intranet
  3. Trusted sites
  4. Internet
  5. Restricted




Now, using the command line in the Downloads directory, I use the command:


notepad.exe Nikon.jpg:zone.Identifier
which opens Notepad with the following text:
[ZoneTransfer]
ZoneId=3
HostUrl=about:internet,
So I got the image from the internet.


Some files will return the URL as well. See below:


So, why is this useful?
Where suspicious files are found, we will want to see their Zone.Identifier so we can work out where
they came from. In the case of explicit images, it would be very useful to find evidence of another device,
intranet, or URL, which would lead to further evidence and help shape the rest of an investigation.
Think malware as well. An employee may have a suspicious file which they claim they did not know about.
The Zone.Identifier could show that it in fact came from a URL which the suspect had accessed earlier.
This could be an unsafe pornographic website. From that, it could be inferred that the employee may not have intended to download the malware.
Consider too: what if criminals had their own intranets to perform criminal activities?
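As an added example (not the post's own tooling), the Python below reads and parses Zone.Identifier streams so a whole Downloads folder can be triaged at once, mapping ZoneId to its zone name and pulling out HostUrl and ReferrerUrl. The sample stream and the Downloads path are constructed assumptions; reading the stream itself only works on an NTFS volume under Windows, and a file without the stream is reported as None.

```python
from pathlib import Path

# URLMON security-zone numbering as recorded in ZoneId= (0-based; the post's ZoneId=3 is Internet).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
STREAM_SUFFIX = ":Zone.Identifier"  # an ADS is addressed by appending its name to the file path

def parse_zone_identifier(text):
    """Parse [ZoneTransfer] INI text; a missing or non-numeric ZoneId yields zone_id None."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    zone_id = int(zone) if zone is not None and zone.isdigit() else None
    return {
        "zone_id": zone_id,
        "zone_name": None if zone_id is None else ZONE_NAMES.get(zone_id, "Unknown"),
        "host_url": fields.get("HostUrl"),          # about:internet or the download URL
        "referrer_url": fields.get("ReferrerUrl"),  # originating page, when the browser recorded it
    }

def read_zone_identifier(path):
    """Return the parsed stream for one file, or None if it carries no Zone.Identifier
    (file created locally, non-NTFS volume, or the mark was removed with Unblock)."""
    try:
        with open(f"{path}{STREAM_SUFFIX}", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None

def triage_directory(directory):
    """Map every regular file in the directory to its zone info so unmarked files stand out."""
    folder = Path(directory)
    return {p.name: read_zone_identifier(p) for p in (folder.iterdir() if folder.is_dir() else []) if p.is_file()}

# Constructed sample matching the stream shown in the post (CRLF endings as Windows writes them).
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n"

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for name, info in triage_directory(Path.home() / "Downloads").items():
        print(name, info)
```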