Zone.Identifier files

(@jakeaw03)
Topic starter
 

I have a piece of identified malware located in the system32 dir. In the same directory is a file with the same malware name plus a "Zone.Identifier", for example foo.exe.Zone.Identifier. The contents of the file are [zonetransfer] Zoneid=3

http://www.sandersonforensics.com/Files/ZoneIdentifier.pdf
says that this is an ADS.

http://www.f-secure.com/v-descs/zoneident.shtml
says: "Existence of Zone.Identifier stream on some files is normal, and as such is of no cause for concern. This stream is generated by Internet Explorer and Outlook when saving files from to local disk from different security zones."

So what is my question? What does this mean for me forensically? From what I have read it doesn't really mean anything. I am interested now in how the original malware got on the system, and from what I read in the F-Secure posting it has something to do with saving the original file via Outlook, or could be.

Thanks,

 
Posted : 31/10/2008 11:59 pm
keydet89 (@keydet89)
 

So what is my question? What does this mean for me forensically? From what I have read it doesn't really mean anything. I am interested now in how the original malware got on the system, and from what I read in the F-Secure posting it has something to do with saving the original file via Outlook, or could be.

I think you answered your own question already…"This stream is generated by Internet Explorer and Outlook when saving files from to local disk from different security zones."

Well, it should read "…when saving files to the local disk…", rather than "…from to…", but that's your answer.

How large are the ADS? Around 28 bytes or so? What are the contents of the ADSs?

 
Posted : 01/11/2008 4:34 pm
(@spawn)
 

I think http://support.microsoft.com/kb/883260/ has the explanation you might be looking for.

 
Posted : 03/11/2008 2:57 am
(@arbert)
 

I think the biggest impacts "forensically" are: 1. It tells you where Windows "thought" the file was opened from, and 2. It dictates that the files were created after August 2004 (the release of XP Service Pack 2, which introduced the use of the feature).

I just completed a case where I was baffled for a bit because I had some files created in 2001-2004 and they all had ZIDs attached to them…

 
Posted : 03/11/2008 3:21 am
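As an added example (not code from any poster in this thread), a small Python parser for the stream contents discussed above: it maps ZoneId to the security zone name (arbert's "where Windows thought the file came from" point), reports the stream size keydet89 asks about, and also picks up the ReferrerUrl/HostUrl fields that newer Windows versions write into the same stream. The sample streams and the example.invalid URLs are constructed for the demonstration.

```python
import re
from typing import Dict, Optional

# URLZONE numbers as Windows writes them into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

_SECTION = re.compile(r"\[([^\]]*)\]")
_ENTRY = re.compile(r"^[ \t]*([A-Za-z]+)[ \t]*=[ \t]*(.*?)\s*$", re.M)


def parse_zone_identifier(data: bytes) -> Dict[str, str]:
    """Return the [ZoneTransfer] key/value pairs with lower-cased keys.

    Accepts the real CRLF stream as well as the one-line form quoted in the
    thread ("[zonetransfer] Zoneid=3"). Empty dict: no [ZoneTransfer] section.
    """
    text = data.decode("utf-8", errors="replace")
    sections = list(_SECTION.finditer(text))
    for i, m in enumerate(sections):
        if m.group(1).strip().lower() != "zonetransfer":
            continue
        end = sections[i + 1].start() if i + 1 < len(sections) else len(text)
        return {k.lower(): v for k, v in _ENTRY.findall(text[m.end():end])}
    return {}


def zone_name(fields: Dict[str, str]) -> Optional[str]:
    """Map the ZoneId field to a zone name; None if absent or not numeric."""
    zid = fields.get("zoneid", "")
    return ZONE_NAMES.get(int(zid), f"unknown zone {zid}") if zid.isdigit() else None


def summarize(name: str, data: bytes) -> str:
    """One-line triage summary: zone, stream size and any recorded download URLs."""
    fields = parse_zone_identifier(data)
    zone = zone_name(fields) or "no ZoneTransfer section"
    urls = [f"{k}={fields[k]}" for k in ("referrerurl", "hosturl") if k in fields]
    return f"{name}: {zone} ({len(data)} bytes)" + (" " + " ".join(urls) if urls else "")


# Constructed sample streams (not taken from any real system).
SAMPLE_XP = b"[ZoneTransfer]\r\nZoneId=3\r\n"   # the classic 26-byte stream
SAMPLE_THREAD = b"[zonetransfer] Zoneid=3"        # as typed in the thread
SAMPLE_WIN10 = (b"[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/dl/\r\n"
                b"HostUrl=https://example.invalid/dl/foo.exe\r\n")

if __name__ == "__main__":
    for label, blob in (("foo.exe", SAMPLE_XP), ("thread", SAMPLE_THREAD), ("win10", SAMPLE_WIN10)):
        print(summarize(label, blob))
```

On a live NTFS volume the same bytes can be read with PowerShell's `Get-Content -Stream Zone.Identifier`; a sidecar file named foo.exe.Zone.Identifier, as in the original post, is what you get when a tool or a non-NTFS copy could not preserve the stream.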