Simple artifact to find evidence of user download activity.
Based on the Zone.Identifier alternate data stream that is created alongside a file downloaded from the internet or intranet. Zone.Identifier is generated by applications when a user saves files to the local file system from a different security zone.
This artifact searches the directory provided for any file with an alternate data stream named Zone.Identifier, lists all files with ZoneId = 3 or 4, calculates the hash value of the file and prints the content of the Zone.Identifier alternate stream, as it can contain useful info (such as the HostUrl and ReferrerUrl the file came from) in some cases.
name: Windows.Analysis.EvidenceOfDownload
description: |
  Simple artifact to find evidence of user download activity.

  Based on the Zone.Identifier alternate data stream that is created
  alongside a file downloaded from the internet or intranet.
  Zone.Identifier is generated by applications when a user saves files
  to the local file system from a different security zone.

  This artifact searches the directory provided for any file with an
  alternate data stream named Zone.Identifier, lists all files with
  ZoneId = 3 or 4, calculates the hash value of the file and prints
  the content of the Zone.Identifier alternate stream, as it can
  contain useful info in some cases.

reference:
  - https://cyberforensicator.com/2018/06/26/where-did-it-come-from-forensic-analysis-of-zone-identifier/
  - https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download
  - https://www.csee.umbc.edu/courses/undergraduate/FYS102D/Recycle.Bin.Forensics.for.Windows7.and.Windows.Vista.pdf

author: M.Soheem @msoheem | Antonio Blescia (TheThMando)

type: CLIENT

parameters:
  - name: DirectoryPathGlob
    type: csv
    default: |
      Path
      C:/Users/*/Downloads/**/*
      C:/$Recycle.Bin/*/**/$R*
  - name: ZoneIdRegex
    description: A regular expression to match the required zone (default Internet and Restricted Zones).
    default: "ZoneId=[34]"

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- Turn every directory glob into a glob for the Zone.Identifier stream of each file.
      LET glob_patterns = SELECT Path + ':Zone.Identifier' AS Glob FROM DirectoryPathGlob

      -- Read each stream and keep only those whose ZoneId matches ZoneIdRegex
      -- (Internet and Restricted zones by default).
      LET X = SELECT
          split(string=OSPath, sep=":Zone.Identifier")[0] AS DownloadedFilePath,
          Mtime,
          read_file(filename=OSPath, accessor="ntfs") AS _ZoneIdentifierContent
        FROM glob(globs=glob_patterns.Glob, accessor="ntfs")
        WHERE NOT IsDir
          AND _ZoneIdentifierContent =~ ZoneIdRegex

      -- Hash the downloaded file itself and pull the individual fields out of the stream.
      SELECT *,
          if(condition=DownloadedFilePath, then=hash(path=DownloadedFilePath)) AS FileHash,
          parse_string_with_regex(regex="ZoneId=([^\\r\\n]+)", string=_ZoneIdentifierContent).g1 AS ZoneId,
          parse_string_with_regex(regex="HostUrl=([^\\r\\n]+)", string=_ZoneIdentifierContent).g1 AS HostUrl,
          parse_string_with_regex(regex="ReferrerUrl=([^\\r\\n]+)", string=_ZoneIdentifierContent).g1 AS ReferrerUrl
      FROM X
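The same logic the artifact's VQL expresses, as an added standalone Python example (not part of the artifact or of Velociraptor): it filters Zone.Identifier stream contents with the ZoneId regex, extracts ZoneId, HostUrl and ReferrerUrl with the same capture pattern the query uses, hashes the downloaded file, and can walk a directory on a Windows NTFS volume by opening the stream through the `file:Zone.Identifier` path syntax. The sample stream contents and file paths below are constructed for offline testing; the hash is None for them because those files do not exist.

```python
import hashlib
import os
import re
from typing import Dict, Iterator, List, Optional, Pattern

# Default filter, equivalent to the artifact's ZoneIdRegex parameter:
# ZoneId 3 = Internet zone, ZoneId 4 = Restricted sites zone.
ZONE_ID_REGEX: Pattern[str] = re.compile(r"ZoneId=[34]")

# Same capture as the VQL: the value runs up to the next CR or LF.
FIELD_RE = {name: re.compile(name + r"=([^\r\n]+)")
            for name in ("ZoneId", "HostUrl", "ReferrerUrl")}

# Constructed sample stream contents (not captured from a real host).
SAMPLE_STREAMS: Dict[str, str] = {
    "C:/Users/alice/Downloads/tool.exe":
        "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/downloads/\r\n"
        "HostUrl=https://cdn.example.invalid/tool.exe\r\n",
    "C:/Users/alice/Downloads/report.docx":
        "[ZoneTransfer]\r\nZoneId=1\r\n",  # intranet zone: excluded by the default regex
    "C:/$Recycle.Bin/S-1-5-21-1/$R1ABCD.zip":
        "[ZoneTransfer]\r\nZoneId=4\r\nHostUrl=https://files.example.invalid/a.zip\r\n",
}


def parse_zone_identifier(content: str) -> Dict[str, Optional[str]]:
    """Return ZoneId/HostUrl/ReferrerUrl from a Zone.Identifier stream (None when absent)."""
    fields: Dict[str, Optional[str]] = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(content)
        fields[name] = m.group(1) if m else None
    return fields


def matches_zone(content: str, zone_regex: Pattern[str] = ZONE_ID_REGEX) -> bool:
    """Mirror the VQL filter: keep the stream only if the regex matches its content."""
    return zone_regex.search(content) is not None


def sha256_file(path: str) -> Optional[str]:
    """SHA-256 of the downloaded file itself; None if it cannot be read."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def build_record(path: str, content: str, mtime: Optional[float] = None) -> dict:
    """One output row, shaped like the artifact's columns."""
    fields = parse_zone_identifier(content)
    return {
        "DownloadedFilePath": path,
        "Mtime": mtime,
        "FileHash": sha256_file(path),
        "ZoneId": fields["ZoneId"],
        "HostUrl": fields["HostUrl"],
        "ReferrerUrl": fields["ReferrerUrl"],
        "_ZoneIdentifierContent": content,
    }


def records_from_streams(streams: Dict[str, str],
                         zone_regex: Pattern[str] = ZONE_ID_REGEX) -> List[dict]:
    """Filter and parse stream contents that have already been read (offline path)."""
    return [build_record(path, content) for path, content in streams.items()
            if matches_zone(content, zone_regex)]


def evidence_of_download(root: str,
                         zone_regex: Pattern[str] = ZONE_ID_REGEX) -> Iterator[dict]:
    """Walk a directory on a Windows NTFS volume and yield a record for every file
    whose Zone.Identifier stream matches zone_regex. The stream is opened through
    the normal file API using the 'file:Zone.Identifier' path syntax."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path + ":Zone.Identifier", "r",
                          encoding="utf-8", errors="replace") as ads:
                    content = ads.read()
            except OSError:
                continue  # no Zone.Identifier stream, or not NTFS on Windows
            if matches_zone(content, zone_regex):
                yield build_record(path, content, os.path.getmtime(path))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; on a Windows host you would
    # iterate evidence_of_download(r"C:\Users\alice\Downloads") instead.
    for rec in records_from_streams(SAMPLE_STREAMS):
        print(rec["DownloadedFilePath"], rec["ZoneId"], rec["HostUrl"], rec["ReferrerUrl"])
```

Keeping the raw stream in `_ZoneIdentifierContent` matters for the same reason the artifact prints it: browsers write different field sets, and a stream may carry only ZoneId, so the parsed columns alone do not show everything that was recorded.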