Saturday, June 23, 2018

Daily Blog #402: Solution Saturday 6/23/18

Hello Reader,
             This week was really tough as I got a lot of really good submissions. In the end the winning submission from Phil Moore was selected because much like the other submissions that made it to the final round of consideration he listed which apps he tested that contained Zone.Identifiers and what different data points they contained. But Phil took it one step further and not only tested the application he tested the behavior such as saving different file types in IE or different moods of operation like InPrivate Browsing.  Last Phil added in a bonus OSX artifact to boot.

Here was the challenge:
The Challenge:
Zone.Identifier alternate data streams have been around for awhile please answer the following questions.
1. What version of Windows introduced zone.identifier
2. What data is contained with in a zone.identifier
3. What sets the zone.identifier
4. what conditions causes them to be created
5. What are the limitations of zone.identifier

So here is this week's winning entry from Phil Moore.


1. What version of Windows introduced zone.identifier
Windows Xp sp2



2. What data is contained with in a zone.identifier
“Windows Internet Explorer uses the stream name Zone.Identifier for storage of URL security zones.”
(Reference: https://msdn.microsoft.com/en-us/library/dn392609.aspx)

This relates to data stored in the registry in the Zones key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones




Until recently, the only information located within the ZoneID Alternate Data Stream related to the above settings:
 
In 2017, Twitter user @Ericlaw identified (https://twitter.com/ericlaw/status/903065616055185409) that browsers were putting additional information in the ADS ZoneID.

Independantly of this, I discovered that URLs and program identification information may also be found (Reference: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/)




Other examiners were able to replicate the findings (https://www.dfir.co.za/2018/06/18/highway-to-the-danger-zone-identifier/), as well as identify further information from the “Edge” browser.



Jaco Swanepoel eventually did figure out how to do it. I haven’t been able to replicate the HostIpAddress yet.



What this means is that we can also find the location from which the file originated in some instances, and also infer the browser used to download the file.

3. What sets the zone.identifier
As above, the browser checks the registry (NTUSER.DAT) and acts accordingly.

“URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust.” (Reference: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85) )

The domains that have been stored can be located here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and EscDomains.

Adding items to these keys can be done through Internet Options:
The Internet Options can be accessed through Windows Settings or Internet Explorer.


As a test, I added a site to the restricted list and when saving the item, I observed that it had a ZoneID of 4.

Similarly, if I added an item to “Trusted” then it doesn’t get a ZoneID

4. What conditions causes them to be created
“Browsers and other internet clients (e.g. email and chat programs) can participate in the MOTW-marking system by using the IAttachmentExecute interface’s methods or by writing the Alternate Data Stream directly.” (Reference: https://textslashplain.com/tag/security/page/2/)

Forensic Wiki indicates that ZoneID’s were originally set when a file was downloaded using “Internet Explorer, Outlook, and Windows Messenger”.

I performed a majority of my testing on Win10; there’s plenty more to do however.
Task
ZoneID?
ADS Contents
Save picture (IE)
No

Save ZIP (IE)
Yes
ZoneID
Save file (Chrome, Chrome-based browser)
Yes
 ZoneID
RefererURL
HostURL
Save file (Firefox)
Yes
ZoneID
Save file (Edge)
Yes
ZoneID
LastWriterPackageFamilyName (Application name)

File saved out of Outlook (o365 desktop)*
Yes
ZoneID
File saved out of Mail “Trusted Microsoft Store” app*
Yes
ZoneID
File saved out of Skype “Trusted Microsoft Store” app
Yes
ZoneID
Skype (Classic) App
Yes
ZoneID
Wget under Windows Subsystem for Linux
No

Powershell
No

FTP.exe (inbuilt)
No

Tor Browser Bundle (Firefox)
Yes
ZoneID
Private Browsing (IE - Zip)
Yes
ZoneID
Private Browsing (Firefox - Zip)
Yes
ZoneID
Private Browsing (Chrome - Zip)
Yes
ZoneID
RefererURL
HostURL

Private Browsing (IE - Zip
Untested - download kept failing

Save a webpage to the desktop from a link (Chrome)
Yes
ZoneID
RefererURL
HostURL

Save current page***
No

Telegram (Windows)
No

Sync with Mega
No

Sync with Dropbox
No**

Sync with OneDrive
No


*apparently you can also drag and drop files from emails and these won't be given the zoneID however this wasn’t tested.

** Dropbox does create ADS’s for the files, but not a ZoneID.

*** Indication of originating URL identified in the saved HTML code.

On Windows 7 I observed ZoneIDs from saving files out of webpages, however no additional data was located.
I did not have a Windows 8/8.1 sytsem to test.

Internet Explorer doesn’t always create ZoneIDs, for example saving a picture did not create a ZoneID. All other browsers did however for the same test. As a guess, any file that IE thinks the user needs to be protected from should have a ZoneID.

5. What are the limitations of zone.identifier
“The Alternate Data Stream travels with the file as it’s copied between NTFS disks, but will be lost if the file is ever copied to a FAT file system disk (like many USB keys, CDs, etc) that doesn’t support ADS. If you use Windows Explorer to extract a ZIP file with the MotW ADS, it will be copied to each file extracted from the archive.” (Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/)

Didier Stevens wrote a a post about propagation of ZoneIDs from ISO containers.
For example, if you open an ISO in Win10 and open the file, the file will not identify that it has come from the Internet (and I would guess if you copied it out it would not transfer the ZoneID with it).
(Reference: https://blog.didierstevens.com/2017/07/18/iso-files-with-zone-identifier/).


Addendum:

MacOS NTFS Drives
If you save a file to an NTFS drive using the Tuxera NTFS driver for MacOS you don’t get a ZoneID, but you do get Extended Attributes.


Program Execution:
On win8 if a program is executed and smart screen is displayed, if the user bypasses smartscreen to execute the application then this will replace the ZoneID with “AppZoneId=4”. This is not to be confused with “ZoneID=4” which would mean that the file came from a restricted zone.
I do not have a Win8 system to test this on, and was unable to replicate it on Win10.

This is another execution artefact however.
(Reference: https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/)

Removing ZoneIDs:
If you download an executable from the web you will get a Security Warning. If you deselect the “Always ask before opening this file” then the ZoneID will be removed.

Alternatively, if you go to the properties of the executable and select “Unblock” it will also remove the ZoneID.


Lastly, you can use the streams application (https://docs.microsoft.com/en-us/sysinternals/downloads/streams) by Mark Russinovich to remove ADS’s.

No comments:

Post a Comment