@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage bam base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit magnet virtual summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin pancake viewer path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog #402: Solution Saturday 6/23/18

Hello Reader,
             This week was really tough as I got a lot of really good submissions. In the end the winning submission from Phil Moore was selected because much like the other submissions that made it to the final round of consideration he listed which apps he tested that contained Zone.Identifiers and what different data points they contained. But Phil took it one step further and not only tested the application he tested the behavior such as saving different file types in IE or different moods of operation like InPrivate Browsing.  Last Phil added in a bonus OSX artifact to boot.

Here was the challenge:
The Challenge:
Zone.Identifier alternate data streams have been around for awhile please answer the following questions.
1. What version of Windows introduced zone.identifier
2. What data is contained with in a zone.identifier
3. What sets the zone.identifier
4. what conditions causes them to be created
5. What are the limitations of zone.identifier

So here is this week's winning entry from Phil Moore.


1. What version of Windows introduced zone.identifier
Windows Xp sp2



2. What data is contained with in a zone.identifier
“Windows Internet Explorer uses the stream name Zone.Identifier for storage of URL security zones.”
(Reference: https://msdn.microsoft.com/en-us/library/dn392609.aspx)

This relates to data stored in the registry in the Zones key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones




Until recently, the only information located within the ZoneID Alternate Data Stream related to the above settings:
 
In 2017, Twitter user @Ericlaw identified (https://twitter.com/ericlaw/status/903065616055185409) that browsers were putting additional information in the ADS ZoneID.

Independantly of this, I discovered that URLs and program identification information may also be found (Reference: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/)




Other examiners were able to replicate the findings (https://www.dfir.co.za/2018/06/18/highway-to-the-danger-zone-identifier/), as well as identify further information from the “Edge” browser.



Jaco Swanepoel eventually did figure out how to do it. I haven’t been able to replicate the HostIpAddress yet.



What this means is that we can also find the location from which the file originated in some instances, and also infer the browser used to download the file.

3. What sets the zone.identifier
As above, the browser checks the registry (NTUSER.DAT) and acts accordingly.

“URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust.” (Reference: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85) )

The domains that have been stored can be located here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and EscDomains.

Adding items to these keys can be done through Internet Options:
The Internet Options can be accessed through Windows Settings or Internet Explorer.


As a test, I added a site to the restricted list and when saving the item, I observed that it had a ZoneID of 4.

Similarly, if I added an item to “Trusted” then it doesn’t get a ZoneID

4. What conditions causes them to be created
“Browsers and other internet clients (e.g. email and chat programs) can participate in the MOTW-marking system by using the IAttachmentExecute interface’s methods or by writing the Alternate Data Stream directly.” (Reference: https://textslashplain.com/tag/security/page/2/)

Forensic Wiki indicates that ZoneID’s were originally set when a file was downloaded using “Internet Explorer, Outlook, and Windows Messenger”.

I performed a majority of my testing on Win10; there’s plenty more to do however.
Task
ZoneID?
ADS Contents
Save picture (IE)
No

Save ZIP (IE)
Yes
ZoneID
Save file (Chrome, Chrome-based browser)
Yes
 ZoneID
RefererURL
HostURL
Save file (Firefox)
Yes
ZoneID
Save file (Edge)
Yes
ZoneID
LastWriterPackageFamilyName (Application name)

File saved out of Outlook (o365 desktop)*
Yes
ZoneID
File saved out of Mail “Trusted Microsoft Store” app*
Yes
ZoneID
File saved out of Skype “Trusted Microsoft Store” app
Yes
ZoneID
Skype (Classic) App
Yes
ZoneID
Wget under Windows Subsystem for Linux
No

Powershell
No

FTP.exe (inbuilt)
No

Tor Browser Bundle (Firefox)
Yes
ZoneID
Private Browsing (IE - Zip)
Yes
ZoneID
Private Browsing (Firefox - Zip)
Yes
ZoneID
Private Browsing (Chrome - Zip)
Yes
ZoneID
RefererURL
HostURL

Private Browsing (IE - Zip
Untested - download kept failing

Save a webpage to the desktop from a link (Chrome)
Yes
ZoneID
RefererURL
HostURL

Save current page***
No

Telegram (Windows)
No

Sync with Mega
No

Sync with Dropbox
No**

Sync with OneDrive
No


*apparently you can also drag and drop files from emails and these won't be given the zoneID however this wasn’t tested.

** Dropbox does create ADS’s for the files, but not a ZoneID.

*** Indication of originating URL identified in the saved HTML code.

On Windows 7 I observed ZoneIDs from saving files out of webpages, however no additional data was located.
I did not have a Windows 8/8.1 sytsem to test.

Internet Explorer doesn’t always create ZoneIDs, for example saving a picture did not create a ZoneID. All other browsers did however for the same test. As a guess, any file that IE thinks the user needs to be protected from should have a ZoneID.

5. What are the limitations of zone.identifier
“The Alternate Data Stream travels with the file as it’s copied between NTFS disks, but will be lost if the file is ever copied to a FAT file system disk (like many USB keys, CDs, etc) that doesn’t support ADS. If you use Windows Explorer to extract a ZIP file with the MotW ADS, it will be copied to each file extracted from the archive.” (Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/)

Didier Stevens wrote a a post about propagation of ZoneIDs from ISO containers.
For example, if you open an ISO in Win10 and open the file, the file will not identify that it has come from the Internet (and I would guess if you copied it out it would not transfer the ZoneID with it).
(Reference: https://blog.didierstevens.com/2017/07/18/iso-files-with-zone-identifier/).


Addendum:

MacOS NTFS Drives
If you save a file to an NTFS drive using the Tuxera NTFS driver for MacOS you don’t get a ZoneID, but you do get Extended Attributes.


Program Execution:
On win8 if a program is executed and smart screen is displayed, if the user bypasses smartscreen to execute the application then this will replace the ZoneID with “AppZoneId=4”. This is not to be confused with “ZoneID=4” which would mean that the file came from a restricted zone.
I do not have a Win8 system to test this on, and was unable to replicate it on Win10.

This is another execution artefact however.
(Reference: https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/)

Removing ZoneIDs:
If you download an executable from the web you will get a Security Warning. If you deselect the “Always ask before opening this file” then the ZoneID will be removed.

Alternatively, if you go to the properties of the executable and select “Unblock” it will also remove the ZoneID.


Lastly, you can use the streams application (https://docs.microsoft.com/en-us/sysinternals/downloads/streams) by Mark Russinovich to remove ADS’s.

Post a Comment

[blogger][disqus][facebook][spotim]

Author Name

Contact Form

Name

Email *

Message *

Powered by Blogger.