Hello Reader,
This week was really tough as I got a lot of really good submissions. In the end the winning submission from Phil Moore was selected because, much like the other submissions that made it to the final round of consideration, he listed which apps he tested that contained Zone.Identifiers and what different data points they contained. But Phil took it one step further and not only tested the application, he tested the behavior, such as saving different file types in IE or different modes of operation like InPrivate Browsing. Lastly, Phil added a bonus OSX artifact to boot.
Here was the challenge:
The Challenge:
Zone.Identifier alternate data streams have been around for a while; please answer the following questions.
1. What version of Windows introduced zone.identifier
2. What data is contained within a zone.identifier
3. What sets the zone.identifier
4. What conditions cause them to be created
5. What are the limitations of zone.identifier
So here is this week's winning entry from Phil Moore.
1. What version of Windows introduced zone.identifier
Windows XP SP2
Reference:
2. What data is contained within a zone.identifier
“Windows Internet Explorer uses the stream name Zone.Identifier for storage of URL security zones.” (Reference: https://msdn.microsoft.com/en-us/library/dn392609.aspx)
This relates to data stored in the registry in the Zones key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Until recently, the only information located within the ZoneID Alternate Data Stream related to the above settings.
In 2017, Twitter user @Ericlaw identified (https://twitter.com/ericlaw/status/903065616055185409) that browsers were putting additional information in the ADS ZoneID.
Independently of this, I discovered that URLs and program identification information may also be found (Reference: https://thinkdfir.com/2018/06/17/zone-identifier-kmditemwherefroms/).
Other examiners were able to replicate the findings (https://www.dfir.co.za/2018/06/18/highway-to-the-danger-zone-identifier/), as well as identify further information from the “Edge” browser.
Jaco Swanepoel eventually did figure out how to do it. I haven’t been able to replicate the HostIpAddress yet.
What this means is that we can also find the location from which the file originated in some instances, and also infer the browser used to download the file.
3. What sets the zone.identifier
As above, the browser checks the registry (NTUSER.DAT) and acts accordingly.
“URL security zones group URL namespaces according to their respective levels of trust. A URL policy setting for each URL action enforces these levels of trust.” (Reference: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85))
The domains that have been stored can be located here: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and EscDomains.
Adding items to these keys can be done through Internet Options. The Internet Options can be accessed through Windows Settings or Internet Explorer.
As a test, I added a site to the restricted list and when saving the item, I observed that it had a ZoneID of 4.
Similarly, if I added an item to “Trusted” then it doesn’t get a ZoneID.
4. What conditions cause them to be created
“Browsers and other internet clients (e.g. email and chat programs) can participate in the MOTW-marking system by using the IAttachmentExecute interface’s methods or by writing the Alternate Data Stream directly.” (Reference: https://textslashplain.com/tag/security/page/2/)
Forensic Wiki indicates that ZoneIDs were originally set when a file was downloaded using “Internet Explorer, Outlook, and Windows Messenger”.
I performed a majority of my testing on Win10; there’s plenty more to do however.
Task                                                    | ZoneID?                          | ADS Contents
--------------------------------------------------------|----------------------------------|-------------------------------------------------------
Save picture (IE)                                       | No                               |
Save ZIP (IE)                                           | Yes                              | ZoneID
Save file (Chrome, Chrome-based browser)                | Yes                              | ZoneID, RefererURL, HostURL
Save file (Firefox)                                     | Yes                              | ZoneID
Save file (Edge)                                        | Yes                              | ZoneID, LastWriterPackageFamilyName (application name)
File saved out of Outlook (O365 desktop)*               | Yes                              | ZoneID
File saved out of Mail “Trusted Microsoft Store” app*   | Yes                              | ZoneID
File saved out of Skype “Trusted Microsoft Store” app   | Yes                              | ZoneID
Skype (Classic) app                                     | Yes                              | ZoneID
Wget under Windows Subsystem for Linux                  | No                               |
PowerShell                                              | No                               |
FTP.exe (inbuilt)                                       | No                               |
Tor Browser Bundle (Firefox)                            | Yes                              | ZoneID
Private Browsing (IE - Zip)                             | Yes                              | ZoneID
Private Browsing (Firefox - Zip)                        | Yes                              | ZoneID
Private Browsing (Chrome - Zip)                         | Yes                              | ZoneID, RefererURL, HostURL
Private Browsing (IE - Zip)                             | Untested - download kept failing |
Save a webpage to the desktop from a link (Chrome)      | Yes                              | ZoneID, RefererURL, HostURL
Save current page***                                    | No                               |
Telegram (Windows)                                      | No                               |
Sync with Mega                                          | No                               |
Sync with Dropbox                                       | No**                             |
Sync with OneDrive                                      | No                               |
* Apparently you can also drag and drop files from emails and these won’t be given the ZoneID; however, this wasn’t tested.
** Dropbox does create ADSs for the files, but not a ZoneID.
*** Indication of originating URL identified in the saved HTML code.
On Windows 7 I observed ZoneIDs from saving files out of webpages; however, no additional data was located.
I did not have a Windows 8/8.1 system to test.
Internet Explorer doesn’t always create ZoneIDs; for example, saving a picture did not create a ZoneID. All other browsers did, however, for the same test. As a guess, any file that IE thinks the user needs to be protected from should have a ZoneID.
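The stream contents described in answers 2 and 4 above are a small INI-style text block with a [ZoneTransfer] section, so the fields can be pulled out and the writing client guessed from which fields are present. The following Python is an added example, not code from Phil Moore's entry or from this blog. The field names are the ones reported on this page: ZoneId, the URL pair that the stream itself spells ReferrerUrl and HostUrl (the RefererURL/HostURL of the table), LastWriterPackageFamilyName, HostIpAddress, and the AppZoneId execution artefact from the addendum further down. The writer heuristic follows the table above and the sample streams are constructed for illustration, not captured from real downloads. The on-disk reader uses the Win32 `file:stream` naming convention, which only works on an NTFS volume under Windows; elsewhere, or once the stream has been lost to a FAT copy, it returns None.

```python
# Added example (not Phil Moore's or the original post's code): parse the
# contents of a Zone.Identifier alternate data stream and attribute the writer.
from typing import Optional

# URL security zone numbers from the Zones registry key referenced above.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample streams for illustration (not captured from real downloads).
SAMPLE_CHROME = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/?id=42\r\n"
    "HostUrl=https://cdn.example.com/files/tool.zip\r\n"
)
SAMPLE_IE_RESTRICTED = "[ZoneTransfer]\r\nZoneId=4\r\n"
SAMPLE_EDGE = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "LastWriterPackageFamilyName=Microsoft.MicrosoftEdge_8wekyb3d8bbwe\r\n"
)
SAMPLE_SMARTSCREEN_BYPASS = "[ZoneTransfer]\r\nAppZoneId=4\r\n"


def parse_zone_identifier(text: str) -> dict:
    """Return the key=value pairs of the [ZoneTransfer] section, keys as written.

    Hand-rolled rather than configparser so that a UTF-8 BOM, CRLF line
    endings, '=' inside URL query strings and junk lines are all tolerated.
    """
    fields = {}
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _get(fields: dict, *names: str) -> Optional[str]:
    """Case-insensitive lookup; several spellings of a field may be given."""
    wanted = {n.lower() for n in names}
    for key, value in fields.items():
        if key.lower() in wanted:
            return value
    return None


def zone_id(fields: dict) -> Optional[int]:
    """ZoneId as an integer, or None if absent or not numeric."""
    value = _get(fields, "ZoneId")
    return int(value) if value is not None and value.isdigit() else None


def infer_writer(fields: dict) -> str:
    """Heuristic attribution of the client that wrote the stream, based on the
    field combinations in the table above and the AppZoneId addendum."""
    if _get(fields, "AppZoneId") and zone_id(fields) is None:
        return "Executed after SmartScreen bypass (AppZoneId, not a download zone)"
    pfn = _get(fields, "LastWriterPackageFamilyName")
    if pfn:
        return "Packaged app (e.g. Edge): " + pfn
    if _get(fields, "HostUrl") or _get(fields, "ReferrerUrl", "RefererUrl"):
        return "Chrome or other Chromium-based browser"
    if zone_id(fields) is not None:
        return "ZoneId only: IE, Firefox, Outlook, Skype etc. are indistinguishable"
    return "No MOTW fields"


def summarize(text: str) -> dict:
    """One record per stream: the values an examiner would pull into a timeline."""
    fields = parse_zone_identifier(text)
    zid = zone_id(fields)
    return {
        "zone_id": zid,
        "zone_name": ZONE_NAMES.get(zid) if zid is not None else None,
        "host_url": _get(fields, "HostUrl"),
        "referrer_url": _get(fields, "ReferrerUrl", "RefererUrl"),
        "host_ip": _get(fields, "HostIpAddress"),
        "writer": infer_writer(fields),
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read the stream off disk with the Win32 'file:stream' name syntax.

    Returns None when the stream is absent, the file is missing, or the
    volume is not NTFS (the cases in which no MOTW survives).
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return summarize(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, sample in [("chrome", SAMPLE_CHROME), ("ie", SAMPLE_IE_RESTRICTED),
                          ("edge", SAMPLE_EDGE), ("bypass", SAMPLE_SMARTSCREEN_BYPASS)]:
        print(label, summarize(sample))
```

Run it as a script to see the four constructed samples summarized, or point read_zone_identifier() at a downloaded file on an NTFS volume to read a real one. The heuristic is only as good as the table: on this page's tests IE, Firefox, Outlook and Skype all leave a bare ZoneId, so those cannot be told apart from the stream alone, and a Restricted-sites ZoneId=4 must not be confused with the AppZoneId=4 left by a SmartScreen bypass.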
5. What are the limitations of zone.identifier
“The Alternate Data Stream travels with the file as it’s copied between NTFS disks, but will be lost if the file is ever copied to a FAT file system disk (like many USB keys, CDs, etc) that doesn’t support ADS. If you use Windows Explorer to extract a ZIP file with the MotW ADS, it will be copied to each file extracted from the archive.” (Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/)
Didier Stevens wrote a post about propagation of ZoneIDs from ISO containers.
For example, if you open an ISO in Win10 and open the file, the file will not identify that it has come from the Internet (and I would guess if you copied it out it would not transfer the ZoneID with it).
Addendum: MacOS NTFS Drives
If you save a file to an NTFS drive using the Tuxera NTFS driver for MacOS you don’t get a ZoneID, but you do get Extended Attributes.
Program Execution:
On Win8, if a program is executed and SmartScreen is displayed, and the user bypasses SmartScreen to execute the application, then this will replace the ZoneID with “AppZoneId=4”. This is not to be confused with “ZoneID=4”, which would mean that the file came from a restricted zone.
I do not have a Win8 system to test this on, and was unable to replicate it on Win10.
This is another execution artefact, however.
Removing ZoneIDs:
If you download an executable from the web you will get a Security Warning. If you deselect “Always ask before opening this file” then the ZoneID will be removed.
Alternatively, if you go to the properties of the executable and select “Unblock” it will also remove the ZoneID.
Lastly, you can use the streams application (https://docs.microsoft.com/en-us/sysinternals/downloads/streams) by Mark Russinovich to remove ADSs.