Zone.Identifier (Mark of the Web)

windowsFilesystem & TimelineDisk Image

Location

<downloaded_file>:Zone.Identifier (NTFS Alternate Data Stream)

Description

NTFS alternate data stream automatically applied to files downloaded from the internet or received via email. Contains the ZoneId (3 = Internet, 4 = Restricted), ReferrerUrl, and HostUrl identifying the download source.

Forensic Value

Zone.Identifier provides definitive evidence of where a file was downloaded from. The ReferrerUrl field records the webpage that initiated the download, while HostUrl records the actual download server. This directly links a malicious executable to the phishing page or compromised website that delivered it. The ZoneId persists even if the file is moved within the NTFS volume, though it is lost when copied to non-NTFS media or extracted from ZIP archives.

Tools Required

KAPEPowerShell (Get-Content -Stream Zone.Identifier)Autopsystreams (Sysinternals)

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical