Zone.Identifier (Mark of the Web)

Windows, Filesystem & Timeline, Disk Image

Location

<downloaded_file>:Zone.Identifier (NTFS Alternate Data Stream)

Description

NTFS alternate data stream automatically applied to files downloaded from the internet or received via email. Contains the ZoneId (3 = Internet, 4 = Restricted), ReferrerUrl, and HostUrl identifying the download source.

Forensic Value

Zone.Identifier provides definitive evidence of where a file was downloaded from. The ReferrerUrl field records the webpage that initiated the download, while HostUrl records the actual download server. This directly links a malicious executable to the phishing page or compromised website that delivered it. The ZoneId persists even if the file is moved within the NTFS volume, though it is lost when copied to non-NTFS media or extracted from ZIP archives.

Tools Required

  • KAPE
  • PowerShell (Get-Content -Stream Zone.Identifier)
  • Autopsy
  • streams (Sysinternals)

Collection Commands

PowerShell

Get-Content -Path "C:\Users\<username>\Downloads\<file>" -Stream Zone.Identifier

streams

streams.exe -s "C:\Users\<username>\Downloads"

KAPE

kape.exe --tsource C: --tdest C:\output --target ZoneIdentifier

cmd

more < "C:\Users\<username>\Downloads\<file>:Zone.Identifier"
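The commands above only dump the raw stream; during triage you normally want the fields pulled out and the ZoneId translated before the record goes into a timeline. The following parser is an added example written for this page, not a tool from the page or from any of the listed projects. It parses the INI-style [ZoneTransfer] text that Windows writes into the stream, maps the numeric ZoneId to its URLZONE name, and reads the stream directly on an NTFS volume when run on Windows. The sample stream contents and URLs are constructed for illustration. Absence of the stream is reported as None rather than as "not downloaded", in line with the collection constraint that a missing Mark of the Web is inconclusive.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values as written by Windows into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of a Zone.Identifier stream (not from a real case).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://invoice-portal.example/login\r\n"
    "HostUrl=https://files.example/Invoice_2024.exe\r\n"
)


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]        # None when ZoneId is missing or not numeric
    zone_name: str                # human-readable URLZONE name, or "Unknown"
    referrer_url: Optional[str]   # page that initiated the download, if recorded
    host_url: Optional[str]       # server the bytes actually came from, if recorded


def parse_zone_identifier(text: str) -> Optional[ZoneIdentifier]:
    """Parse the contents of a Zone.Identifier stream.

    Returns None when the text carries no [ZoneTransfer] section or is not
    parseable, so the caller can tell "stream present but unusable" apart
    from a parsed record.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written (ZoneId, HostUrl, ...)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None

    section = parser["ZoneTransfer"]
    zone_id = None
    raw_zone = section.get("ZoneId")
    if raw_zone is not None and raw_zone.strip().isdigit():
        zone_id = int(raw_zone.strip())

    return ZoneIdentifier(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, "Unknown"),
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Read <path>:Zone.Identifier from an NTFS volume (Windows only).

    Returns None when the stream cannot be opened. Treat that as
    inconclusive: the file may have been copied from non-NTFS media,
    unblocked by the user, or never marked in the first place.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    record = parse_zone_identifier(SAMPLE_STREAM)
    print(record)
    # On a live Windows host, point this at a downloaded file instead:
    # print(read_zone_identifier(r"C:\Users\<username>\Downloads\<file>"))
```

Run it as-is to see the sample record parsed; on a Windows host, call read_zone_identifier with the path of the downloaded file and it opens the alternate data stream through the normal file API, which is the same stream the Get-Content and more commands above display.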

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1566.001
  • T1189
  • T1553.005