Forensic Analysis of the Zone.Identifier Stream

From digital-detective.net

Windows Powershell Get-Item List Alternate Data Streams

Zone Identifier, ADS and URL Zones

If you are new to the field of digital forensics, you may not be aware of Zone Identifiers, Alternate Data Streams (ADS) or URL Zones. If that is the case, then you have come to the right place. We shall explain all and show you exactly how they can help you during an investigation. First of all, we need to take a look at Alternate Data Streams.

What is an Alternate Data Stream?

As we know, files stored on an NTFS file system can have many different attribute types, these are the building blocks for the file. One of these attributes is $DATA, or simply called the data attribute. It is the part of the file where the actual data is stored. This data stream, sometimes referred to as the primary data stream, or more accurately the unnamed data stream, has no name associated with it. However, the NTFS file system supports multiple data streams, where the stream name identifies a new data attribute of a file. So how do we access these alternate streams?

Read more…