Did you notice this utter bullshit about Zone.Identifier files in the video?
I couldn’t believe my ears when Narrator talked about them being “potentially downloaded or copied over the network share”.
What a crap!
I also can’t believe that the authors of this video are not aware of what Alternate Data Streams are and how and when MS Windows creates the Zone.Identifier ADS for downloaded files.
Is it some kind of a marker that we do listen?
No, not crap.
That is not the only use of ADS to be sure, but it is an accurate statement. Hackers hide tools there too. You can add any data as an ADS with the basic Windows command line, and ADS was featured in a recent forensics challenge. Autopsy and the underlying Sleuthkit tools made short work of the challenge.
John_Lehr, thank you, but your reply is kinda useless.
I’m well aware what ADS are and how one can abuse them.
The narrator says: “…if you want to go to where that file was downloaded to, you can right click and you can say “view file in directory” and that will bring you to the current location and show you that file in its downloaded location”
The table on the next screenshot is different from the one on the previous screenshot, so I concluded that it IS the downloaded location (I’m not THAT familiar with the autopsy interface).
The narrator says: “as you can see here in the same view we have also parsed zone.identifier files which also files that are potentially downloaded or copied into…”
This is an extremely confusing statement in itself. There is no mention that Zone.Identifier is metadata linked to a file, and the narrator carelessly talks about them as if they were separate files that could be moved.
Throw the “downloaded location” into this boiler and you will get why I called bullshit.
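For readers following the ADS point made above (the command-line creation mentioned in the first reply and the "metadata linked to a file" point in the last post), here is an added PowerShell example that is not part of this thread: it attaches a constructed Zone.Identifier stream to a scratch file, enumerates the file's streams, parses the zone, and removes it. The scratch path under `$env:TEMP` and the ZoneId/HostUrl values are assumptions for the demonstration, and the volume must be NTFS.

```powershell
# Added example (not from the thread): show that Zone.Identifier is a named
# alternate data stream attached to a file record, not a separate file.
# Assumed scratch location; any path on an NTFS volume works.
$path = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $path -Value 'primary stream content'

# Constructed Mark-of-the-Web content. ZoneId=3 is the Internet zone,
# which is what browsers normally write for a downloaded file.
$motw = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/download/"
Set-Content -Path $path -Stream 'Zone.Identifier' -Value $motw

# Enumerate every stream on the file. The unnamed data stream shows as
# ':$DATA'; 'Zone.Identifier' is a named stream on the same file record.
Get-Item -Path $path -Stream * | Select-Object Stream, Length

# Read the ADS back and extract the zone number, as a forensic tool would.
$content = Get-Content -Path $path -Stream 'Zone.Identifier' -Raw
if ($content -match 'ZoneId=(\d+)') {
    $zoneId = [int]$Matches[1]
    $zoneName = switch ($zoneId) {
        0 { 'Local machine' }
        1 { 'Local intranet' }
        2 { 'Trusted sites' }
        3 { 'Internet' }
        4 { 'Restricted sites' }
        default { "Unknown ($zoneId)" }
    }
    Write-Output "Zone.Identifier present: ZoneId=$zoneId ($zoneName)"
}

# Unblock-File deletes only the Zone.Identifier stream; the primary
# stream and the file itself are untouched.
Unblock-File -Path $path
(Get-Item -Path $path -Stream *).Stream   # now lists only ':$DATA'

Remove-Item -Path $path
```

Because the stream lives in the NTFS file record, copying the file to a FAT/exFAT volume or into most archive formats silently drops it, which is why its presence only tells an examiner where the file came from, never where it was later moved to.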