Thursday, November 1, 2012

Check if file has been downloaded from Internet

To check this, we use the Alternate Data Stream (ADS) properties of the file.

If a file has been downloaded from the Internet or another untrusted zone, Windows adds a Zone.Identifier:$DATA ADS to the file.

You can check for ADS on files with the dir command or the Sysinternals streams.exe tool.

dir /r c:\

streams.exe -s c:\users\etanirer

Example output:

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals -
   :Zone.Identifier:$DATA       26
   :Zone.Identifier:$DATA       26
   :Zone.Identifier:$DATA       26
c:\users\etanirer\desktop\IPhone45111\Yeni klas÷r\iPhone3,
   :Zone.Identifier:$DATA       26
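
The same check can be scripted, and the stream's content read, with PowerShell 3.0 or later. This is an added example, not part of the original post; the function name Get-DownloadZone and the scanned path are assumptions chosen for illustration.

```powershell
# Added example: list files under a directory that carry a Zone.Identifier
# stream and decode the ZoneId stored in it (PowerShell 3.0+, NTFS volumes).

# Standard URL security zone numbers used in the ZoneId field.
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-DownloadZone {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # directory to scan, supplied by the caller
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName

            # Returns nothing (error suppressed) when the stream is absent.
            $ads = Get-Item -LiteralPath $file -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if (-not $ads) { return }

            # The stream is INI-style text: "[ZoneTransfer]" then "ZoneId=N".
            $text = Get-Content -LiteralPath $file -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $zoneId = $null
            foreach ($line in $text) {
                if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') {
                    $zoneId = [int]$Matches[1]
                    break
                }
            }

            $known = ($null -ne $zoneId) -and $ZoneNames.ContainsKey($zoneId)
            $zoneName = if ($known) { $ZoneNames[$zoneId] } else { 'Unknown' }
            [pscustomobject]@{
                Path = $file; StreamLength = $ads.Length; ZoneId = $zoneId; Zone = $zoneName
            }
        }
}

# Assumed sample path: the current user's Downloads folder.
Get-DownloadZone -Path (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
```

A StreamLength of 26, as in the streams.exe output above, matches the two lines `[ZoneTransfer]` and `ZoneId=3` with CRLF line endings. The stream is only preserved on NTFS, so a file copied through a FAT volume or extracted by a tool that does not propagate it will show no zone information.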
