Thursday, November 1, 2012

Check if a file has been downloaded from the Internet

To check this, we use the alternate data stream (ADS) properties of a file.

If a file has been downloaded from the Internet or another untrusted zone, Windows adds a Zone.Identifier:$DATA ADS to the file.

You can check for ADS on files with the dir command or the Sysinternals streams.exe tool.

dir /r c:\

streams.exe -s c:\users\etanirer

Example output:


Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\users\etanirer\desktop\C2ADPhotosSetupEN.exe:
   :Zone.Identifier:$DATA       26
c:\users\etanirer\desktop\DeployingWindows7EssentialGuidance.pdf:
   :Zone.Identifier:$DATA       26
c:\users\etanirer\desktop\Siteauth.reg:
   :Zone.Identifier:$DATA       26
c:\users\etanirer\desktop\IPhone45111\Yeni klas÷r\iPhone3,1_5.1.1_9B206_Restore.zip:
   :Zone.Identifier:$DATA       26
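
To go from "the stream exists" to "which zone was recorded", the following added example (not part of the original post) parses streams.exe output like the listing above and reads the ZoneId value from the stream content. The sample path, sample data and function names are constructed for illustration; `read_zone` assumes Windows with an NTFS volume.

```python
# Added example; the sample data below is constructed, not captured from a real system.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Typical stream content for an Internet download: 26 bytes, the size listed above.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"

SAMPLE_OUTPUT = (
    "Streams v1.56 - Enumerate alternate NTFS data streams\n"
    "c:\\users\\example\\desktop\\setup.exe:\n"
    "   :Zone.Identifier:$DATA       26\n"
    "c:\\users\\example\\desktop\\notes.txt:\n"
    "   :other:$DATA       5\n"
)

def parse_zone_identifier(text):
    """Return the ZoneId (int) from Zone.Identifier stream content, or None."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None

def files_with_zone_stream(streams_output):
    """Parse streams.exe output; return paths that carry a Zone.Identifier stream."""
    hits, current = [], None
    for line in streams_output.splitlines():
        if line[:1].isspace():  # indented line: a stream of the current file
            if current and line.strip().lower().startswith(":zone.identifier:$data"):
                hits.append(current)
        elif line.rstrip().endswith(":"):  # "path:" line starts a new file entry
            current = line.rstrip()[:-1]
    return hits

def read_zone(path):
    """Read the stream with the path:stream syntax (Windows, NTFS only)."""
    try:
        with open(str(path) + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream, non-NTFS volume, or not Windows

if __name__ == "__main__":
    for path in files_with_zone_stream(SAMPLE_OUTPUT):
        print(path, ZONES.get(parse_zone_identifier(SAMPLE_STREAM), "unknown"))
```
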



