Zone.Identifier

Definition


Zone.Identifier is an Alternate Data Stream introduced in Windows XP operating systems that are created alongside files downloaded from the Internet. Windows uses the Zone.Identifier stream to store security information.

Source: Zone Identifier ADSs, Sanderson Forensics: http://www.sandersonforensics.com/Files/ZoneIdentifier.pdf

Introduction


The Zone.Identifier stream generates a security warning pop-up window that asks the user if the file should be opened. The user can delete the Zone.Identifier stream by unchecking the "Always ask before opening this file" box or by checking the properties of the file and clicking the "Unblock" button.

The Zone.Identifier stream can provide information about the origin of files in a file system, but the stream generally has no archival value and does not need to be selected for long-term preservation.

Related terms


  • Alternative Data Stream
  • Bitstream
  • URL

References


Zone Identifier ADSs, Sanderson Forensics: http://www.sandersonforensics.com/Files/ZoneIdentifier.pdf.

Microsoft Developer Network. 5.6.1 Zone.Identifier Stream Name.https://msdn.microsoft.com/en-us/library/dn392609.aspx

http://cyberforensicator.com/2018/06/26/where-did-it-come-from-forensic-analysis-of-zone-identifier/