Zone Identifiers are an artifact that reside in alternate data streams within an NTFS volume. This artifact is used to determine the origins of a file on a disk.
Note
In Windows XP, only executable files will be tagged with a Zone Identifier. Later operating systems will tag all files.
- File - Creation
- File - Origin
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
- Windows XP
This artifact is present in an alternate data stream (ADS) of the file of interest for analysis.
- FTK Imager
- KAPE
- MFTEcmd
The following Zone IDs are available:
| Zone ID | Description |
|---|---|
| -1 | No Zone |
| 0 | My Computer |
| 1 | Intranet |
| 2 | Trusted |
| 3 | Internet (AKA Mark of the Web) |
| 4 | Untrusted |
A Zone Identifier of 4 indicates that Microsoft SmartScreen has determined a file is suspicious.
As an example, a Zone.Identifier file may look like this:
[ZoneTransfer]
ZoneId=3
ReferrerUrl=http:https://example.com/example.exe
HostUrl=http:https://example.com/example.exe
In this example, in addition to the Zone Identifier being present, the associated URLs are also noted as well. This behavior is dependent on the application used to download the file. Browsers such as Chrome and Microsoft Edge will append this information to the Zone.Identifier file.
Important
Some software does not assign Zone Identifiers to files that originate from the internet, such as git. Other software, such as 7zip, may or may not assign Zone Identifiers.