Downloaded Files Information
Overview
Evidence: Downloaded Files Information
Description: Collect information about downloaded files
Category: System
Platform: windows
Short Name: dli
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows marks files downloaded from the Internet with Zone Identifier information stored in an Alternate Data Stream (ADS) named Zone.Identifier. This ADS contains metadata about the download including the source URL and referrer.
The Downloads folder is the default location where browsers and other applications save downloaded files. Analyzing these files and their Zone Identifier information can reveal what files were downloaded and from where.
Data Collected
This collector gathers structured data about downloaded files.
Downloaded Files Information Data
ZoneIdentifier: Whether file has Zone Identifier ADS (example: TRUE)
ZoneIdentifierHostURL: URL where file was downloaded from (example: https://example.com/malware.exe)
ZoneIdentifierReferrerURL: Referring URL (example: https://example.com/downloads.html)
Collection Method
This collector:
- Searches for all Users\*\Downloads folders
- Recursively enumerates all files in Downloads folders
- For each file, reads the Zone.Identifier ADS if present
- Parses the Zone Identifier for HostUrl and ReferrerUrl
- Collects file metadata including hash and signature
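The enumeration and parsing steps above, as an added Python example that is not the collector's own code. It assumes the stream uses the standard [ZoneTransfer] INI layout; the function names are hypothetical and the sample stream is constructed from this page's example URLs.

```python
import os

EMPTY = {"ZoneIdentifier": False, "ZoneIdentifierHostURL": "",
         "ZoneIdentifierReferrerURL": ""}

# Constructed sample of a stream body, using this page's example URLs.
SAMPLE = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
          b"ReferrerUrl=https://example.com/downloads.html\r\n"
          b"HostUrl=https://example.com/malware.exe\r\n")


def parse_zone_identifier(raw: bytes) -> dict:
    """Turn raw Zone.Identifier bytes into the three fields listed above."""
    # Defensive assumption: accept a UTF-16 BOM as well as ANSI/UTF-8 text.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    values, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            # Split on the first "=" only, so URL query strings stay intact.
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return {"ZoneIdentifier": True,
            "ZoneIdentifierHostURL": values.get("hosturl", ""),
            "ZoneIdentifierReferrerURL": values.get("referrerurl", "")}


def read_zone_identifier(path: str) -> dict:
    """Open <path>:Zone.Identifier (NTFS on Windows); absent stream -> unmarked."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return dict(EMPTY)


def scan_downloads(root: str):
    """Recursively enumerate one Downloads folder, one record per file."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            yield {"Path": path, **read_zone_identifier(path)}


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

A file with no stream is reported with ZoneIdentifier false rather than skipped, so unmarked files in a Downloads folder remain visible in the output.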
Forensic Value
Downloads folder analysis is crucial for identifying malware delivery, phishing attacks, and data exfiltration staging. Investigators use this data to identify malicious downloads, trace download sources and referrers, establish download timelines, detect phishing attack vectors, identify staged exfiltration data, and correlate downloads with browser history and network activity.

