Downloaded Files Information

Overview

Evidence: Downloaded Files Information
Description: Collect Information About Downloaded Files
Category: System
Platform: Windows
Short Name: dli
Is Parsed: Yes - File information and Zone Identifier data extracted
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows marks files downloaded from the Internet with Zone Identifier information stored in an Alternate Data Stream (ADS) named Zone.Identifier. This ADS contains metadata about the download including the source URL and referrer.

The Downloads folder is the default location where browsers and other applications save downloaded files. Analyzing these files and their Zone Identifier information can reveal what files were downloaded and from where.

Data Collected

In addition to the standard file information columns (path, size, timestamps, hash, signature) collected for each downloaded file, the following Zone Identifier fields are recorded:

Field                      Description                                Example
ZoneIdentifier             Whether the file has a Zone Identifier     TRUE
                           ADS
ZoneIdentifierHostURL      URL the file was downloaded from           https://example.com/malware.exe
ZoneIdentifierReferrerURL  Referring URL                              https://example.com/downloads.html

Collection Method

This collector:

  • Searches for all Users\*\Downloads folders

  • Recursively enumerates all files in Downloads folders

  • For each file, reads the Zone.Identifier ADS if present

  • Parses the Zone Identifier for HostUrl and ReferrerUrl

  • Collects file metadata including hash and signature
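The enumeration and parsing steps above, as an added example in Python (this is not the collector's own code): it walks each Users\*\Downloads folder, reads the Zone.Identifier ADS by opening the NTFS stream path <file>:Zone.Identifier, parses ZoneId, HostUrl and ReferrerUrl from the [ZoneTransfer] block, and records size, modification time and SHA-256 hash per file. The sample stream contents are constructed; the live walk only yields Zone Identifier data on Windows/NTFS, and Authenticode signature checking is left out because it requires the Windows API.

```python
import glob
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Security zone numbering used by Windows for the ZoneId value.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

# Constructed sample of a Zone.Identifier stream (CRLF endings as Windows writes them).
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads.html\r\n"
    "HostUrl=https://example.com/malware.exe\r\n"
)


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]
    host_url: Optional[str]
    referrer_url: Optional[str]


def parse_zone_identifier(text: str) -> ZoneIdentifier:
    """Parse the INI-style [ZoneTransfer] block of a Zone.Identifier stream.

    Keys may appear in any order; a missing key yields None so callers can
    tell "marked, but no URL recorded" from "not marked at all".
    """
    zone_id = host_url = referrer_url = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            zone_id = int(value) if value.isdigit() else None
        elif key == "hosturl":
            host_url = value
        elif key == "referrerurl":
            referrer_url = value
    return ZoneIdentifier(zone_id, host_url, referrer_url)


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Return the parsed Zone.Identifier ADS of `path`, or None if absent.

    On NTFS the stream is opened as '<path>:Zone.Identifier'. Files with no
    stream (never marked, mark removed, or copied to non-NTFS) raise
    FileNotFoundError, which is reported as None rather than an error.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_downloads(roots=None):
    """Walk Users\\*\\Downloads (or the given roots) and return one record per file."""
    if roots is None:
        drive = os.environ.get("SystemDrive", "C:") + os.sep
        roots = glob.glob(os.path.join(drive, "Users", "*", "Downloads"))
    records = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                    digest = sha256_of(full)
                except OSError:
                    continue  # unreadable or vanished between listing and open
                zi = read_zone_identifier(full)
                records.append({
                    "Path": full,
                    "Size": st.st_size,
                    "Modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                    "SHA256": digest,
                    "ZoneIdentifier": zi is not None,
                    "ZoneId": zi.zone_id if zi else None,
                    "ZoneIdentifierHostURL": zi.host_url if zi else None,
                    "ZoneIdentifierReferrerURL": zi.referrer_url if zi else None,
                })
    return records


if __name__ == "__main__":
    zi = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print("sample stream:", ZONE_NAMES.get(zi.zone_id), zi.host_url, zi.referrer_url)
    for rec in collect_downloads():
        print(rec["Path"], rec["SHA256"][:16], rec["ZoneIdentifierHostURL"])
```

A file that is marked but carries no HostUrl is reported with ZoneIdentifier TRUE and an empty URL, which matches what the collector's table shows when a download tool writes only the ZoneId line.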

Usage

Downloads folder analysis is crucial for identifying malware delivery, phishing attacks, and data exfiltration staging. Investigators use this data to identify malicious downloads, trace download sources and referrers, establish download timelines, detect phishing attack vectors, identify staged exfiltration data, and correlate downloads with browser history and network activity.

Known Limitations

  • Zone Identifier can be removed by users or tools

  • Some download methods don't create Zone Identifier

  • Users may download to non-default locations

  • Zone Identifier is lost when files are copied (not moved)

Notes

Zone Identifier information is stored in an ADS named Zone.Identifier, addressed by appending :Zone.Identifier to the file path, and can be viewed with notepad <filename>:Zone.Identifier or similar tools. The presence of a Zone Identifier indicates the file was downloaded from the Internet or another security zone.
