Live Discover Query + Response in combination for file source investigation

  REVIEWED by Sophos 

I'm not aware that the current version of Live Query, at least on Windows, can obtain the equivalent of extended attributes of a file. That said, if you see a file in Live Query that you would like some more information on, i.e. the download source of the file, in this case "C:\users\jak\downloads\Autoruns.exe", you could run:

select size from file where path='C:\users\jak\downloads\Autoruns.exe:Zone.Identifier';

Here, using the 'file' table, we can access other streams of the file on NTFS. In this case we are getting the 'size' of the stream named 'Zone.Identifier'. If the query returns a result (the size comes back as > 0), then we know the file was most likely downloaded via a browser on this device, as this stream is added to store a few attributes about the file.

This metadata can be seen using the Get-Content cmdlet (alias gc) of PowerShell. For example, via Live Response, you could run:

gc -Stream Zone.Identifier -Path .\Autoruns.exe

This might return something like:

[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://live.sysinternals.com/Autoruns.exe
HostUrl=http://live.sysinternals.com/Autoruns.exe

Where the ZoneId values are:

0 = "Local machine"
1 = "Local intranet"
2 = "Trusted sites"
3 = "Internet"
4 = "Restricted sites"

This shows that the file in question was downloaded from live.sysinternals.com, which is deemed to be in the Internet zone for this device, as you might expect.

Note: Not all browsers record all of this; see https://www.hecfblog.com/2018/06/daily-blog-402-solution-saturday-62318.html for information as a guide.

Of course, the metadata in this stream:

  • Could be removed.
    • This can be done via Explorer if you unblock the file on the Properties - General page.
    • This can also be done using the PowerShell cmdlet Unblock-File, e.g. Unblock-File .\Autoruns.exe
  • Could be updated with false information but that seems unlikely.

Hope it's interesting.

Jak
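
An added example (not part of the original post and not Sophos code): a PowerShell function that could be run on the device, e.g. via Live Response, to read the Zone.Identifier stream of every file in a folder and report the zone and URLs in one table. The function name Get-ZoneInfo and the folder path in the last line are assumptions; a missing stream is reported as such rather than treated as proof the file was not downloaded, since the stream can be removed as described above.

```powershell
# Added example: list Zone.Identifier details for every file in a folder.
# Get-ZoneInfo is a name chosen for this sketch; it is not a built-in cmdlet.
function Get-ZoneInfo {
    param(
        [Parameter(Mandatory)][string]$Path   # folder to inspect, e.g. a Downloads directory
    )
    # ZoneId values as listed in the post
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }

    foreach ($file in Get-ChildItem -LiteralPath $Path -File) {
        # Check whether the stream exists; a missing stream is not an error here.
        $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $stream) {
            # No stream: not written by the downloading program, or removed (e.g. Unblock-File)
            [pscustomobject]@{ File = $file.Name; HasStream = $false; ZoneId = $null
                               Zone = $null; ReferrerUrl = $null; HostUrl = $null }
            continue
        }
        # Parse key=value lines; split on the first '=' only, because URLs can contain '='.
        # The [ZoneTransfer] section header has no '=' and is skipped by the pattern.
        $kv = @{}
        foreach ($line in Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier) {
            if ($line -match '^\s*([^=\[\s]+)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
        }
        # -as [int] yields $null for a non-numeric value instead of throwing
        $zoneId = if ($kv.ContainsKey('ZoneId')) { $kv['ZoneId'] -as [int] } else { $null }
        [pscustomobject]@{
            File        = $file.Name
            HasStream   = $true
            ZoneId      = $zoneId
            Zone        = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { $null }
            ReferrerUrl = $kv['ReferrerUrl']   # $null when the browser did not record it
            HostUrl     = $kv['HostUrl']
        }
    }
}

# Example call; the folder is the one used in the post's query.
Get-ZoneInfo -Path 'C:\users\jak\downloads' | Format-Table -AutoSize
```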