Table Request: zone_identifier (Windows)
What is being requested?
A new table called zone_identifier which can be JOINed against the file table to display any corresponding Zone.Identifier data that a file might possess.
This is similar to the extended_attributes table on macOS and Linux, which the file table can be joined against to provide additional metadata about a file, such as its contents and its source of origin.
What is Zone Identifier Information?
On Windows, the source of origin for any downloaded file is recorded in a separate sidecar metadata file called Zone.Identifier, which is a type of Alternate Data Stream (ADS).
Zone.Identifier streams can be viewed by inspecting the contents of a given file path appended with :Zone.Identifier
We can recursively search for streams using the SysInternals tool streams.exe
C:\Users\kolide-lenovo\Downloads\Streams>.\streams64.exe -s C:\Users\kolide-lenovo\Downloads\
streams v1.60 - Reveal NTFS alternate streams.
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\kolide-lenovo\Downloads\1Password Emergency Kit.pdf:
:Zone.Identifier:$DATA 145
C:\Users\kolide-lenovo\Downloads\CheckWindowsSecurityCenter.ps1:
:Zone.Identifier:$DATA 26
C:\Users\kolide-lenovo\Downloads\Firefox Installer (1).exe:
:Zone.Identifier:$DATA 208
C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip:
:Zone.Identifier:$DATA 135
C:\Users\kolide-lenovo\Downloads\kolide-launcher(1)(1).msi:
:Zone.Identifier:$DATA 693
The contents of a Zone.Identifier file look like the following:
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.ks-soft.net/hostmon.eng/downpage.htm
HostUrl=https://www.ks-soft.net/download/wmiexplorer.zip
We can see that this stream is a file containing a section [ZoneTransfer], in which a transfer zone ID (ZoneId) is specified. (These are the security zones that can be found in IE settings.) The transfer zone ID can contain one of the five values from 0 to 4. For more information refer to Microsoft Documentation Portal: Zone Identifiers
- ZoneId=0: Local machine
- ZoneId=1: Local intranet
- ZoneId=2: Trusted sites
- ZoneId=3: Internet
- ZoneId=4: Restricted sites
Likewise we can see multiple potential values are stored alongside this ZoneId, such as:
- ReferrerUrl
- HostUrl
- HostIpAddress
- LastWriterPackageFamilyName
What is the utility of this data?
If you were engaged in a forensics or IR scenario wherein you wished to identify the source of a given piece of downloaded malware, the Zone.Identifier ADS could potentially store the quarantine information for that download.
Proposed Osquery Implementation
I think this data would be best suited to the EAV format approach with the following output for example:
SELECT * FROM zone_identifiers WHERE path = 'C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip'
+--------------------------------------------------+----------------+-------------+--------------------------------------------------+
| path | key | subkey | value |
+--------------------------------------------------+----------------+-------------+--------------------------------------------------+
| C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip | [ZoneTransfer] | ZoneId | 3 |
| C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip | [ZoneTransfer] | ReferrerUrl | https://www.ks-soft.net/hostmon.eng/downpage.htm |
| C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip | [ZoneTransfer] | HostUrl | https://www.ks-soft.net/download/wmiexplorer.zip |
+--------------------------------------------------+----------------+-------------+--------------------------------------------------+
Additional Reading and Sources
Highway To The Danger Zone.Identifier (June 18, 2018 ~ JACO)
Zone Identifier == kMDItemWhereFroms? (June 17, 2018 ~ Phill Moore)
About URL Security Zones (Microsoft API Documentation)
Alternate Data Streams Documentation (February 14, 2019 ~ Microsoft Open Specifications)
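As a worked illustration of the proposed EAV output, the following script parses the INI-style text of a Zone.Identifier stream into (path, key, subkey, value) rows and maps the ZoneId to its security-zone name. This is an added example written for this issue, not code from launcher or osquery; the sample stream is constructed to mirror the wmiexplorer.zip stream shown above, and read_zone_identifier assumes it runs on Windows against an NTFS volume, where Python's open() accepts the file:Zone.Identifier stream syntax.

```python
# Added example (not launcher or osquery code): parse a Windows
# Zone.Identifier alternate data stream into the (path, key, subkey, value)
# rows proposed for the zone_identifier table.

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(path, stream_text):
    """Turn the INI-style text of a Zone.Identifier stream into EAV rows.

    Each row mirrors the proposed table: path, key (the INI section, kept
    with its brackets as in the proposed output), subkey and value. Lines
    are split on the first '=' only, so URLs containing '=' in a query
    string are preserved intact. Keys that appear before any section
    header are malformed and skipped.
    """
    rows = []
    section = None
    for raw_line in stream_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line
            continue
        if section is None:
            continue  # key=value before any [Section]: malformed, skip
        subkey, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        rows.append({
            "path": path,
            "key": section,
            "subkey": subkey.strip(),
            "value": value.strip(),
        })
    return rows


def zone_of(rows):
    """Return (ZoneId, zone name) from parsed rows.

    Returns (None, None) when there is no [ZoneTransfer] ZoneId or it is
    not an integer; the name is None when the id is outside 0..4.
    """
    for row in rows:
        if row["key"] == "[ZoneTransfer]" and row["subkey"] == "ZoneId":
            try:
                zone_id = int(row["value"])
            except ValueError:
                return None, None
            return zone_id, ZONE_NAMES.get(zone_id)
    return None, None


def read_zone_identifier(path):
    """Read and parse the stream from disk (assumes Windows + NTFS).

    A file with no Mark-of-the-Web (never downloaded, or the ADS was
    stripped) raises FileNotFoundError, and a non-NTFS volume rejects the
    ':' in the name with OSError; both are reported as an empty row list.
    """
    stream_path = f"{path}:Zone.Identifier"
    try:
        with open(stream_path, "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(path, fh.read())
    except OSError:
        return []


# Constructed sample stream, mirroring the wmiexplorer.zip example above.
SAMPLE_PATH = r"C:\Users\kolide-lenovo\Downloads\wmiexplorer.zip"
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://www.ks-soft.net/hostmon.eng/downpage.htm\r\n"
    "HostUrl=https://www.ks-soft.net/download/wmiexplorer.zip\r\n"
)


if __name__ == "__main__":
    sample_rows = parse_zone_identifier(SAMPLE_PATH, SAMPLE_STREAM)
    for row in sample_rows:
        print(f"{row['path']} | {row['key']} | {row['subkey']} | {row['value']}")
    print(zone_of(sample_rows))
```

Running it on the constructed sample prints the same three rows as the proposed SELECT output, plus (3, 'Internet'). Pointing read_zone_identifier at a real download on an NTFS volume reads the live stream; splitting only on the first '=' matters in practice because ReferrerUrl and HostUrl routinely carry query strings.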
This feels like something there should be an API for, and thus would probably be cleaner in osquery directly
Relates to https://github.com/osquery/osquery/issues/5250
osquery is starting to play with this in https://github.com/osquery/osquery/pull/8190 and I wonder if that's going to meet our needs.
Though I wonder how this EAV data will fit.