Downloaded Files Information
Overview
Section titled “Overview”Evidence: Downloaded Files Information
Description: Collect information about downloaded files
Category: System
Platform: windows
Short Name: dli
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”Windows marks files downloaded from the Internet with Zone Identifier information stored in an Alternate Data Stream (ADS) named Zone.Identifier. This ADS contains metadata about the download including the source URL and referrer.
The Downloads folder is the default location where browsers and other applications save downloaded files. Analyzing these files and their Zone Identifier information can reveal what files were downloaded and from where.
Data Collected
Section titled “Data Collected”This collector gathers structured data about downloaded files information.
Downloaded Files Information Data
Section titled “Downloaded Files Information Data”| Field | Description | Example |
|---|---|---|
ZoneIdentifier | Whether file has Zone Identifier ADS | TRUE |
ZoneIdentifierHostURL | URL where file was downloaded from | https://example.com/malware.exe |
ZoneIdentifierReferrerURL | Referring URL | https://example.com/downloads.html |
Collection Method
Section titled “Collection Method”This collector:
- Searches for all
Users\*\Downloadsfolders - Recursively enumerates all files in Downloads folders
- For each file, reads the
Zone.IdentifierADS if present - Parses the Zone Identifier for HostUrl and ReferrerUrl
- Collects file metadata including hash and signature
Forensic Value
Section titled “Forensic Value”Downloads folder analysis is crucial for identifying malware delivery, phishing attacks, and data exfiltration staging. Investigators use this data to identify malicious downloads, trace download sources and referrers, establish download timelines, detect phishing attack vectors, identify staged exfiltration data, and correlate downloads with browser history and network activity.