Operator On The Wire

Zone.Identifier

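# List the Zone.Identifier stream attached to each file in the current directory
Get-Item * -Stream Zone.Identifier -ErrorAction SilentlyContinue

# Read the contents of each Zone.Identifier stream
Get-Content * -Stream Zone.Identifier -ErrorAction SilentlyContinue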

The Zone.Identifier stream helps answer:

  • Was the file downloaded?
  • From where?
  • Via which URL?
  • Did the user click something?
  • Was it copied internally instead?

Zone IDs Meaning

ZoneId  Meaning
0       Local Machine
1       Local Intranet
2       Trusted Sites
3       Internet
4       Restricted
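
The questions and zone table above can be answered for a whole folder with a small parser. This is an added example, not code from the original page: the function name Get-ZoneIdentifierInfo is hypothetical, and it assumes the stream holds the usual [ZoneTransfer] section with a ZoneId key and, optionally, ReferrerUrl and HostUrl keys.

```powershell
# Added example: triage Zone.Identifier streams in a folder.
# Zone names come from the table above. ReferrerUrl and HostUrl are optional
# keys in the stream, so those columns can be empty.
$ZoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted'
}

function Get-ZoneIdentifierInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # The stream is INI-style text: a [ZoneTransfer] header, then key=value lines.
            $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if (-not $lines) { return }   # no Zone.Identifier stream on this file

            $kv = @{}
            foreach ($line in $lines) {
                # Split on the first '=' only, because URLs contain '=' themselves.
                $name, $value = $line -split '=', 2
                if ($null -ne $value) { $kv[$name.Trim()] = $value.Trim() }
            }

            # A missing or non-numeric ZoneId is reported as Unknown rather than guessed.
            $zone = $null
            $parsed = 0
            if ([int]::TryParse([string]$kv['ZoneId'], [ref]$parsed)) { $zone = $parsed }

            [pscustomobject]@{
                File        = $file.FullName
                ZoneId      = $zone
                Zone        = if ($null -ne $zone -and $ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'Unknown' }
                ReferrerUrl = $kv['ReferrerUrl']
                HostUrl     = $kv['HostUrl']
                Modified    = $file.LastWriteTime
            }
        }
}

# Example run against the current directory, highest zone first.
Get-ZoneIdentifierInfo -Path . | Sort-Object ZoneId -Descending | Format-Table -AutoSize
```

Files that return no row have no Zone.Identifier stream, which is the case to weigh against the "copied internally instead" question.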