See where you downloaded a file from

Do you have forgotten files on your computer that you can't remember where you downloaded them from? Even their name doesn't mean anything to you? Here are three ways to discover their source.

windows ntfs metadata 2

You may have downloaded a file months or even years ago and don't remember where you downloaded it from. You can find it by simply reading the Alternate Data Streams file.

FYI, when you download a file and save it to an NTFS volume, information about the file is stored in NTFS alternate data streams (ADS).

The alternate data streams contain the ZoneID, HostUrlAnd ReferrerUrl.

What is Alternate Data Streams

Alternate Data Streams (ADS) is a file attribute found only in the NTFS file system.

In the NTFS system, when a file is created, it also contains some attributes, one of which is the $Data, or data attribute. It just contains a text inside the file.

Normally these data streams are empty (“”). Anything written in there is considered alternative information.

This data information has a bad reputation since it has been used to write hidden data. Any discrepancy in data unrelated to where a file came from is considered malware (eg Backdoor.Rustock.A)

Determine if ADSs are present

The ADS information will be intact unless you use the “unblock” option in the file properties or move it to a FAT32 system.

To see if there is any information open the Command Prompt and navigate to the folder containing the file you are interested in. There run the command:
dir /r

windows ntfs metadata 1

If the directory listing displays the Zone.Identifier:$DATA in a file, this means that the ZoneID for that file is intact.

If you see it size only 50 bytes then it essentially contains no important information. If it has a bigger size then everything you want to know is in there!.

To read the fields ZoneID, HostUrlAnd ReferrerUrl in this file, use one of the following methods.

Using the notebook

In our example to read the Zone ID for the file “03_ACCESSIBILITY_22.pdf”, write the following:

notepad 03_ACCESSIBILITY_22.pdf:Zone.Identifier

windows ntfs metadata 2

There you will see ZoneId, ReferrerUrl, and HostUrl.

Note that in all three solutions, if the file name has spaces then you need to put trailing words in it, like for example :
notepad "MOBILE INTERACTION DESIGN.pdf:Zone.Identifier"

Using the more command

In the Command Line write the following command:

more < 03_ACCESSIBILITY_22.pdf:Zone.Identifier

windows ntfs metadata 3

The above command displays the required information on the console screen itself.

Using PowerShell

You can also view the ZoneID information with PowerShell.

Change to the directory containing the file, then run:
get-content -path "03_ACCESSIBILITY_22.pdf" -stream zone.identifier

windows ntfs metadata 4

The “ZoneID” value can be 2, 3, or 4. Internet zone is “2”, Intranet zone is “3”, and Restricted sites is 4.

“HostUrl” is the direct download from where the file was downloaded.

“ReferrerUrl” is the referrer page from where you clicked the download link.

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Written by Dimitris

Dimitris hates on Mondays .....

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).