Do you have forgotten files on your computer that you can't remember where you downloaded them from? Even their name doesn't mean anything to you? Here are three ways to discover their source.
You may have downloaded a file months or even years ago and don't remember where you downloaded it from. You can find it by simply reading the Alternate Data Streams file.
FYI, when you download a file and save it to an NTFS volume, information about the file is stored in NTFS alternate data streams (ADS).
The alternate data streams contain the ZoneID, HostUrlAnd ReferrerUrl.
Table of Contents
What is Alternate Data Streams
Alternate Data Streams (ADS) is a file attribute found only in the NTFS file system.
In the NTFS system, when a file is created, it also contains some attributes, one of which is the $Data, or data attribute. It just contains a text inside the file.
Normally these data streams are empty (“”). Anything written in there is considered alternative information.
This data information has a bad reputation since it has been used to write hidden data. Any discrepancy in data unrelated to where a file came from is considered malware (eg Backdoor.Rustock.A)
Determine if ADSs are present
The ADS information will be intact unless you use the “unblock” option in the file properties or move it to a FAT32 system.
To see if there is any information open the Command Prompt and navigate to the folder containing the file you are interested in. There run the command:
dir /r
If the directory listing displays the Zone.Identifier:$DATA in a file, this means that the ZoneID for that file is intact.
If you see it size only 50 bytes then it essentially contains no important information. If it has a bigger size then everything you want to know is in there!.
To read the fields ZoneID, HostUrlAnd ReferrerUrl in this file, use one of the following methods.
Using the notebook
In our example to read the Zone ID for the file “03_ACCESSIBILITY_22.pdf”, write the following:
notepad 03_ACCESSIBILITY_22.pdf:Zone.Identifier
There you will see ZoneId, ReferrerUrl, and HostUrl.
Note that in all three solutions, if the file name has spaces then you need to put trailing words in it, like for example :
notepad "MOBILE INTERACTION DESIGN.pdf:Zone.Identifier"
Using the more command
In the Command Line write the following command:
more < 03_ACCESSIBILITY_22.pdf:Zone.Identifier
The above command displays the required information on the console screen itself.
Using PowerShell
You can also view the ZoneID information with PowerShell.
Change to the directory containing the file, then run:
get-content -path "03_ACCESSIBILITY_22.pdf" -stream zone.identifier
The “ZoneID” value can be 2, 3, or 4. Internet zone is “2”, Intranet zone is “3”, and Restricted sites is 4.
“HostUrl” is the direct download from where the file was downloaded.
“ReferrerUrl” is the referrer page from where you clicked the download link.