Zone identifier ADS.

When a file is downloaded from the internet using Internet Explorer, an additional Alternate Data Stream (ADS) may be created named using the convention:


Where "downloaded-filename" is the name of a downloaded file. This is an alternative data stream file and contains security information which can be used to determine the publisher of the file.

Because it is an alternate data stream it is not normally visible. Its presence can be seen using some tools (such as Microsoft's Process Monitor, or some rootkit identification programs). It is only created on NTFS volumes, and only on Windows systems starting with XP SP2.

The contents of the zone identifier ADS can be viewed by at the command prompt using:

more < downloaded-filename:Zone.Identifier

Substituting the real filename (and path) for "downloaded-filename" in the above.

