NOTE - The resources needed for this challenge are on the Cyber Defense CTF Triage Workstation VM on our hosted platform.
Find out where the file forest_stream.jpg was downloaded from on the Triage Workstation and you'll have your flag!
This one was really quite easy.
First i just googled what a MOTW means which lead to understanding that it is called mark of the web. Which is a mark that is placed on files downloaded from the web that shows where the download took place.
Then i looked up how to identify this mark and found a powershell command to figure it out.
Get-Content -Path "yourfile.jpg" -Stream "Zone.Identifier"
This lead to the following link and the flag.
Flag = leveleffect{gently_down_the_stream}