
Security Identifier

Something else which stood out when analysing the file systems after content had been added was the block below. This block was found in both ReFS and NTFS, but could not be found on the FAT32 file system. This is because FAT does not support security descriptors (Microsoft, n.d.e).

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000780560  B8 00 00 00 10 00 5E 00 00 00 70 00 48 00 00 00 30 00 02 00 53 00 2D 00 31 00 2D 00 35 00 2D 00  ¸.....^...p.H...0...S.-.1.-.5.-.
000780580  32 00 31 00 2D 00 31 00 35 00 37 00 37 00 36 00 39 00 30 00 31 00 38 00 35 00 2D 00 31 00 39 00  2.1.-.1.5.7.7.6.9.0.1.8.5.-.1.9.
0007805A0  38 00 32 00 30 00 30 00 32 00 39 00 35 00 38 00 2D 00 33 00 32 00 35 00 31 00 33 00 31 00 38 00  8.2.0.0.2.9.5.8.-.3.2.5.1.3.1.8.
0007805C0  30 00 36 00 2D 00 31 00 30 00 30 00 31 00 00 00 02 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  0.6.-.1.0.0.1...................

The block shown above is taken from the ReFS drive, but an identical block appears on the NTFS drive and on each of the ReFS drives with the various modifications. It was not found on any of the drives before content was added.

After extracting the Security Identifier string and removing the interleaved zero bytes, it reads: S-1-5-21-1577690185-1982002958-325131806-1001

The table below identifies what each part means (with matching colours). It uses information from Carpio (2012) and Microsoft (n.d.f).

Value                              Meaning
S                                  Identifies that the following string of digits is a Security Identifier
1                                  Revision 1
5                                  "SECURITY_NT_AUTHORITY" - identifier authority (the entity which issues the SID)
21                                 "SECURITY_NT_NON_UNIQUE" - the value 21 is used when created by the local machine
1577690185-1982002958-325131806    The domain ID
1001                               Relative Identifier (RID)

The Security Identifier from the NTFS drive after "hellofolder" was added to the file system is shown below, using the same colours as above for highlighting the relevant parts of the identifier.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
040109560  25 00 00 00 00 00 01 00 CD 0B BE 46 7D 2B D0 01 4C D3 EB 46 7D 2B D0 01 4C D3 EB 46 7D 2B D0 01  %.......˜.¾F}+Ɖ.LÓËF}+Ɖ.LÓËF}+Ɖ.
040109580  4C D3 EB 46 7D 2B D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00  LÓËF}+Ɖ.........................
0401095A0  2D 00 53 00 2D 00 31 00 2D 00 35 00 2D 00 32 00 31 00 2D 00 31 00 35 00 37 00 37 00 36 00 39 00  -.S.-.1.-.5.-.2.1.-.1.5.7.7.6.9.
0401095C0  30 00 31 00 38 00 35 00 2D 00 31 00 39 00 38 00 32 00 30 00 30 00 32 00 39 00 35 00 38 00 2D 00  0.1.8.5.-.1.9.8.2.0.0.2.9.5.8.-.
0401095E0  33 00 32 00 35 00 31 00 33 00 31 00 38 00 30 00 36 00 2D 00 31 00 30 00 30 00 31 00 00 00 03 00  3.2.5.1.3.1.8.0.6.-.1.0.0.1.....
040109600  00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00  ................ŸŸŸŸ‚yG.........
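As an added worked example (my own code, not part of the original study), the Python below does by program what the extraction above was done by hand: it locates a UTF-16LE SID string in a raw block, splits it into the fields listed in the table above, and converts between the textual form and the binary layout Windows uses inside security descriptors. The sample buffer is constructed from the ReFS dump at the top of this section; the function names are assumptions of mine.

```python
import re
import struct

# The SID is stored as UTF-16LE text, so every ASCII character is followed by a
# NUL byte. Match "S-" and then any run of digits and dashes in that encoding.
SID_UTF16LE = re.compile(rb"S\x00-\x00(?:[0-9-]\x00)+")

# Constructed sample: the 20 header bytes from the ReFS block above, the SID
# string in UTF-16LE, its NUL terminator and the trailing bytes of that dump.
SAMPLE_BLOCK = (
    bytes.fromhex("B8 00 00 00 10 00 5E 00 00 00 70 00 48 00 00 00 30 00 02 00")
    + "S-1-5-21-1577690185-1982002958-325131806-1001".encode("utf-16-le")
    + bytes.fromhex("00 00 02 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00")
)

def find_sid_strings(buf: bytes):
    """Return (byte offset, SID text) for every UTF-16LE SID string in buf."""
    hits = []
    for m in SID_UTF16LE.finditer(buf):
        text = m.group(0).decode("utf-16-le").rstrip("-")
        hits.append((m.start(), text))
    return hits

def parse_sid(sid: str) -> dict:
    """Split a textual SID into the fields of the table above."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    info = {"revision": int(parts[1]), "authority": int(parts[2]), "sub_authorities": subs}
    # S-1-5-21-<domain id>-<RID>: 21 marks a non-unique (machine or domain) SID.
    if info["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_id"] = "-".join(str(s) for s in subs[1:4])
        info["rid"] = subs[4]
    return info

def sid_to_binary(sid: str) -> bytes:
    """Binary SID layout: revision byte, sub-authority count byte, 6-byte
    big-endian identifier authority, then each sub-authority as little-endian uint32."""
    info = parse_sid(sid)
    subs = info["sub_authorities"]
    return (bytes([info["revision"], len(subs)])
            + info["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def binary_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to its textual form (inverse of sid_to_binary)."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

if __name__ == "__main__":
    for offset, sid in find_sid_strings(SAMPLE_BLOCK):
        print(hex(offset), sid, parse_sid(sid), sid_to_binary(sid).hex())
```

The binary decoder is useful where a SID turns up in a security descriptor rather than as text, which is the form FAT32 never stores.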