Something else which stood out when analysing the file systems after content had been added was the block below. This block was found in both ReFS and NTFS, but could not be found on the FAT32 file system. This is because FAT does not support security descriptors (Microsoft, n.d.e).
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
000780560 B8 00 00 00 10 00 5E 00 00 00 70 00 48 00 00 00 30 00 02 00 53 00 2D 00 31 00 2D 00 35 00 2D 00 ¸.....^...p.H...0...S.-.1.-.5.-.
000780580 32 00 31 00 2D 00 31 00 35 00 37 00 37 00 36 00 39 00 30 00 31 00 38 00 35 00 2D 00 31 00 39 00 2.1.-.1.5.7.7.6.9.0.1.8.5.-.1.9.
0007805A0 38 00 32 00 30 00 30 00 32 00 39 00 35 00 38 00 2D 00 33 00 32 00 35 00 31 00 33 00 31 00 38 00 8.2.0.0.2.9.5.8.-.3.2.5.1.3.1.8.
0007805C0 30 00 36 00 2D 00 31 00 30 00 30 00 31 00 00 00 02 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0.6.-.1.0.0.1...................
The block shown above is taken from the ReFS drive, but is identical on the NTFS drive and on each ReFS drive with various modifications. It wasn't found on any of the drives before content was added.
After extracting the Security Identifier string and removing all the zero bytes, it looks like this: S-1-5-21-1577690185-1982002958-325131806-1001
The table below identifies what each part means (with matching colours). It uses information from Carpio (2012) and Microsoft (n.d.f).
| Value | Meaning |
|---|---|
| S | Identifies that the following string of digits is a Security Identifier |
| 1 | Revision 1 |
| 5 | "SECURITY_NT_AUTHORITY" - identifier authority (the entity which issues the SID) |
| 21 | "SECURITY_NT_NON_UNIQUE" - The value 21 is used when created by the local machine |
| 1577690185-1982002958-325131806 | The domain ID |
| 1001 | Relative Identifier (RID) |
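The extraction and breakdown described above can be automated. The following Python sketch is an added example, not part of the original analysis: it scans a raw block for UTF-16LE SID strings and splits each one into the fields listed in the table. The function names are hypothetical, and the sample bytes are the four ReFS dump rows shown on this page.

```python
import re

BASE = 0x000780560  # offset of the first ReFS dump row, as shown on the page
# The four 32-byte rows of the ReFS hex dump, copied from the page.
BLOCK = bytes.fromhex("""
B8 00 00 00 10 00 5E 00 00 00 70 00 48 00 00 00 30 00 02 00 53 00 2D 00 31 00 2D 00 35 00 2D 00
32 00 31 00 2D 00 31 00 35 00 37 00 37 00 36 00 39 00 30 00 31 00 38 00 35 00 2D 00 31 00 39 00
38 00 32 00 30 00 30 00 32 00 39 00 35 00 38 00 2D 00 33 00 32 00 35 00 31 00 33 00 31 00 38 00
30 00 36 00 2D 00 31 00 30 00 30 00 31 00 00 00 02 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00
""")

# "S-<rev>" followed by at least two "-<digits>" groups, each character
# stored as UTF-16LE (ASCII byte followed by a zero byte).
SID_UTF16 = re.compile(rb"S\x00-\x00[0-9]\x00(?:-\x00(?:[0-9]\x00)+){2,}")

SECURITY_NT_AUTHORITY = 5    # identifier authority value from the table
SECURITY_NT_NON_UNIQUE = 21  # first sub-authority value from the table

def find_sids(data, base=0):
    """Return (absolute offset, SID string) for every UTF-16LE SID in data."""
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in SID_UTF16.finditer(data)]

def parse_sid(sid):
    """Split a SID string into the fields described in the table."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError(f"not a SID string: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    info = {"revision": int(parts[1]), "authority": int(parts[2]),
            "sub_authorities": subs}
    # Only S-1-5-21-... SIDs carry a three-part domain ID followed by a RID.
    if (info["authority"] == SECURITY_NT_AUTHORITY
            and subs[0] == SECURITY_NT_NON_UNIQUE and len(subs) >= 5):
        info["domain_id"] = "-".join(str(s) for s in subs[1:-1])
        info["rid"] = subs[-1]
    return info

if __name__ == "__main__":
    for offset, sid in find_sids(BLOCK, BASE):
        print(f"{offset:#011x}  {sid}  {parse_sid(sid)}")
```

Running the same functions over the NTFS block and comparing the results confirms whether both file systems recorded the same SID.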
The Security Identifier from the NTFS drive after "hellofolder" was added to the file system is shown below, using the same colours as above for highlighting relevant parts of the identifier.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
040109560 25 00 00 00 00 00 01 00 CD 0B BE 46 7D 2B D0 01 4C D3 EB 46 7D 2B D0 01 4C D3 EB 46 7D 2B D0 01 %........¾F}+Ɖ.LÓËF}+Ɖ.LÓËF}+Ɖ.
040109580 4C D3 EB 46 7D 2B D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 LÓËF}+Ɖ.........................
0401095A0 2D 00 53 00 2D 00 31 00 2D 00 35 00 2D 00 32 00 31 00 2D 00 31 00 35 00 37 00 37 00 36 00 39 00 -.S.-.1.-.5.-.2.1.-.1.5.7.7.6.9.
0401095C0 30 00 31 00 38 00 35 00 2D 00 31 00 39 00 38 00 32 00 30 00 30 00 32 00 39 00 35 00 38 00 2D 00 0.1.8.5.-.1.9.8.2.0.0.2.9.5.8.-.
0401095E0 33 00 32 00 35 00 31 00 33 00 31 00 38 00 30 00 36 00 2D 00 31 00 30 00 30 00 31 00 00 00 03 00 3.2.5.1.3.1.8.0.6.-.1.0.0.1.....
040109600 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00 ................ŸŸŸŸyG.........