Exploring Security Identifiers

Each user, group, and machine in a Windows environment is assigned a security identifier (SID). An SID is unique: no two security principals ever share one, and an account keeps its SID even if it is renamed. Windows grants or denies access and privileges to system objects through access control lists (ACLs), and the entries in those lists identify users, groups, and machines by SID rather than by name, which is why a name change does not alter what an account can reach (Figure 9-36).

We have previously referred to SIDs, and earlier in this chapter we mentioned identifying a user’s NTUSER.DAT file inside a restore point by the user’s SID. We’ll discuss how that is done in this section, but first let’s examine an SID and demystify that obscure string of letters and numbers. Figure 9-24 shows an SID number ...
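The following Python is an added example for this section; it is not code from the book. It parses an SID from both its textual form (S-revision-authority-sub-authorities) and the binary form found in security descriptors and registry data, classifies it using well-known SIDs and RIDs published by Microsoft, and then picks a user’s NTUSER.DAT copy out of a restore-point snapshot listing. The snapshot listing, the GUID in the `_restore{...}` directory, and the account SID values are constructed for the example; the `_REGISTRY_USER_NTUSER_<SID>` filename convention is the one used by Windows XP-era restore points, and the file names were chosen to match it.

```python
"""Parse, classify and use Windows security identifiers (SIDs).

Added example; all sample SIDs, paths and snapshot listings are constructed.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Small subset of the well-known SIDs documented by Microsoft.
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known relative identifiers (RIDs) issued under a machine or domain SID.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)?$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        """Parse the textual form S-<revision>-<authority>-<sub>-...-<sub>."""
        m = SID_RE.match(text.strip())
        if not m:
            raise ValueError("not an SID string: %r" % text)
        subs = tuple(int(s) for s in m.group(3).split("-")[1:]) if m.group(3) else ()
        return cls(int(m.group(1)), int(m.group(2)), subs)

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Sid":
        """Parse the binary form: revision (1 byte), sub-authority count (1 byte),
        identifier authority (6 bytes, big-endian), then count x uint32 little-endian."""
        if len(raw) < 8:
            raise ValueError("SID too short")
        revision, count = raw[0], raw[1]
        if len(raw) != 8 + 4 * count:
            raise ValueError("sub-authority count does not match data length")
        authority = int.from_bytes(raw[2:8], "big")
        subs = struct.unpack("<%dI" % count, raw[8:])
        return cls(revision, authority, tuple(subs))

    def __str__(self) -> str:
        return "S-%d-%d%s" % (self.revision, self.authority,
                              "".join("-%d" % s for s in self.sub_authorities))

    @property
    def rid(self) -> Optional[int]:
        """The last sub-authority: the relative identifier of the principal."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    def is_account_sid(self) -> bool:
        """True for SIDs issued by a machine or domain: S-1-5-21-<3 x 32-bit>-<RID>."""
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)


def describe(sid: Sid) -> str:
    """Classify an SID using only what its structure reveals."""
    text = str(sid)
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    if sid.is_account_sid():
        if sid.rid in WELL_KNOWN_RIDS:
            return "built-in %s (RID %d)" % (WELL_KNOWN_RIDS[sid.rid], sid.rid)
        if sid.rid >= 1000:  # Windows allocates RIDs from 1000 to new accounts/groups
            return "user-created account or group (RID %d)" % sid.rid
        return "reserved RID %d" % sid.rid
    return "unrecognised SID"


def find_ntuser_in_snapshot(sid: Sid, snapshot_files: List[str]) -> Optional[str]:
    """Return the restore-point copy of this user's NTUSER.DAT, or None.
    XP-era restore points (RP###\\snapshot) store each user's hive as
    _REGISTRY_USER_NTUSER_<SID>; the listing passed in here is constructed."""
    wanted = ("_REGISTRY_USER_NTUSER_%s" % sid).upper()
    for path in snapshot_files:
        if path.rsplit("\\", 1)[-1].upper() == wanted:
            return path
    return None


# Constructed sample data (not from a real system).
# Binary form of S-1-5-32-544: rev 1, 2 sub-authorities, authority 5, 32, 544.
BUILTIN_ADMINS_BYTES = (b"\x01\x02" + b"\x00\x00\x00\x00\x00\x05"
                        + b"\x20\x00\x00\x00" + b"\x20\x02\x00\x00")
USER_SID = "S-1-5-21-111111111-222222222-333333333-1001"
RP = r"C:\System Volume Information\_restore{11111111-2222-3333-4444-555555555555}\RP12\snapshot"
SAMPLE_SNAPSHOT = [
    RP + r"\_REGISTRY_MACHINE_SAM",
    RP + r"\_REGISTRY_MACHINE_SYSTEM",
    RP + r"\_REGISTRY_USER_NTUSER_S-1-5-21-111111111-222222222-333333333-500",
    RP + r"\_REGISTRY_USER_NTUSER_" + USER_SID,
]

if __name__ == "__main__":
    for s in (Sid.from_bytes(BUILTIN_ADMINS_BYTES), Sid.from_string(USER_SID)):
        print(s, "->", describe(s))
    print(find_ntuser_in_snapshot(Sid.from_string(USER_SID), SAMPLE_SNAPSHOT))
```

The parser checks that the sub-authority count byte matches the data length, which is the check to keep when reading SIDs out of raw registry values or security descriptors: a truncated or padded blob otherwise silently yields a wrong SID and therefore the wrong user.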

Source: Mastering Windows Network Forensics and Investigation, 2nd Edition (O’Reilly).