SecureArtisan

My Road to Digital Forensics Excellence

«
»

$Secure Streams and Descriptors

Posted by Paul Bobby on March 29, 2010

I was reading through some of the documentation at linux-ntfs.org trying to get a handle on Access Control Entries, or ACE. The easiest way for me to process this data was by walking through a test scenario. So I took a 2gig thumb drive, formatted it NTFS and created a non-resident text file called ‘test.txt’.

I parsed out the Standard Information Attribute:

image

Search for the Security ID in the $Secure:$SII stream

image

Go to the offset, 960, in the $Secure:$SDS stream

image

The following code from the Linux NTFS documentation site describes the details of the Access Control Entry mask.

image

About these ads

This entry was posted on March 29, 2010 at 6:49 pm and is filed under Forensics, General Research. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

«
»
 
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: