My Road to Digital Forensics Excellence

$Secure Streams and Descriptors

Posted by Paul Bobby on March 29, 2010

I was reading through some of the documentation at trying to get a handle on Access Control Entries, or ACEs. The easiest way for me to process this data was by walking through a test scenario. So I took a 2 GB thumb drive, formatted it NTFS and created a non-resident text file called ‘test.txt’.

I parsed out the Standard Information Attribute:


Search for the Security ID in the $Secure:$SII stream


Go to the offset, 960, in the $Secure:$SDS stream


The following code from the Linux NTFS documentation site describes the details of the Access Control Entry mask.
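To make the three steps above concrete, here is an added Python example (my own code, not the post's or the Linux NTFS documentation's). It builds a small, constructed $Secure:$SDS stream with one entry placed at offset 960, parses the entry header (hash, security ID, offset, length, then the self-relative security descriptor), walks the DACL and decodes each ACE's access mask into the rights named in the ACE mask definition. The $SDS header layout, the ACL/ACE structures and the ntfs_security_hash rotate-and-add loop follow the Linux NTFS documentation and ntfs-3g as I understand them; the security ID 260, the SIDs and the offset-960 placement are constructed sample values, not data from the test drive.

```python
"""Walk a constructed NTFS $Secure:$SDS entry and decode its ACE masks.

Structure layouts are assumed from the Linux NTFS documentation / ntfs-3g;
every SID, security ID and mask value below is constructed sample data.
"""
import struct

# ACE access-mask bits: file-specific, standard and generic rights.
ACCESS_MASK_BITS = {
    0x00000001: "FILE_READ_DATA",        0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",      0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",         0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",     0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",          0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",           0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",           0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",         0x80000000: "GENERIC_READ",
}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def decode_mask(mask):
    """Return the right names set in an ACE access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_MASK_BITS.items()) if mask & bit]


def parse_sid(buf, off):
    """Decode a binary SID (revision, sub-authority count, 48-bit authority, subs)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def build_sid(sid):
    """Inverse of parse_sid, used only to construct the sample stream."""
    p = sid.split("-")
    subs = [int(x) for x in p[3:]]
    return (bytes([int(p[1]), len(subs)]) + int(p[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ntfs_security_hash(sd):
    """Hash stored in $SDS/$SII/$SDH: rotate-left-3 and add, per dword (ntfs-3g)."""
    h = 0
    for (dword,) in struct.iter_unpack("<I", sd[:len(sd) & ~3]):
        h = (dword + (((h << 3) | (h >> 29)) & 0xFFFFFFFF)) & 0xFFFFFFFF
    return h


def parse_acl(buf, off):
    """ACL header (rev, sbz1, size, ace_count, sbz2) followed by ace_count ACEs."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "mask": mask, "rights": decode_mask(mask),
                     "sid": parse_sid(buf, pos + 8)})
        pos += ace_size  # ACE size covers the 8-byte header, mask and SID
    return aces


def parse_sds_entry(sds, offset):
    """Step 3 of the post: read the $SDS entry at the offset found in $SII."""
    hash_, sec_id, self_off, length = struct.unpack_from("<IIQI", sds, offset)
    sd = sds[offset + 20:offset + length]  # self-relative SECURITY_DESCRIPTOR
    _rev, _sbz1, control, owner_off, group_off, _sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", sd, 0)
    return {
        "hash": hash_, "security_id": sec_id, "offset": self_off, "length": length,
        "hash_ok": hash_ == ntfs_security_hash(sd),  # stored hash must match
        "owner": parse_sid(sd, owner_off) if owner_off else None,
        "group": parse_sid(sd, group_off) if group_off else None,
        "dacl": parse_acl(sd, dacl_off) if (control & SE_DACL_PRESENT and dacl_off) else [],
    }


# --- constructed sample data below ---------------------------------------
def build_ace(ace_type, flags, mask, sid):
    body = struct.pack("<I", mask) + build_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_descriptor(owner, group, aces):
    owner_b, group_b, ace_bytes = build_sid(owner), build_sid(group), b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_bytes), len(aces), 0) + ace_bytes
    owner_off = 20                      # descriptor header is 20 bytes
    group_off = owner_off + len(owner_b)
    dacl_off = group_off + len(group_b)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                      owner_off, group_off, 0, dacl_off)
    return hdr + owner_b + group_b + acl


def build_sds_entry(security_id, sds_offset, sd):
    entry = struct.pack("<IIQI", ntfs_security_hash(sd), security_id, sds_offset,
                        20 + len(sd)) + sd
    return entry + b"\x00" * (-len(entry) % 16)  # entries are 16-byte aligned


SAMPLE_SD = build_descriptor(
    "S-1-5-21-1000-2000-3000-1001", "S-1-5-21-1000-2000-3000-513",  # constructed
    [build_ace(0, 0, 0x001F01FF, "S-1-5-18"),      # SYSTEM: full control
     build_ace(0, 0, 0x001F01FF, "S-1-5-32-544"),  # Administrators: full control
     build_ace(0, 0, 0x001200A9, "S-1-5-32-545")]) # Users: read & execute
SAMPLE_SDS = b"\x00" * 960 + build_sds_entry(260, 960, SAMPLE_SD)  # entry at 960

if __name__ == "__main__":
    entry = parse_sds_entry(SAMPLE_SDS, 960)
    print("security id %d, hash ok: %s" % (entry["security_id"], entry["hash_ok"]))
    for ace in entry["dacl"]:
        print(ace["type"], ace["sid"], "0x%08X" % ace["mask"], ", ".join(ace["rights"]))
```

The "hash_ok" check is the useful forensic cross-check: the same hash is what $SII and $SDH carry alongside the security ID, so a descriptor whose stored hash does not match its bytes has been altered or mis-carved.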


