SecureArtisan

My Road to Digital Forensics Excellence

$Secure Streams and Descriptors

Posted by Paul Bobby on March 29, 2010

I was reading through some of the documentation at linux-ntfs.org trying to get a handle on Access Control Entries, or ACEs. The easiest way for me to process this data was by walking through a test scenario. So I took a 2gig thumb drive, formatted it as NTFS and created a non-resident text file called ‘test.txt’.

I parsed out the Standard Information Attribute:

image

Search for the Security ID in the $Secure:$SII stream:

image

Go to the offset, 960, in the $Secure:$SDS stream:

image

The following code from the Linux NTFS documentation site describes the details of the Access Control Entry mask.

image
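The same walk in code, as an added example that is not from the original post or the linux-ntfs.org documentation: it reads the $SDS entry at a given offset, checks its header, and decodes each DACL entry's access mask. It assumes the 20-byte $SDS entry header (hash, security ID, offset, length) followed by a self-relative security descriptor; the sample stream is constructed, with a placeholder security ID of 0x101, a zeroed hash, and the offset 960 used above.

```python
import struct
MASK_BITS = {  # access-mask bits for files (Windows SDK names)
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}

def decode_mask(mask):
    return [name for bit, name in sorted(MASK_BITS.items()) if mask & bit]

def sid_to_str(b):
    auth = int.from_bytes(b[2:8], "big")            # 48-bit authority, big-endian
    subs = struct.unpack_from("<%dI" % b[1], b, 8)  # b[1] = sub-authority count
    return "S-%d-%d" % (b[0], auth) + "".join("-%d" % s for s in subs)

def parse_sds_entry(sds, offset):
    """Return (security_id, [(ace_type, sid, mask), ...]) for the entry at offset."""
    _hash, sec_id, self_off, length = struct.unpack_from("<IIQI", sds, offset)
    if self_off != offset or length < 40 or offset + length > len(sds):
        raise ValueError("not a valid $SDS entry header")
    sd = sds[offset + 20: offset + length]   # self-relative security descriptor
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    aces = []
    if dacl_off:
        _rev, _pad, acl_size, ace_count = struct.unpack_from("<BBHH", sd, dacl_off)
        pos, end = dacl_off + 8, dacl_off + acl_size
        for _ in range(ace_count):
            ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
            if ace_size < 8 or pos + ace_size > end:
                raise ValueError("ACE overruns its ACL")
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            # Types 0 (allowed) and 1 (denied) put the SID right after the mask.
            sid = sid_to_str(sd[pos + 8: pos + ace_size]) if ace_type in (0, 1) else None
            aces.append((ace_type, sid, mask))
            pos += ace_size
    return sec_id, aces

def build_sample(offset=960, sec_id=0x101):  # constructed $SDS stream, not real data
    sid = bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)      # S-1-1-0
    ace = struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x001200A9) + sid  # allow ACE
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    sd = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl
    return bytes(offset) + struct.pack("<IIQI", 0, sec_id, offset, 20 + len(sd)) + sd
```

Comparing the returned security ID with the one taken from the Standard Information Attribute confirms that the $SII offset landed on the right descriptor.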
