Exploring Security Identifiers

Each user, group, and machine in a Windows environment are assigned a security identifier. The SID is a unique identifier in that no two SIDs are the same. Windows grants or denies access and privileges to system objects based on access control lists (ACLs), which in turn use the SID as a means of identifying users, groups, and machines, since each has its own unique SID (Figure 9-36).

We have previously referred to SIDs and, in this chapter, we have made specific reference to identifying a user’s restore point NTUSER.DAT file by the user’s SID number. We’ll discuss how that is done in this section, but first let’s examine an SID and demystify that obscure set of letters and numbers. Figure 9-24 shows an SID number ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.