Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hi. Welcome back. In the previous module we went over some tools for collecting and analyzing memory dump files. We analyzed what the different techniques are, their advantages and disadvantages, as well as how we can generate our own memory dump files using the official utilities in Windows.
00:17
Now in this module, we're going to learn about one of the Windows forensic essentials: security identifiers. We'll see the definition and what information we can find from them.
00:29
A security identifier, commonly abbreviated as SID, is a unique value of variable length used to identify a trustee, which can be a user, a group, a logon session or another security principal.
00:43
A security principal has a single SID for life in a given domain, and all properties of the principal, including its name, are associated with the SID.
00:53
Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user.
01:02
The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security.
01:10
When a security identifier has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. It also contains information about user rights and privilege settings and any other information that is specific to that particular user,
01:27
and again it is a useful piece of information for forensic analysis.
01:33
It is variable length and encapsulates the hierarchical notion of issuer and identifier.
01:38
It consists of a six-byte identifier authority field that is followed by one to fourteen 32-bit sub-authority values and ends in a single 32-bit relative identifier, or RID.
01:53
When displayed textually, the SID is said to have the form S-R-I-S-S-...-RID, where S is a literal string, R is the revision, I, the identifier authority, is the six-byte value, S1 through Sn are the sub-authority values, and RID is the relative identifier, which identifies the type of SID.
02:12
The combination of the identifier authority value and the sub-authority values
02:15
ensures that no two SIDs will be the same, even if two different SID-issuing authorities issue the same combination of RID values, because each SID-issuing authority issues a given RID only once.
02:32
In the structure, the identifier authority is an array of six bytes which describes which system owns the SID.
02:40
Windows NT defines six identifier authorities, which are: the Null SID authority, which is used to hold the null account SID, S-1-0-0;
02:53
the World SID authority, which is used for the Everyone group. There's only one SID in that group, and that is S-1-1-0.
03:02
The Local SID authority is used for the Local group. Again, there is only one SID in this group, and it is S-1-2-0.
03:12
The Security Creator SID authority is responsible for Creator Owner, Creator Group, Creator Owner Server and Creator Group Server. You can identify which SIDs belong to this category because they have the number three in the identifier authority field.
03:30
The value four corresponds to the Security Non-unique Authority, which is not used by Windows NT.
03:38
The value five corresponds to the Security NT Authority, which describes accounts that are managed by the NT security subsystem.
03:47
And with identifier authority value nine, we have the Resource Manager Authority, which is used for third-party resource managers.
03:57
Windows allocates RIDs starting at 1000.
04:01
RIDs having a value less than 1000 are considered reserved and are used for special accounts. For example, all Windows accounts with a RID of 500 are considered built-in administrator accounts in their respective issuing authorities.
04:18
Well-known security identifiers, or SIDs, identify generic groups and generic users. The following are some universal well-known SIDs.
04:29
We have the Null SID, with value S-1-0-0,
04:33
which identifies a group with no members. This is often used when a SID value is not known.
04:41
The World security identifier, with value S-1-1-0, identifies a group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. The Local security identifier, with value S-1-2-0, identifies users
04:59
who log on to a terminal locally
05:01
or physically connected to the system.
05:03
The Creator Owner ID, identified with the value S-1-3-0, is a security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable access control entries.
05:20
The Creator Group ID, with a value of S-1-3-1, is a security identifier to be replaced by the primary group SID of the user who created a new object.
05:33
Most applications never need to work with SIDs because the names of well-known SIDs can vary. It is recommended to use the functions to build the SID from predefined constants rather than using the name of the well-known SID. For example, the United States English version of the Windows operating system
05:54
has a well-known SID named BUILTIN\Administrators that might have a different name in international versions of the system.
06:02
Okay, here's a quick question for you. Based on the identifier authority value, which of the following SIDs corresponds to users who log on to a terminal locally or physically connected to a system? Is it A, S-1-0-0; B, S-1-1-0; C, S-1-2-0; or D, S-1-2-0?
06:23
If you said C, you're correct. The identifier authority with value two is Local, and it's used for the Local group. There's only one SID in that group, and it is S-1-2-0.
06:36
We have analyzed security identifiers, their forensic significance and structure, and we also know some well-known security identifiers such as the Null SID, for a group with no members, and the World SID, which includes all users in the system.
06:51
Don't forget to check the references and supplementary material for more information on SIDs. In the next module, we're going to study the system registry and its hives. You will learn what those hives are and why they are useful in a forensic investigation.
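As an added example (not part of the course material), here is a small Python helper that parses the SID structure described above, converts between the textual S-R-I-S...-RID form and the binary layout, and attaches the lecture's well-known SIDs and RID rules to a parsed value. The sample SID and its domain sub-authorities are constructed values; the binary byte order (big-endian 6-byte identifier authority, little-endian 32-bit sub-authorities) is a standard Windows detail not stated in the lecture.

```python
import struct

# Identifier authorities and universal well-known SIDs as listed in the lecture.
IDENTIFIER_AUTHORITIES = {
    0: "Null", 1: "World", 2: "Local", 3: "Creator",
    4: "Non-unique (unused by Windows NT)", 5: "NT", 9: "Resource Manager",
}
WELL_KNOWN_SIDS = {
    "S-1-0-0": "Null SID (group with no members)",
    "S-1-1-0": "World / Everyone",
    "S-1-2-0": "Local (users logged on locally)",
    "S-1-3-0": "Creator Owner",
    "S-1-3-1": "Creator Group",
}
# Constructed sample: an NT-authority domain account with the built-in admin RID.
SAMPLE_SID = "S-1-5-21-1000000000-2000000000-3000000000-500"

def parse_sid(text):
    """Split S-R-I-S...-RID into its fields; the RID is the last sub-authority."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a textual SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 1 <= len(subs) <= 15 or authority >= 1 << 48:
        raise ValueError("too many sub-authorities or authority exceeds 6 bytes")
    return {"revision": revision, "authority": authority,
            "sub_authorities": subs[:-1], "rid": subs[-1]}

def sid_to_bytes(text):
    """Binary layout: revision byte, sub-authority count byte, 6-byte big-endian
    identifier authority, then each 32-bit sub-authority little-endian (RID last)."""
    sid = parse_sid(text)
    subs = sid["sub_authorities"] + [sid["rid"]]
    header = struct.pack(">BB", sid["revision"], len(subs))
    header += sid["authority"].to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

def sid_from_bytes(blob):
    """Inverse of sid_to_bytes, e.g. for a SID read out of a token or registry dump."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def describe(text):
    """Attach the forensic meaning the lecture gives to each field."""
    sid = parse_sid(text)
    return {
        "issuing_authority": IDENTIFIER_AUTHORITIES.get(sid["authority"], "unknown"),
        "well_known": WELL_KNOWN_SIDS.get(text),
        "reserved_rid": sid["rid"] < 1000,    # RIDs below 1000 are reserved
        "builtin_admin": sid["rid"] == 500,   # RID 500 is the built-in Administrator
    }
```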

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor