$Secure:$SDS

Overview

  • Evidence: $Secure:$SDS

  • Description: Dump Contents of $Secure:$SDS

  • Category: NTFS

  • Platform: Windows

  • Short Name: securesds

  • Is Parsed: No - Raw security descriptor stream

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

The $Secure file contains security descriptors for all files and folders on an NTFS volume. The $SDS alternate data stream contains the actual security descriptor data indexed by security ID.

Security descriptors include file permissions (ACLs), owner information, and audit settings. This data is centralized in $Secure to save space when multiple files share the same permissions.

Data Collected

Field         Description           Example
Type          File type             SecureSDS
Name          File name             $Secure:$SDS
SourcePath    Original path         C:\$Secure:$SDS
FilePath      Path in evidence      NTFSFiles/$Secure_$SDS
FileSize      File size in bytes    10485760

Collection Method

This collector uses a kernel driver to read the $Secure:$SDS alternate data stream directly from the volume.

Usage

Security descriptor analysis helps investigators understand file permissions and detect ACL manipulation. Investigators use this data to analyze file and folder permissions, detect unauthorized permission changes, track administrative access control, and investigate privilege escalation.

Known Limitations

  • Only available on NTFS volumes

  • Requires specialized tools to parse

  • Security descriptor format is complex

  • Must correlate with MFT for file associations

Notes

Security descriptors are referenced by Security ID in MFT entries. The $Secure file centralizes these descriptors to avoid duplication.
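As an added illustration of the layout described in Background and Notes (example code, not part of this collector or its documentation), the following Python parser walks $SDS entries, checks each entry's stored hash, and decodes the owner, group and DACL of the self-relative security descriptor so a Security ID from an MFT entry can be matched to its permissions. It assumes the entry header (hash, security ID, offset, length) and hash algorithm as documented by the Linux-NTFS project and implemented in ntfs-3g; the sample entry is constructed inline, not taken from a real volume.

```python
import struct

def sds_hash(sd):
    # Checksum stored in each $SDS entry header (as computed by ntfs-3g's ntfs_security_hash):
    # hash = dword + rol32(hash, 3) over every little-endian DWORD of the descriptor.
    h = 0
    for (dw,) in struct.iter_unpack("<I", sd[:len(sd) & ~3]):
        h = (dw + ((h << 3) | (h >> 29))) & 0xFFFFFFFF
    return h

def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-" + "-".join(str(x) for x in (rev, auth, *subs))

def parse_sd(sd):
    # Self-relative SECURITY_DESCRIPTOR header: revision, sbz1, control, then four offsets.
    _ctrl, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<xxHIIII", sd, 0)
    out = {"owner": parse_sid(sd, o_owner), "group": parse_sid(sd, o_group), "dacl": []}
    if o_dacl:                                            # offset 0 = NULL DACL, no ACEs
        ace_count = struct.unpack_from("<H", sd, o_dacl + 4)[0]
        pos = o_dacl + 8                                  # ACEs follow the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            out["dacl"].append((ace_type, mask, parse_sid(sd, pos + 8)))
            pos += ace_size
    return out

def parse_sds(stream):
    # Entry: hash, security_id, entry offset, length, then the descriptor; 16-byte aligned.
    # Simplification: the 256 KiB mirror blocks of a real $SDS stream are not handled here.
    entries, off = [], 0
    while off + 20 <= len(stream):
        h, sec_id, _entry_off, length = struct.unpack_from("<IIQI", stream, off)
        if length < 20:                                   # hit zero padding: stop
            break
        sd = stream[off + 20:off + length]
        entries.append({"security_id": sec_id, "hash_ok": h == sds_hash(sd), **parse_sd(sd)})
        off += (length + 15) & ~15
    return entries

# Constructed sample entry (not from a real volume): security_id 0x100, owner Administrators,
# group SYSTEM, DACL with one ACCESS_ALLOWED_ACE (type 0) granting 0x1F01FF (full control) to SYSTEM.
def _sid(rev, auth, *subs):
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
_owner, _group = _sid(1, 5, 32, 544), _sid(1, 5, 18)
_ace = struct.pack("<BBHI", 0, 0, 8 + len(_group), 0x1F01FF) + _group
_acl = struct.pack("<BBHHH", 2, 0, 8 + len(_ace), 1, 0) + _ace
_sd = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 36, 0, 48) + _owner + _group + _acl
SAMPLE_SDS = struct.pack("<IIQI", sds_hash(_sd), 0x100, 0, 20 + len(_sd)) + _sd
```

A failed hash check on a real entry is worth flagging during review, since the descriptor bytes no longer match what was recorded when the entry was written.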
