$Secure:$SDS

Overview

Evidence: $Secure:$SDS
Description: Dump Contents of $Secure:$SDS
Category: DiskFilesystem
Platform: windows
Short Name: securesds
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The $Secure file contains security descriptors for all files and directories on the NTFS volume. These descriptors include access control lists (ACLs), ownership information, and audit settings. The $SDS alternate data stream stores the actual security descriptor data, which is referenced by file entries to avoid duplication.
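Because the stream is collected unparsed, an analyst decodes it afterwards. The following Python is an added illustration, not part of this collector or its documentation: it walks a $SDS stream and lists each security ID with its owner, group and DACL ACE count. The entry layout it assumes is the documented NTFS one (a 20-byte header of hash, security ID, offset and size, then a self-relative SECURITY_DESCRIPTOR, entries padded to 16 bytes, and each 256 KiB block followed by a mirror copy); the sample bytes are constructed, with the hash field left at zero.

```python
import struct

SE_DACL_PRESENT = 0x0004

def sid_to_str(buf, off):
    """Decode the binary SID at buf[off:] into S-R-A-S... text form."""
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def parse_sds(data):
    """Walk $SDS entries: hash(4) security id(4) offset(8) size(4), then a
    self-relative SECURITY_DESCRIPTOR. Entries are padded to 16 bytes; each
    256 KiB block is mirrored, so an entry whose stored offset differs from
    its position is the mirror copy and is skipped (assumed layout)."""
    found, pos = [], 0
    while pos + 0x14 <= len(data):
        _hash, sec_id, offset, size = struct.unpack_from("<IIQI", data, pos)
        if sec_id == 0 or size < 0x14:          # zero fill: jump to next block
            pos = (pos // 0x40000 + 1) * 0x40000
            continue
        if offset == pos:
            sd = data[pos + 0x14:pos + size]
            _, _, control, o_owner, o_group, _, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
            # A present DACL with offset 0 is a NULL DACL (everyone gets full access)
            aces = struct.unpack_from("<H", sd, o_dacl + 4)[0] if control & SE_DACL_PRESENT and o_dacl else 0
            found.append({"id": sec_id, "owner": sid_to_str(sd, o_owner),
                          "group": sid_to_str(sd, o_group), "dacl_aces": aces})
        pos += (size + 15) & ~15
    return found

def _sid(*subs):
    """Constructed NT-authority SID (S-1-5-...) for the sample data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _entry(sec_id, owner, group, pos):
    """Constructed $SDS entry (hash field 0) whose DACL has one ACE: Administrators full control."""
    ace_sid = _sid(32, 544)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(ace_sid), 0x001F01FF) + ace_sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    sd = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 20 + len(owner), 0,
                     20 + len(owner) + len(group)) + owner + group + acl
    body = struct.pack("<IIQI", 0, sec_id, pos, 0x14 + len(sd)) + sd
    return body + b"\0" * (-len(body) % 16)

# Constructed sample: two descriptors (owner SYSTEM, then owner Administrators) plus end-of-block fill
_E1 = _entry(0x100, _sid(18), _sid(18), 0)
SAMPLE = _E1 + _entry(0x101, _sid(32, 544), _sid(18), len(_E1)) + b"\0" * 32
```

Running `parse_sds` over the collected file (read as bytes) yields one record per unique descriptor; the security IDs are what the $SECURITY_DESCRIPTOR_ID in each file's $STANDARD_INFORMATION attribute refers to.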

Data Collected

This collector gathers structured data about $Secure:$SDS.

$Secure:$SDS Data

Field        Description           Example
Type         File type             SecureSDS
Name         File name             $Secure:$SDS
SourcePath   Original path         C:\$Secure:$SDS
FilePath     Path in evidence      NTFSFiles/$Secure_$SDS
FileSize     File size in bytes    10485760

Collection Method

This collector uses a kernel driver with raw NTFS access to read $Secure:$SDS from each fixed NTFS drive.

Forensic Value

Security descriptors provide critical information about file permissions, ownership, and access control. This data can reveal unauthorized access, privilege escalation attempts, and security policy violations, and it is essential for investigating insider threats and understanding who had access to sensitive files.
