$Secure:$SDS
Overview
Evidence: $Secure:$SDS
Description: Dump Contents of $Secure:$SDS
Category: DiskFilesystem
Platform: windows
Short Name: securesds
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The $Secure file contains the security descriptors for every file and directory on an NTFS volume. Each descriptor holds the access control lists (ACLs), ownership information, and audit settings for the objects it applies to. The $SDS alternate data stream stores the descriptor data itself; file entries reference a descriptor by its security ID instead of each carrying its own copy, which avoids duplication.
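To make the structure described above concrete, the following added example (not part of this page or of the collector's own code) walks an $SDS blob entry by entry and decodes each self-relative security descriptor into owner, group and DACL entries. It assumes the entry layout published in the ntfs-3g / linux-ntfs documentation (a 20-byte header of hash, security ID, offset and length followed by the descriptor, padded to 16 bytes) and the NTFS per-DWORD hash; the input blob is constructed in memory by build_sample_sds(), and its second entry is deliberately given a wrong hash to show how an integrity mismatch is surfaced during analysis.

```python
"""Parse an NTFS $Secure:$SDS stream: entry headers plus the self-relative
security descriptors they wrap. Added example; the sample blob is constructed
here and is not a real capture."""
import struct

# $SDS entry header: hash(4) | security id(4) | entry offset(8) | entry length(4)
ENTRY_HDR = struct.Struct("<IIQI")
MASK32 = 0xFFFFFFFF
SE_DACL_PRESENT = 0x0004
FILE_ALL_ACCESS = 0x1F01FF


def sds_hash(sd: bytes) -> int:
    """Hash NTFS stores with each entry: for every little-endian DWORD of the
    descriptor, h = dword + rol32(h, 3) (assumption: ntfs-3g's documented algorithm)."""
    h = 0
    for (dword,) in struct.iter_unpack("<I", sd[: len(sd) & ~3]):
        h = (dword + (((h << 3) | (h >> 29)) & MASK32)) & MASK32
    return h


def sid_to_str(buf: bytes, off: int) -> tuple[str, int]:
    """Decode a binary SID at buf[off:]; returns ('S-1-...', size in bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2 : off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_descriptor(sd: bytes) -> dict:
    """Decode a SECURITY_DESCRIPTOR_RELATIVE: 20-byte header, then SIDs/ACLs at offsets."""
    rev, _sbz, control, owner_off, group_off, _sacl_off, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    out = {"revision": rev, "control": control, "owner": None, "group": None, "dacl": []}
    if owner_off:
        out["owner"] = sid_to_str(sd, owner_off)[0]
    if group_off:
        out["group"] = sid_to_str(sd, group_off)[0]
    if control & SE_DACL_PRESENT and dacl_off:
        _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
        pos = dacl_off + 8
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            sid, _ = sid_to_str(sd, pos + 8)
            out["dacl"].append({"type": ace_type, "flags": ace_flags, "mask": mask, "sid": sid})
            pos += ace_size
    return out


def parse_sds(blob: bytes) -> list[dict]:
    """Walk entries until the data runs out or a zero-length (padding) header is hit.
    hash_ok is False when the stored hash does not match the descriptor bytes."""
    entries, pos = [], 0
    while pos + ENTRY_HDR.size <= len(blob):
        h, sec_id, offset, length = ENTRY_HDR.unpack_from(blob, pos)
        if length == 0:
            break
        sd = blob[pos + ENTRY_HDR.size : pos + length]
        entry = {"security_id": sec_id, "offset": offset, "length": length,
                 "hash_ok": h == sds_hash(sd)}
        entry.update(parse_descriptor(sd))
        entries.append(entry)
        pos += (length + 15) & ~15          # entries are 16-byte aligned
    return entries


# ---- constructed sample data (not a real $SDS capture) ----
def build_sid(authority: int, *subs: int) -> bytes:
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_sample_descriptor() -> bytes:
    """Owner Administrators, group SYSTEM, DACL granting both FILE_ALL_ACCESS."""
    owner = build_sid(5, 32, 544)            # S-1-5-32-544
    group = build_sid(5, 18)                 # S-1-5-18
    aces = b""
    for sid in (group, owner):               # ACCESS_ALLOWED_ACE (type 0)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), FILE_ALL_ACCESS) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 2, 0) + aces
    owner_off = 20
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(group)
    hdr = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, owner_off, group_off, 0, dacl_off)
    return hdr + owner + group + acl


def build_sample_sds() -> bytes:
    """Two entries: security ID 256 intact, ID 257 with one hash bit flipped."""
    sd = build_sample_descriptor()
    blob = b""
    for sec_id, corrupt in ((256, False), (257, True)):
        h = sds_hash(sd) ^ (1 if corrupt else 0)
        entry = ENTRY_HDR.pack(h, sec_id, len(blob), ENTRY_HDR.size + len(sd)) + sd
        blob += entry + b"\0" * (-len(entry) % 16)
    return blob


if __name__ == "__main__":
    for e in parse_sds(build_sample_sds()):
        print(e["security_id"], e["hash_ok"], e["owner"], [(a["sid"], hex(a["mask"])) for a in e["dacl"]])
```

Run against a collected NTFSFiles/$Secure_$SDS file, the same parse_sds() walk yields one record per security ID; joining those IDs back to file records is what turns the dump into a per-file permissions view, and a hash mismatch on an entry is worth noting in the timeline because the descriptor bytes no longer match what NTFS wrote with them.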
Data Collected
This collector gathers structured data about $Secure:$SDS.
$Secure:$SDS Data
| Field | Description | Example |
|---|---|---|
| Type | File type | SecureSDS |
| Name | File name | $Secure:$SDS |
| SourcePath | Original path | C:\$Secure:$SDS |
| FilePath | Path in evidence | NTFSFiles/$Secure_$SDS |
| FileSize | File size in bytes | 10485760 |
Collection Method
This collector uses a kernel driver with raw NTFS access to read $Secure:$SDS from each fixed NTFS drive, since the $Secure system file cannot be opened through the normal file API.
Forensic Value
Security descriptors provide critical information about file permissions, ownership, and access control. This data can reveal unauthorized access, privilege escalation attempts, and security policy violations. It is essential for investigating insider threats and for establishing who had access to sensitive files.