Episode: Course 36 - Windows Forensics and Tools | Episode 5: Structure and Forensic Significance (CyberCode Academy)
In this lesson, you'll learn about: Windows Security Identifiers (SIDs) and user tracking

1. What is a Security Identifier (SID)?
A SID (Security Identifier) is a unique value assigned to every:
- User
- Group
- Security principal (system accounts, services)

🔹 Core Idea
- It acts like a permanent digital fingerprint in Windows
- Used internally instead of usernames

👉 Key Property: A SID is never reused, even if the account is deleted

2. Why SIDs Exist
- Windows needs a stable way to identify identities
- Usernames can change
- SIDs cannot

🔹 Example Use
- Permissions are assigned to SIDs, not names
- Access control checks rely on SID matching

3. SID in Access Tokens
🔹 What happens at login?
- Windows creates an access token
- This token contains: User SID, Group SIDs, Privileges

👉 Key Insight:
- Every process inherits this token
- This determines what the user can do

4. Structure of a SID
A SID is not random; it has a strict format:
🔹 Main Components
- Identifier Authority
- Sub-authority values
- Relative Identifier (RID)

5. SID Breakdown Explained
🔹 Identifier Authority
- Defines the system or domain origin
- Example: Local machine, Domain controller

🔹 Sub-authorities
- Represent hierarchical security structure
- Provide organizational uniqueness

🔹 Relative Identifier (RID)
- The most specific part
- Identifies the actual account

6. Important RID Examples
🔹 Common Built-in Accounts
- 500 → Built-in Administrator
- 501 → Guest account
- 512 → Domain Admins group
- 513 → Domain Users group

🔹 Special Group
- "Everyone" group → universal access SID

👉 Key Insight: RID tells you exactly what type of account it is

7. How SIDs Are Used in Security
🔹 Access Control
- File permissions are assigned to SIDs
- Not usernames

🔹 Authentication Flow
- Login → SID loaded → permissions applied

8. Forensic Importance of SIDs
🔹 What investigators can learn
- Which user performed an action
- Whether an account was deleted or renamed
- Privilege escalation attempts

🔹 Why it matters
- Even if usernames change, the SID stays the same
- Enables long-term tracking of user behavior

Key Takeaways
- SIDs are permanent unique identifiers in Windows
- They are used instead of usernames for security decisions
- Stored inside access tokens during login
- Structured into authority, sub-authority, and RID
- Essential for forensic tracking and access control

Big Picture
SIDs help you:
👉 Move from "who is the user?" → "what identity is truly behind the action?"

Mental Model
- Username → Human label
- SID → System truth

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
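The structure described in sections 4 through 6 (identifier authority, sub-authorities, RID) and the forensic use in section 8 (tying activity to the same SID prefix even after a rename) can be made concrete with a small parser. The code below is an added example written for this page, not the podcast's own material: it parses the textual SID form, decodes the binary layout that appears in registry values and tokens (1-byte revision, 1-byte sub-authority count, 6-byte big-endian authority, 4-byte little-endian sub-authorities), and labels the well-known RIDs listed in section 6. The sample SIDs are constructed; the "RID 1000 and up means an account created after installation" rule is a general Windows convention assumed here, not something the lesson states.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known RIDs from section 6 of the lesson.
WELL_KNOWN_RIDS = {
    500: "Built-in Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}

# Identifier authority values used below: 1 = World Authority (the
# "Everyone" SID is S-1-1-0), 5 = NT Authority (local and domain accounts).
WORLD_AUTHORITY = 1
NT_AUTHORITY = 5

_SID_TEXT = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: List[int] = field(default_factory=list)

    @property
    def rid(self) -> Optional[int]:
        """The last sub-authority: the Relative Identifier naming the account."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def issuer(self) -> List[int]:
        """Everything before the RID: identifies the machine or domain."""
        return self.sub_authorities[:-1]

    def __str__(self) -> str:
        parts = [self.revision, self.identifier_authority, *self.sub_authorities]
        return "S-" + "-".join(str(p) for p in parts)


def parse_sid(text: str) -> Sid:
    """Parse the textual form S-<revision>-<authority>-<sub>-...-<rid>."""
    m = _SID_TEXT.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority, rest = m.groups()
    subs = [int(s) for s in rest.split("-") if s]
    return Sid(int(revision), int(authority), subs)


def parse_binary_sid(data: bytes) -> Sid:
    """Decode the binary layout: revision byte, sub-authority count byte,
    6-byte big-endian authority, then count x 4-byte little-endian values."""
    if len(data) < 8:
        raise ValueError("SID blob shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack(f"<{count}I", data[8:])) if count else []
    return Sid(revision, authority, subs)


def to_binary(sid: Sid) -> bytes:
    """Inverse of parse_binary_sid, handy for round-trip checks."""
    header = bytes([sid.revision, len(sid.sub_authorities)])
    authority = sid.identifier_authority.to_bytes(6, "big")
    subs = struct.pack(f"<{len(sid.sub_authorities)}I", *sid.sub_authorities)
    return header + authority + subs


def describe(sid: Sid) -> str:
    """Label a SID using the RIDs and the special group from the lesson."""
    if sid.identifier_authority == WORLD_AUTHORITY and sid.sub_authorities == [0]:
        return "Everyone (universal access SID)"
    if sid.identifier_authority == NT_AUTHORITY and sid.sub_authorities[:1] == [21]:
        rid = sid.rid
        if rid in WELL_KNOWN_RIDS:
            return f"{WELL_KNOWN_RIDS[rid]} (well-known RID {rid})"
        # Assumption beyond the lesson text: RIDs from 1000 upward are handed
        # out to accounts created after installation.
        if rid >= 1000:
            return f"account created after installation (RID {rid})"
        return f"reserved or built-in RID {rid}"
    return f"unclassified SID (authority {sid.identifier_authority})"


def same_issuer(a: Sid, b: Sid) -> bool:
    """True when two SIDs come from the same machine or domain, differing only
    in RID. This is how a renamed account is tied back to earlier activity."""
    return (a.identifier_authority == b.identifier_authority
            and a.issuer == b.issuer and bool(a.issuer))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    for text in ("S-1-5-21-3623811015-3361044348-30300820-500",
                 "S-1-5-21-3623811015-3361044348-30300820-1001",
                 "S-1-1-0"):
        sid = parse_sid(text)
        print(f"{sid}: {describe(sid)}")
```

When reviewing evidence, compare `issuer` rather than the full string: two SIDs with the same issuer and different RIDs are two accounts on the same machine or domain, while the same full SID under two different usernames at different times is the rename case section 8 describes.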