Sign up to save your podcasts
Or
Share Course 36 - Windows Forensics and Tools | Episode 5: Structure and Forensic Significance
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 36 - Windows Forensics and Tools | Episode 5: Structure and Forensic Significance
In this lesson, you’ll learn about: Windows Security Identifiers (SIDs) and user tracking1. What is a Security Identifier (SID)?
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- A SID (Security Identifier) is a unique value assigned to every:
- User
- Group
- Security principal (system accounts, services)
- It acts like a permanent digital fingerprint in Windows
- Used internally instead of usernames
- A SID is never reused, even if the account is deleted
- Windows needs a stable way to identify identities
- Usernames can change
- SIDs cannot
- Permissions are assigned to SIDs, not names
- Access control checks rely on SID matching
- Windows creates an access token
- This token contains:
- User SID
- Group SIDs
- Privileges
- Every process inherits this token
- This determines what the user can do
- Identifier Authority
- Sub-authority values
- Relative Identifier (RID)
- Defines the system or domain origin
- Example:
- Local machine
- Domain controller
- Represent hierarchical security structure
- Provide organizational uniqueness
- The most specific part
- Identifies the actual account
- 500 → Built-in Administrator
- 501 → Guest account
- 512 → Domain Admins group
- 513 → Domain Users group
- “Everyone” group → universal access SID
- RID tells you exactly what type of account it is
- File permissions are assigned to SIDs
- Not usernames
- Login → SID loaded → permissions applied
- Which user performed an action
- Whether an account was deleted or renamed
- Privilege escalation attempts
- Even if usernames change, SID stays the same
- Enables long-term tracking of user behavior
- SIDs are permanent unique identifiers in Windows
- They are used instead of usernames for security decisions
- Stored inside access tokens during login
- Structured into authority, sub-authority, and RID
- Essential for forensic tracking and access control
- Username → Human label
- SID → System truth
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about: Windows Security Identifiers (SIDs) and user tracking1. What is a Security Identifier (SID)?
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- A SID (Security Identifier) is a unique value assigned to every:
- User
- Group
- Security principal (system accounts, services)
- It acts like a permanent digital fingerprint in Windows
- Used internally instead of usernames
- A SID is never reused, even if the account is deleted
- Windows needs a stable way to identify identities
- Usernames can change
- SIDs cannot
- Permissions are assigned to SIDs, not names
- Access control checks rely on SID matching
- Windows creates an access token
- This token contains:
- User SID
- Group SIDs
- Privileges
- Every process inherits this token
- This determines what the user can do
- Identifier Authority
- Sub-authority values
- Relative Identifier (RID)
- Defines the system or domain origin
- Example:
- Local machine
- Domain controller
- Represent hierarchical security structure
- Provide organizational uniqueness
- The most specific part
- Identifies the actual account
- 500 → Built-in Administrator
- 501 → Guest account
- 512 → Domain Admins group
- 513 → Domain Users group
- “Everyone” group → universal access SID
- RID tells you exactly what type of account it is
- File permissions are assigned to SIDs
- Not usernames
- Login → SID loaded → permissions applied
- Which user performed an action
- Whether an account was deleted or renamed
- Privilege escalation attempts
- Even if usernames change, SID stays the same
- Enables long-term tracking of user behavior
- SIDs are permanent unique identifiers in Windows
- They are used instead of usernames for security decisions
- Stored inside access tokens during login
- Structured into authority, sub-authority, and RID
- Essential for forensic tracking and access control
- Username → Human label
- SID → System truth
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy