
Question about security identifiers


26 replies to this topic

#1 FF0000Queen (Members, 15 posts)

Posted 10 August 2018 - 09:12 PM

Hi all,

 

I have some questions about security identifiers and whether they can be manipulated (and how easily?) when copying files/folders from a computer to an external hard drive. And also, how would anyone even do that? Would the copying mechanism affect the outcome of how the SID carries over to the hard drive (i.e., the Windows default versus robocopy or a similar program)?

 

Thanks all. 





#2 Didier Stevens (BC Advisor, 2,707 posts)

Posted 11 August 2018 - 05:24 AM

When you talk about SIDs in the context of files, you are probably referring to security descriptors. https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_security_descriptor

 

A security descriptor contains several SIDs: there's the owner SID, the group SID, and every ACE in the DACL and SACL has a SID too.

 

To change a security descriptor (for example change an SID in the security descriptor), you need the right to change the security descriptor, and that is encoded in the DACL (Discretionary Access Control List).

If you don't have the necessary rights, you could add the necessary right to the DACL provided that 1) you are the owner or 2) you can take ownership (if you are admin or system for example).

 

Security Descriptors are also copied when a file is copied, provided that the destination disk supports security descriptors. That is the case with the NTFS file system, but if you copy files to a USB stick for example, then it's likely that another file system than NTFS is being used, and then security descriptors are not supported and will thus not be copied.

 

Oh yeah, I forgot to add this: in case you would not be aware, making a copy of a file already changes the security descriptor. For example, on a Windows 10 machine the file C:\Windows\notepad.exe is owned by TrustedInstaller (you can see that in the security descriptor). If you copy that file, for example to your desktop, then your user account will become the owner of the copied file notepad.exe. The original owner SID in the security descriptor is changed to your SID.


Edited by Didier Stevens, 11 August 2018 - 05:54 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
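An added example, not part of the post above, that shows concretely what "a security descriptor contains several SIDs" means. It parses a self-relative Windows SECURITY_DESCRIPTOR (the on-disk/in-memory layout described by SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE_HEADER and SID in winnt.h), lists the owner SID, the group SID and the SID in every DACL/SACL ACE, and applies the rule from the post that the owner can always rewrite the DACL while anyone else needs an allowing WRITE_DAC ACE. The sample descriptor, its machine SID 1111111111-2222222222-3333333333 and its RIDs are constructed for the example; the access check deliberately ignores group membership and inheritance, which real Windows evaluation does not.

```python
"""Parse a self-relative SECURITY_DESCRIPTOR and list every SID it carries.
Added example with a constructed descriptor; machine SID and RIDs are made up."""
import struct

SE_SELF_RELATIVE, SE_DACL_PRESENT, SE_SACL_PRESENT = 0x8000, 0x0004, 0x0010
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
WRITE_DAC, WRITE_OWNER, FILE_ALL_ACCESS = 0x00040000, 0x00080000, 0x001F01FF


def sid_from_string(text):
    """'S-1-5-21-...-1001' -> binary SID: revision, count, 6-byte BE authority, LE subs."""
    parts = text.split("-")
    assert parts[0] == "S"
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def sid_to_string(data, offset):
    """Decode the binary SID at offset; return (string form, bytes consumed)."""
    rev, count = data[offset], data[offset + 1]
    auth = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(data, offset):
    """Walk an ACL: 8-byte header, then AceCount ACEs, each starting with a 4-byte ACE_HEADER."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", data, offset)
    aces, pos = [], offset + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, pos)
        ace = {"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags}
        if ace_type in ACE_TYPES:  # these three simple ACE types: Mask, then SidStart
            ace["mask"] = struct.unpack_from("<I", data, pos + 4)[0]
            ace["sid"] = sid_to_string(data, pos + 8)[0]
        aces.append(ace)  # other ACE types (object ACEs etc.) are kept but not decoded
        pos += ace_size
    return aces


def parse_security_descriptor(data):
    rev, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", data, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    return {
        "owner": sid_to_string(data, off_owner)[0] if off_owner else None,
        "group": sid_to_string(data, off_group)[0] if off_group else None,
        "dacl": parse_acl(data, off_dacl) if control & SE_DACL_PRESENT and off_dacl else None,
        "sacl": parse_acl(data, off_sacl) if control & SE_SACL_PRESENT and off_sacl else None,
    }


def sids_in_descriptor(sd):
    """Every SID the descriptor references (owner, group, each ACE); this is what NTFS copies along."""
    found = {sd["owner"], sd["group"]}
    for acl in (sd["dacl"], sd["sacl"]):
        found.update(ace["sid"] for ace in acl or [] if "sid" in ace)
    return sorted(s for s in found if s)


def can_change_descriptor(sd, sid):
    """Simplified check: the owner may always rewrite the DACL; otherwise the first ACE
    in order that names this SID and covers WRITE_DAC decides. No group expansion (assumption)."""
    if sid == sd["owner"]:
        return True
    for ace in sd["dacl"] or []:
        if ace.get("sid") == sid and ace["mask"] & WRITE_DAC:
            return ace["type"] == "ACCESS_ALLOWED"
    return False


# ---- constructed sample descriptor: owner, primary group, DACL with four ACEs ----
def build_ace(ace_type, mask, sid_text):
    body = struct.pack("<I", mask) + sid_from_string(sid_text)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sample():
    owner = sid_from_string("S-1-5-21-1111111111-2222222222-3333333333-1001")
    group = sid_from_string("S-1-5-21-1111111111-2222222222-3333333333-513")
    aces = [build_ace(1, WRITE_DAC | WRITE_OWNER, "S-1-5-21-1111111111-2222222222-3333333333-1002"),
            build_ace(0, FILE_ALL_ACCESS, "S-1-5-21-1111111111-2222222222-3333333333-1001"),
            build_ace(0, FILE_ALL_ACCESS, "S-1-5-32-544"),  # BUILTIN\Administrators
            build_ace(0, FILE_ALL_ACCESS, "S-1-5-18")]      # LOCAL SYSTEM
    dacl = struct.pack("<BBHHH", 2, 0, 8 + sum(len(a) for a in aces), len(aces), 0) + b"".join(aces)
    off_owner = 20
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


SAMPLE_SD = build_sample()

if __name__ == "__main__":
    sd = parse_security_descriptor(SAMPLE_SD)
    print("owner:", sd["owner"], "group:", sd["group"])
    for ace in sd["dacl"]:
        print(ace)
    print("all SIDs:", sids_in_descriptor(sd))
```

The deny ACE is listed first because Windows expects canonical order (explicit denies before explicit allows); the user with RID 1002 therefore cannot change the descriptor even though it is otherwise readable, while SYSTEM and Administrators can because FILE_ALL_ACCESS includes WRITE_DAC. When such a descriptor is copied to a FAT or exFAT volume there is nowhere to store it, so none of these SIDs survive; on NTFS they do, except that the owner SID is replaced by the copying user, as the post notes.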


#3 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 10:53 AM

Thanks for that explanation.

 

I'm wondering what your thoughts are on this scenario: an external hard drive is discovered with about 40 folders, one of which contains contraband material. The SID that owns that folder is also associated with 5 other folders on the hard drive (that same SID owned 4 other folders and had access to a 5th folder owned by another SID). All of the material on the hard drive is attributable to the owner of the hard drive, but he denies knowledge about the folder containing the contraband. We do not have any of the devices that the hard drive was connected to, so I'm only able to use the SIDs to attribute the contraband folder to him. It seems obvious to me that if the SID associated with the contraband material is also associated with folders directly attributable to one person (which he doesn't deny), then he must own the contraband?



#4 britechguy (Moderator, 8,689 posts, Staunton, VA) - Been there, done that, got the T-shirt

Posted 11 August 2018 - 11:39 AM

It seems obvious to me that if the SID associated with the contraband material is also associated with folders directly attributable to one person (which he doesn't deny), then he must own the contraband?

 

While that makes some logical sense, it only stands up if you are absolutely certain that no one else had physical access to the device(s) that could have created material while a user was logged in without their knowledge.

 

In workplaces it is not at all unusual to leave one's machine unlocked, briefly, to go consult with a coworker or use the bathroom.  When the thought is, "I'll be right back," workstations are often wide open and accessible, particularly in cubicle farm settings.


Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134

    . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it. The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus, November 10, 2017, in Washington Post article, Bannon is right: It's no coincidence The Post broke the Moore story


#5 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 11:43 AM

I definitely agree with that. In my scenario, he was using the hard drive on a client computer and then forgot it when he left for the day. He did not leave his laptop there, just the hard drive. How would it be possible to place a folder on the drive with a SID related to a laptop associated with the target? 



#6 britechguy (Moderator, 8,689 posts)

Posted 11 August 2018 - 12:02 PM

It probably wouldn't, at least via "normal means."   But I will let Didier and others with a lot more system internals expertise speak to this in detail.

 

It is definitely possible, though not probable, that with the correct knowledge and permissions one could effectively change ownership on something using data not even related to the machine it's being done on.  It doesn't strike me that this would even be a particularly sophisticated thing to do for someone who really wanted to do it and was of the "hacker" mindset.  But, again, someone with more expertise than myself will have to tell me if I'm an idiot for believing this is even possible.  I'm definitely in the "a little knowledge is a dangerous thing" territory here when it comes to the nuts and bolts and would be happy to get the straight dope, so to speak.



#7 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 01:07 PM

Well I definitely appreciate the feedback, even if it's just kicking ideas around. I'm having a tough time running this by people I work with because it's more technical than what we normally deal with. Usually, we get a computer or phone that has the contraband on it, so attribution isn't really an issue once I can establish exclusive use of the device. The scenario here is unusual. 

 

So I'm curious, given what you know about this situation, if you were on a jury, do you think you would have reasonable doubt? The target in this case is admitting *everything* else on the hard drive is his (including other folders that match the SID on the contraband folder, which I can establish is tied to his personal laptop where he also did business-related stuff), but is saying that this contraband folder is not his. 


Edited by FF0000Queen, 11 August 2018 - 01:16 PM.


#8 britechguy (Moderator, 8,689 posts)

Posted 11 August 2018 - 01:44 PM

For myself, given the information presented so far, I would presume the individual did own the contraband but that there exists enough plausible deniability if he did not have exclusive access to the device that I couldn't "convict."

 

Also, and I'm not asking you to reveal more, the nature of the contraband would be important to me, too.   There are a lot of "corporate rules" that, while justified as far as policy goes, often have punishments grossly out of proportion to the offense because "the offense" is just too broad.   As a hypothetical example, having a collection of contraband porn is not, in my opinion, a firing offense unless it were child porn, which should be reported to the authorities in addition to being a firing offense.  Having a collection of corporate espionage correspondence, indicating the presumed owner was involved, is a firing offense unless they can prove awfully conclusively that it is not theirs.  There's contraband and then there's contraband.

 

There's a reason that forensic computer examination is an art of its own.   It can be very difficult to conclusively prove anything when dealing with computers where multiple people have access and many among them possess the technical skills to do some "interesting" things for whatever reason. 



#9 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 01:54 PM

It's definitely an interesting case, and to clarify, it is actually a criminal case for possession of child pornography. 

 

I get what you're saying about plausible deniability - there's more evidence, too, but the SID stuff is pretty central to attribution. 



#10 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 01:56 PM

I'm trying to understand how it all works and how best to explain it to non-technical people. Thanks for your thoughts. 



#11 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 02:02 PM

And, FWIW, everything shared above is already a matter of public record, so there's nothing confidential. I'm mostly relying on the kindness of strangers to help me out here, so again, thanks for taking the time to read and respond. 



#12 britechguy (Moderator, 8,689 posts)

Posted 11 August 2018 - 02:03 PM

I'm trying to understand how it all works and how best to explain it to non-technical people. Thanks for your thoughts. 

 

Who is actually doing the forensic examination?   They should be able to help you (or if you're the forensic examiner, definitely reach out within your own professional network).

 

I know only too well, but in completely different contexts, the difficulty of reifying arcane information for broader consumption.  What's worse, even when you're dealing with a non-technical audience, it can really depend a lot on the backgrounds of those who make up that audience and what one or several people "get" one or several other people may not.

 

I wish you luck in getting the clarity you seek and that is absolutely necessary in situations such as this one.



#13 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 02:08 PM

I have a great forensic examiner. Super smart, and maybe way too smart to break it down. If you don't mind my asking, would you think it's fair to say an SID is like a unique key? Is there a better metaphor?

Also, my examiner thinks in rows of numbers, and I'm all about graphic displays. I could only understand this case when I mapped all the top level folders by SID, with corresponding subfolders by SID, on a white board and color-coded it. 


Edited by FF0000Queen, 11 August 2018 - 02:11 PM.


#14 Didier Stevens (BC Advisor, 2,707 posts)

Posted 11 August 2018 - 02:26 PM

I understand that you only have access to the external hard disk, not the laptop.

 

Is this the SID of an active directory user account or a local user account?

If it is a local account, do you know what version of Windows runs on the laptop?

 

Whether it is unique or not depends on the type of SID. And other factors can play a role too.


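An added example, not from the post above, that makes the "it depends on the type of SID" point mechanical. It classifies SID strings the way an examiner would when mapping folders on a drive: well-known SIDs (S-1-1-0 Everyone, S-1-5-18 SYSTEM, S-1-5-32-544 Administrators and friends) are identical on every Windows installation and attribute nothing; an account SID of the form S-1-5-21-A-B-C-RID carries a 96-bit machine or domain identifier (A-B-C, generated at install or domain creation) plus a RID, where RIDs below 1000 are reserved (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users) and created accounts get 1000 and up. Grouping the SIDs found on the drive by that A-B-C issuer shows which ones came from the same machine or domain without having the machine. The sample SID list and its issuer values are constructed for the example. One caveat that the classifier cannot see: machines imaged from a clone that was not sysprepped share the same machine SID, so "same issuer" means "same install or same clone of it".

```python
"""Classify Windows SID strings and group the ones from a drive by issuing machine/domain.
Added example; SAMPLE_SIDS and their issuer values are constructed, not from a real case."""
import re
from collections import defaultdict

WELL_KNOWN = {  # identical on every Windows install, so they attribute nothing
    "S-1-1-0": "Everyone", "S-1-3-0": "CREATOR OWNER", "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users", "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
}
BUILTIN_RIDS = {  # reserved RIDs: the same number means the same role on every machine/domain
    500: "Administrator", 501: "Guest", 503: "DefaultAccount",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(text):
    """'S-1-<authority>-<sub>-<sub>...' -> (authority, [sub-authorities])."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a SID string: %r" % text)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def classify_sid(text):
    auth, subs = parse_sid(text)
    info = {"sid": text, "kind": "other", "name": None, "issuer": None, "rid": None, "unique": False}
    if text in WELL_KNOWN:
        info.update(kind="well-known", name=WELL_KNOWN[text])
    elif auth == 5 and subs[:1] == [21] and len(subs) in (4, 5):
        # S-1-5-21-A-B-C is the machine/domain SID itself; with a fifth value it is an account in it
        issuer = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        if len(subs) == 4:
            info.update(kind="machine-or-domain", issuer=issuer, unique=True)
        else:
            rid = subs[4]
            info.update(kind="account", issuer=issuer, rid=rid, unique=True,
                        name=BUILTIN_RIDS.get(rid))  # None for created accounts (RID >= 1000)
    elif auth == 12 and subs[:1] == [1]:
        info.update(kind="azure-ad-account", unique=True)  # S-1-12-1-... cloud identities
    return info


def group_by_issuer(sids):
    """Map each issuer (machine/domain SID) to the RIDs seen under it; non-account SIDs by kind."""
    groups = defaultdict(list)
    for s in sids:
        info = classify_sid(s)
        key = info["issuer"] or info["kind"]
        groups[key].append(info["rid"] if info["rid"] is not None else s)
    return {k: sorted(v, key=lambda x: (isinstance(x, str), x)) for k, v in groups.items()}


# constructed sample: what an examiner might pull from the security descriptors on a drive
SAMPLE_SIDS = [
    "S-1-5-21-1111111111-2222222222-3333333333-1001",  # created account on machine A
    "S-1-5-21-1111111111-2222222222-3333333333-1003",  # another created account on machine A
    "S-1-5-21-1111111111-2222222222-3333333333-500",   # built-in Administrator of machine A
    "S-1-5-21-4040404040-555555555-666666666-1105",    # account from a different machine/domain
    "S-1-5-32-544",                                    # Administrators group, any machine
    "S-1-5-18",                                        # SYSTEM, any machine
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        print(classify_sid(s))
    for issuer, members in group_by_issuer(SAMPLE_SIDS).items():
        print(issuer, "->", members)
```

The useful output for attribution is the grouping, not the individual SIDs: every account SID that shares the A-B-C issuer with folders the owner admits are his came from the same installation as those folders, whereas a well-known SID such as BUILTIN\Administrators on the contraband folder says nothing about which machine wrote it. Windows version matters for the other question in the post because it affects which RIDs and well-known SIDs (for example S-1-5-32-545 Users versus newer capability SIDs) you should expect to see.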


#15 FF0000Queen (Topic Starter, 15 posts)

Posted 11 August 2018 - 02:32 PM

Oooof, those are good questions. From my review it looks like there are about 4-5 SIDs copied to the hard drive that I can directly tie back to the target (lots of personal stuff). In total, I think it's about 20 SIDs on the drive (including in the subfolders). Most of the SIDs tied to the target are local user accounts, but there is one that I think was from a networked device. 

 

I have no idea what version of Windows was running on the laptop at the time. It all happened in 2013, about 4 years before I got involved. 





