Question about security identifiers

23 replies to this topic

#16 Didier Stevens (BC Advisor)

Posted 11 August 2018 - 02:59 PM

The string representation of an SID looks like this: S-1-5-21-3623811015-3361044348-30300820-1013

I've taken this example from the Wikipedia page on SIDs, because it's a good and short intro on SIDs: https://en.wikipedia.org/wiki/Security_Identifier

 

Now I will ask a couple of questions about the SID that is the owner of the contraband files, which is the same SID that is the owner of files that have been identified by the suspect as belonging to him, i.e. that it is the SID of the user account used by the suspect.

 

Does this SID look like the example above, i.e. start with S-1-5-21- followed by three groups with many digits, and then a last group with fewer digits?

Or is it much shorter, like this example: S-1-5-18?

 

If it resembles the Wikipedia example, is the last group of digits smaller than 1000 or not?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"



#17 britechguy (Moderator)

Posted 11 August 2018 - 03:03 PM

Also, my examiner thinks in rows of numbers, and I'm all about graphic displays. I could only understand this case when I mapped all the top level folders by SID, with corresponding subfolders by SID, on a white board and color-coded it. 

 

I will say that color-coding is an incredibly powerful tool when trying to graphically represent linkages that would be nightmarish to draw in "line and arrow" format because of their complexity.

 

It's really nice to be able to say something like, "All items shown in blue have a direct connection to each other.  The same is true for red, green, etc.  Because something can be directly connected to something else, but via a different route, a single item might have several colors associated with it."   Then quickly trace back the primary connection and show another, even if unrelated, to reinforce the concept.

 

Given that file system hierarchy is pretty much a parent-child relationship it tends to be relatively easy to draw with connecting lines, too.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley



#18 FF0000Queen (Topic Starter)

Posted 11 August 2018 - 03:22 PM

britechguy, you're 100% right about the color-coding. My office pretty much always looks like an episode of Scandal, and when I demonstrated my Beautiful Mind color-coded sticky note/point-arrows board, my colleagues all sorta nodded in agreement at my explanation. I think at least one or two actually understood what I was trying to explain.



#19 FF0000Queen (Topic Starter)

Posted 11 August 2018 - 03:29 PM

Didier, 

 

The target SID is similar to the one above, S-1-5-21-3623811015-3361044348-30300820-1000 (except it ends in 1000). There are at least three other SIDs attributable to the target (folders containing resume, photos, etc). What's also interesting is that when I mapped the SIDs out, I discovered the bad SID was also the owner of subfolders under a parent folder with a different SID. 

 

What's also interesting is that one backup associated with the contraband SID is actually an Apple computer. My theory about that is that he couldn't connect the hard drive directly to an Apple product, so he used his personal laptop to backup the Apple computer and then moved that file to the external hard drive. Otherwise, how does that SID get associated with the backup of an Apple product? 



#20 Didier Stevens (BC Advisor)

Posted 11 August 2018 - 04:22 PM

For the SID associated with a user account, that last number (1000) is the RID (Relative ID). Everything before it is the SID of the computer or the domain.

 

So SID(account) = SID(computer/domain) + RID.

 

If an RID is smaller than 1000, then you know it is associated with a default security principal, like the default administrative account (500). Non-default accounts have an RID of 1000 or larger. Typically RIDs are assigned sequentially: 1000, 1001, 1002, ...

 

With this method, Microsoft tries to guarantee that SIDs are unique.

The SID for a computer or a domain (like S-1-5-21-3623811015-3361044348-30300820) is generated with an algorithm designed so that it's virtually impossible that the same SID would be generated by 2 different computers.

By appending an RID that is generated sequentially and never reused, SIDs for other security principals (SID(computer/domain) + RID) are also unique.

 

There can be cases where the SIDs are not unique, e.g. duplicated.

One case is where disk imaging is used to install several computers that are not domain members: first on one computer, Windows is installed. Then the disk of this computer is cloned onto the disks of other computers as a method to rapidly deploy Windows on a bunch of computers. If no actions are taken to change the SID of the clone (with utilities like sysprep, newsid, ...), then all clones will have the same computer SID, and thus will have user accounts with the same SID.

 

Since the SID ends with 1000, it's the first non-default SID created, and I think it is unlikely that this is a domain account, and more likely to be a local account. Unless it's a domain with very few users.


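The decomposition Didier describes in posts #16 and #20 (SID(account) = SID(computer/domain) + RID, with RIDs below 1000 reserved for default principals and 1000 upwards handed out sequentially to created accounts) can be turned into a small parser, which is handy when an examiner has a list of file-owner SIDs and wants to see which accounts share a machine or domain SID. The following is an added example, not code from the thread or from any tool mentioned in it. The well-known SID and default-RID tables contain documented Microsoft values (S-1-5-18 is Local System, RID 500 is the built-in Administrator, 501 the Guest); the sample owner list reuses the Wikipedia example SID from the thread plus one constructed second-machine SID, and the `ParsedSid` fields and `kind` strings are this example's own naming.

```python
"""Parse Windows SID strings and split off the RID (added example for this thread).

Assumption: the SID strings come from file-owner data already extracted by a
forensic tool; this script only interprets the string form.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# S-1-<identifier authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Well-known SIDs that carry no machine/domain part (documented Microsoft values).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}

# Default RIDs present under every machine/domain SID (documented Microsoft values).
DEFAULT_RIDS = {500: "Administrator", 501: "Guest"}

NON_DEFAULT_RID_START = 1000  # first RID handed out to a user-created account


@dataclass
class ParsedSid:
    sid: str
    domain_sid: Optional[str]  # the S-1-5-21-X-Y-Z part, None for well-known SIDs
    rid: Optional[int]         # last subauthority of an account SID, else None
    kind: str                  # human-readable classification (this example's wording)


def parse_sid(sid: str) -> ParsedSid:
    """Split a SID string into machine/domain SID and RID and classify it."""
    text = sid.strip()
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]

    if text in WELL_KNOWN:
        return ParsedSid(text, None, None, f"well-known: {WELL_KNOWN[text]}")

    # S-1-5-21-<three values> identifies the computer or domain; a fifth
    # subauthority, if present, is the RID of an account on it.
    if authority == 5 and subs[0] == 21 and len(subs) in (4, 5):
        domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        if len(subs) == 4:
            return ParsedSid(text, domain_sid, None, "machine/domain SID (no RID)")
        rid = subs[4]
        if rid < NON_DEFAULT_RID_START:
            name = DEFAULT_RIDS.get(rid, f"RID {rid}")
            return ParsedSid(text, domain_sid, rid, f"default principal: {name}")
        # RIDs are typically sequential, so 1000 is the first created account.
        ordinal = rid - NON_DEFAULT_RID_START + 1
        return ParsedSid(text, domain_sid, rid,
                         f"non-default account (RID {rid}, #{ordinal} if assigned sequentially)")
    return ParsedSid(text, None, None, "other SID (not S-1-5-21 based)")


def group_by_domain(sids: List[str]) -> Dict[str, List[int]]:
    """Group account SIDs by machine/domain SID: accounts from one install cluster together."""
    groups: Dict[str, set] = defaultdict(set)
    for s in sids:
        p = parse_sid(s)
        if p.domain_sid is not None and p.rid is not None:
            groups[p.domain_sid].add(p.rid)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample: the Wikipedia example from the thread plus made-up owners.
SAMPLE_OWNERS = [
    "S-1-5-21-3623811015-3361044348-30300820-1013",
    "S-1-5-21-3623811015-3361044348-30300820-1000",
    "S-1-5-21-3623811015-3361044348-30300820-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1000",  # constructed second machine
    "S-1-5-18",
]

if __name__ == "__main__":
    for s in SAMPLE_OWNERS:
        p = parse_sid(s)
        print(f"{s:48} domain={p.domain_sid} rid={p.rid} -> {p.kind}")
    for domain, rids in group_by_domain(SAMPLE_OWNERS).items():
        print(f"{domain}: RIDs {rids}")
```

Two SIDs with the same machine/domain part but different RIDs are accounts from the same Windows install; two SIDs that differ in the S-1-5-21 part come from different installs (or, per the cloning caveat above, from clones that were never re-SIDed, which this string-level check cannot distinguish).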


#21 britechguy (Moderator)

Posted 11 August 2018 - 06:43 PM

FF0000Queen,

 

        Might I ask, directly, what your professional role is in this situation?

 

        I am finding this entire thread fascinating, but I will openly admit that I want to know whether the person I'm conversing with is working on behalf of the prosecution or the defense in this matter.  That will have a direct impact on my willingness to participate further.




#22 FF0000Queen (Topic Starter)

Posted 11 August 2018 - 06:47 PM

I am on the prosecution side. 



#23 britechguy (Moderator)

Posted 11 August 2018 - 07:43 PM

Thanks for responding, and directly.  To be perfectly honest that's what I was hoping, as I've made clear that I'm inclined to think that "the person" actually owns those folders and knew about them, but that there is a tiny bit of room for doubt.

 

I really wouldn't want to assist in any way in making that wiggle room larger.  The defense is supposed to be doing that, anyway, as this conversation wouldn't be occurring at all with a guilty plea.




#24 FF0000Queen (Topic Starter)

Posted 11 August 2018 - 07:48 PM

Yep, I never can be sure what will actually go to trial, but I'm thinking this one will - which is the reason I am making sure I am prepared and fully understand the holes in my own case. I want to be able to cross examine like I know what I'm talking about. That said, one of the challenges of this job is being so convinced in the strength of your case - data doesn't lie, right? - that it's hard to see the other side. 
