Course 36 - Windows Forensics and Tools | Episode 5: Structure and Forensic Significance

In this lesson, you’ll learn about: Windows Security Identifiers (SIDs) and user tracking1. What is a Security Identifier (SID)?A SID (Security Identifier) is a unique value assigned to every:UserGroupSecurity principal (system accounts, services)🔹 Core IdeaIt acts like a permanent digital fingerprint in WindowsUsed internally instead of usernames👉 Key Property:A SID is never reused, even if the account is deleted2. Why SIDs ExistWindows needs a stable way to identify identitiesUsernames can changeSIDs cannot🔹 Example UsePermissions are assigned to SIDs, not namesAccess control checks rely on SID matching3. SID in Access Tokens🔹 What happens at login?Windows creates an access tokenThis token contains:User SIDGroup SIDsPrivileges👉 Key Insight:Every process inherits this tokenThis determines what the user can do4. Structure of a SIDA SID is not random—it has a strict format:🔹 Main ComponentsIdentifier AuthoritySub-authority valuesRelative Identifier (RID)5. SID Breakdown Explained🔹 Identifier AuthorityDefines the system or domain originExample:Local machineDomain controller🔹 Sub-authoritiesRepresent hierarchical security structureProvide organizational uniqueness🔹 Relative Identifier (RID)The most specific partIdentifies the actual account6. Important RID Examples🔹 Common Built-in Accounts500 → Built-in Administrator501 → Guest account512 → Domain Admins group513 → Domain Users group🔹 Special Group“Everyone” group → universal access SID👉 Key Insight:RID tells you exactly what type of account it is7. How SIDs Are Used in Security🔹 Access ControlFile permissions are assigned to SIDsNot usernames🔹 Authentication FlowLogin → SID loaded → permissions applied8. Forensic Importance of SIDs🔹 What investigators can learnWhich user performed an actionWhether an account was deleted or renamedPrivilege escalation attempts🔹 Why it mattersEven if usernames change, SID stays the sameEnables long-term tracking of user behaviorKey TakeawaysSIDs are permanent unique identifiers in WindowsThey are used instead of usernames for security decisionsStored inside access tokens during loginStructured into authority, sub-authority, and RIDEssential for forensic tracking and access controlBig PictureSIDs help you:👉 Move from “who is the user?” → “what identity is truly behind the action?”Mental ModelUsername → Human labelSID → System truthYou can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy