Welcome back to Windows Registry Forensics, course 4, the SAM hive file. In section 2 we're going to talk about SAM security identifiers, otherwise known as SIDs.

A security identifier breaks down into three parts. First we have the issuing authority, then the machine or domain identifier, and last the RID, the relative identifier, which identifies the individual user or group.

Breaking the SID down, what does each group of numbers mean? Every SID starts with the letter S. Next comes the revision number; in this case it's a 1. After that we see a 5, which is the identifier authority: 5 is SECURITY_NT_AUTHORITY. Then the 21 is the first sub-authority. 21 is SECURITY_NT_NON_UNIQUE, which means the SID is not unique by itself: a machine or domain identifier and a trailing RID have to follow it before it identifies anything across multiple systems. After the 21 we have three groups of numbers, and these are the domain or machine identifier. That's how you're able to tell which domain or machine a particular SID was created on. The last group of numbers, as we said, is the relative identifier, or RID, which identifies a specific user or group on that system or domain.

So, breaking that down: we have the issuing and sub-issuing authorities, the S, the 1, the 5 and the 21. Remember, if we see the 21, we know there has to be a trailing RID. Keep that in mind.

Next slide. Here we can see a graphical representation of what we discussed: the S, the revision number, the issuing authority, and the sub-authority. You'll see different numbers here from time to time (well-known SIDs such as S-1-5-18, Local System, don't use 21 at all), but these are the ones you'll see most often. Next slide. Now we have the machine or domain identifier.
One of the important things to remember when you're looking at a system is that you can have SIDs in the $Recycle.Bin folder names that don't share the machine or domain identifier of the machine you're examining. You'll then need to figure out what the machine or domain identifier is for the system you're investigating, and we're going to talk about how you do that in a second. Then we have our trailing RID, which identifies the specific individual user.

We've looked at the SAM hive and seen its hierarchical structure of keys and sub-keys, the folders and sub-folders. The sub-key we're going to talk about now is the Account sub-key, under SAM\Domains. If you select the Account sub-key, you'll see two values in the right-hand pane, F and V; this is in Registry Explorer. We're going to look at the V value to decode the machine or domain identifier. The last 12 bytes of the V value are the machine identifier for the system you're working on.

Now, that just looks like 12 bytes of hex, so what are you supposed to do with it? Write down those 12 bytes and divide them into three groups of four. The bytes are stored little-endian, so write each group out in reverse byte order. Then convert each reversed group from hex to decimal as a 32-bit value, a DWORD. When you're converting, make sure you're using the right converter: it has to treat the value as a 32-bit unsigned DWORD. That gives you the three decimal numbers that make up the machine identifier.

A 32-bit DWORD here is an unsigned integer, so you cannot get a negative number. Briefly, on signed and unsigned integers: if you have a signed integer, it is possible for it to hold a negative number.
That doesn't mean it is negative; it means a negative value is possible. You are never going to see a negative number in a machine identifier. If you come up with a negative value, something is not right, most likely the converter treated the DWORD as signed, and you should recheck it.

We'll see where this becomes really important when you're investigating machines, especially in a corporate environment. You're going to have accounts that were created on a domain or on other local machines, with the user logging into the system through Remote Desktop, through the domain, or some other way, so you may have three or four different machine identifiers on one system. One of the first things you need to know is which user accounts were created on the local machine and which were not, because they were created somewhere else. You do that by following the process we just talked about: decode the machine identifier from the SAM hive so you know, okay, this is the machine identifier for the system I'm on, and then compare it against the identifier portion of each SID you find.

This is just another representation, because I know that was a lot to take in. Again: write down the 12 bytes, break them into three groups of four, reverse each group because it is little-endian, and then convert hex to decimal. It's in the SAM hive, under the Account sub-key, in the V value, and it's the last 12 bytes.

In our next section we'll take a look at the RID, the relative identifier, and how it relates to our individual user accounts.
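As an added example, not part of the course material, here is a Python script that carries out the decoding procedure above on a constructed V-value tail, shows the negative number you get when the DWORD is wrongly converted as signed, and then applies the comparison the instructor describes by sorting a list of SIDs into local, other-machine/domain, and well-known. The sample bytes and SIDs are made up for illustration, and the function names are mine; it goes slightly beyond the course by also checking the SID header bytes that precede the 12-byte tail.

```python
"""Decode a machine SID from the SAM\\Domains\\Account V value and sort SIDs by origin."""
import re
import struct

# Constructed sample of the LAST 24 bytes of an Account key V value (made up for this
# example, not taken from any real system). The course uses only the final 12 bytes;
# the 12 bytes before them are the SID header as stored in the hive:
#   01                  revision 1
#   04                  number of sub-authorities (21 plus three machine-identifier DWORDs)
#   00 00 00 00 00 05   identifier authority 5 = SECURITY_NT_AUTHORITY (6 bytes, big-endian)
#   15 00 00 00         first sub-authority 21 = SECURITY_NT_NON_UNIQUE (little-endian DWORD)
SAMPLE_V_TAIL = bytes.fromhex(
    "01 04 00 00 00 00 00 05"
    "15 00 00 00"
    "78 56 34 12"   # machine identifier part 1, stored little-endian -> 0x12345678
    "47 6B FF D7"   # part 2 -> 0xD7FF6B47; high bit set, so a signed convert goes negative
    "40 42 0F 00"   # part 3 -> 0x000F4240
)


def decode_dword(raw: bytes, signed: bool = False) -> int:
    """Convert one 4-byte little-endian group to an integer.

    '<I' (unsigned) is the correct interpretation for a machine identifier; the signed
    '<i' option exists only to demonstrate the wrong-converter failure mode.
    """
    return struct.unpack("<i" if signed else "<I", raw)[0]


def decode_machine_sid(v_value: bytes) -> str:
    """Rebuild the machine SID from the last 12 bytes of the Account key's V value."""
    if len(v_value) < 16:
        raise ValueError("V value too short to hold a machine SID")
    # Sanity check (my addition): the DWORD just before the tail should be sub-authority 21.
    if decode_dword(v_value[-16:-12]) != 21:
        raise ValueError("bytes before the 12-byte tail are not sub-authority 21")
    tail = v_value[-12:]
    parts = [decode_dword(tail[i:i + 4]) for i in range(0, 12, 4)]
    return "S-1-5-21-" + "-".join(str(p) for p in parts)


SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split a textual SID into revision, identifier authority, sub-authorities and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    info = {"revision": int(m.group(1)), "authority": int(m.group(2)),
            "sub_authorities": subs, "domain_identifier": None, "rid": None}
    # S-1-5-21-<d1>-<d2>-<d3>[-<rid>]: with 21 present, a machine/domain identifier follows.
    if info["authority"] == 5 and len(subs) >= 4 and subs[0] == 21:
        info["domain_identifier"] = tuple(subs[1:4])
        info["rid"] = subs[4] if len(subs) > 4 else None
    return info


def classify_sids(machine_sid: str, sids: list) -> dict:
    """Label each SID as created on this machine, elsewhere, or a well-known SID."""
    local_id = parse_sid(machine_sid)["domain_identifier"]
    result = {}
    for sid in sids:
        info = parse_sid(sid)
        if info["domain_identifier"] is None:
            result[sid] = "well-known"
        elif info["rid"] is None:
            result[sid] = "machine/domain SID (no RID)"
        elif info["domain_identifier"] == local_id:
            result[sid] = "local"
        else:
            result[sid] = "other machine or domain"
    return result


# Constructed SIDs of the kind you would collect from $Recycle.Bin folder names.
SAMPLE_SIDS = [
    "S-1-5-21-305419896-3623840583-1000000-1001",   # local user account
    "S-1-5-21-305419896-3623840583-1000000-500",    # local built-in Administrator RID
    "S-1-5-21-111111111-222222222-333333333-1105",  # created on some other machine/domain
    "S-1-5-18",                                     # Local System, well-known
]

if __name__ == "__main__":
    machine_sid = decode_machine_sid(SAMPLE_V_TAIL)
    print("machine SID:", machine_sid)
    print("part 2 unsigned:", decode_dword(SAMPLE_V_TAIL[-8:-4]))
    print("part 2 if wrongly treated as signed:", decode_dword(SAMPLE_V_TAIL[-8:-4], signed=True))
    for sid, origin in classify_sids(machine_sid, SAMPLE_SIDS).items():
        print(f"{sid:45} {origin}")
```

The header check in decode_machine_sid is not something the course asks for, but it is a cheap way to catch the case where you copied the tail of the wrong value; the real test of the procedure is that every decoded part is a non-negative 32-bit number and the rebuilt SID matches the identifier portion of the local accounts you already know about.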