[ sleuthkit-Feature Requests-2895607 ] Identify in NTFS the SID of the owner of a file



Feature Requests item #2895607, was opened at 2009-11-10 19:25
Message generated for change (Tracker Item Submitted) made by jamiebutler
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System
Group: None
Status: Open
Priority: 5
Private: No
Submitted By: James Butler (jamiebutler)
Assigned to: Nobody/Anonymous (nobody)
Summary: Identify in NTFS the SID of the owner of a file

Initial Comment:
The owner SID of files needs to be identified per file.

Every file has an associated security identifier which identifies the owner, groups, etc. of the file. More than one file may have the same security identifier if the files share the exact same security descriptor. Using the security identifier of the file (secid), we can look up its security descriptor within $Secure. Security descriptors are variable length and contained in the $SDS stream within $Secure. The $SII stream of $Secure is an index into the $SDS stream. $SII entries are stored incrementally by the secid. Once we find the secid of the file inside the $SII stream, the $SII entry will tell the offset within the $SDS stream to read the security descriptor.

Use the tsk_fs_file_read_owner_sid function within fs_file.c to get the string representation of the owner SID of a file on NTFS. When an NTFS filesystem is opened ntfs_open is called. ntfs_open initializes a pointer to ntfs_lookup_security_id and then calls ntfs_load_secure. ntfs_load_secure opens MFT entry 9, $Secure, and reads in the $SDS and $SII streams. When tsk_fs_file_read_owner_sid is called on a TSK_FS_FILE, the owner SID is returned in its string form.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477892&aid=2895607&group_id=55685

_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
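As an added example (not part of the tracker item and not TSK's own code), this shows the step the request leaves implicit once the $SII lookup has located an entry in $SDS: decoding that entry's self-relative security descriptor into the owner SID string. The $SDS entry bytes are constructed, and the function names are hypothetical rather than TSK's tsk_fs_file_read_owner_sid.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTFS on-disk integers are little-endian; the SID authority is big-endian. */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Render a binary SID (revision, sub-authority count, 48-bit authority,
   sub-authorities) as "S-1-5-...". Returns 0, or -1 if malformed or truncated. */
int ntfs_sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen) {
    if (len < 8 || sid[1] > 15 || len < 8 + 4u * sid[1]) return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = auth << 8 | sid[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < sid[1]; i++) {
        int m = snprintf(out + n, outlen - n, "-%u", (unsigned)le32(sid + 8 + 4 * i));
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return 0;
}

/* One $SDS entry: 20-byte header (hash, secid, 8-byte stream offset, length)
   followed by a self-relative SECURITY_DESCRIPTOR. Extracts secid and owner SID. */
int sds_entry_owner_sid(const uint8_t *e, size_t len, uint32_t *secid, char *out, size_t outlen) {
    if (len < 40) return -1;                              /* entry header + SD header */
    uint32_t elen = le32(e + 16);
    if (elen < 40 || elen > len) return -1;               /* length field must fit buffer */
    *secid = le32(e + 4);
    const uint8_t *sd = e + 20; size_t sdlen = elen - 20;
    if (sd[0] != 1 || !(le16(sd + 2) & 0x8000)) return -1; /* revision 1, SE_SELF_RELATIVE */
    uint32_t owner_off = le32(sd + 4);
    if (owner_off == 0 || owner_off >= sdlen) return -1;  /* owner offset inside the SD */
    return ntfs_sid_to_string(sd + owner_off, sdlen - owner_off, out, outlen);
}

/* Constructed sample entry (not from a real image): secid 256, owner
   S-1-5-32-544, group S-1-5-18, no SACL or DACL. */
static const uint8_t sample_sds_entry[] = {
    0x78,0x56,0x34,0x12, 0x00,0x01,0x00,0x00, 0,0,0,0,0,0,0,0, 0x44,0x00,0x00,0x00,
    0x01,0x00,0x00,0x80, 0x14,0,0,0, 0x24,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01,0x02,0,0,0,0,0,0x05, 0x20,0,0,0, 0x20,0x02,0,0,
    0x01,0x01,0,0,0,0,0,0x05, 0x12,0,0,0 };

int main(void) {
    char sid[64]; uint32_t secid;
    if (sds_entry_owner_sid(sample_sds_entry, sizeof sample_sds_entry, &secid, sid, sizeof sid) == 0)
        printf("secid %u owner %s\n", secid, sid);        /* secid 256 owner S-1-5-32-544 */
    return 0;
}
```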