NTFS Security Descriptors ($Secure)
The $Secure metafile is the centralized repository for all security descriptors on an NTFS volume. Rather than storing a full access control list inside every file's MFT record, NTFS stores a unique Security ID (SID hash) reference in each record and points it to the actual descriptor stored in $Secure. For forensic analysts, this file can reveal who owned files, what permissions were set and how they have changed — information that is critical when investigating privilege abuse or unauthorized file access.
Imagine every locked room in a building uses a key. Instead of making a unique key description for every single door, the building manager keeps one master key cabinet and just assigns each door a number that references a key in the cabinet. NTFS does the same thing. Instead of storing a full list of "who can access this file" inside each file's record, it stores a small number that points to the actual access rules in the $Secure cabinet.
General
The $Secure file (MFT Entry 9) contains two streams: $SDS (Security Descriptor Stream), which holds all raw security descriptor data, and $SDH (Security Descriptor Hash index), which provides fast lookup by descriptor hash. Each security descriptor is a structured binary blob containing an Owner SID identifying who owns the file, a DACL (Discretionary Access Control List) defining who has read/write/execute permissions, and a SACL (System Access Control List) defining which access attempts generate audit events. Because NTFS deduplicates identical descriptors, a single entry in $Secure may represent the security settings for thousands of files, which makes it both an efficient storage mechanism and an efficient investigation target.
Traces
Parsing $Secure and correlating SID references from the MFT reveals:
- Owner SID: The security identifier of the account that owns the file or directory.
- DACL Entries: Explicit allow or deny access rules applied to each unique security descriptor.
- SACL Entries: Configured auditing rules that determine which access events are logged to the Security event log.
- Security ID (SecID): The 4-byte key linking each MFT file record back to its security descriptor in $Secure.
- and more.
Forensic Use Cases
We examine $Secure to investigate unauthorized permission changes and privilege escalation:
- Ownership Analysis: Identifying files and directories owned by unexpected accounts which may indicate an attacker has taken control of sensitive system resources.
- Permission Backdooring: Detecting DACL entries granting broad access to attacker-controlled accounts on sensitive directories like SAM backup locations or credential stores.
- Auditing Evasion: Identifying SACL configurations that were deliberately removed to prevent access audit events from being generated during an intrusion.
- and more.
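The descriptor layout described under General and the Permission Backdooring use case above, as an added example that is not part of the original page: it parses a self-relative security descriptor of the kind stored in $SDS (owner SID, group SID, DACL/SACL ACEs), computes the rotate-left-3-and-add hash that $SDH keys descriptors by, and flags allow ACEs that hand write-class rights to everyone-style principals. The sample descriptor bytes and the WRITE_BITS / WORLD_SIDS thresholds are constructed for this example; the structures and ACE type values are the documented Windows ones.

```python
import struct
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}  # shared layout; object ACEs (5-8) are skipped
WORLD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, BUILTIN\Users (example threshold)
WRITE_BITS = 0x10000000 | 0x40000000 | 0x000C0000 | 0x2  # GENERIC_ALL|GENERIC_WRITE|WRITE_OWNER|WRITE_DAC|FILE_WRITE_DATA

def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # IdentifierAuthority is big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_acl(buf, off):
    ace_count = struct.unpack_from("<BBHHH", buf, off)[3]  # AclRevision, Sbz1, AclSize, AceCount, Sbz2
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, flags, size = struct.unpack_from("<BBH", buf, pos)  # ACE_HEADER
        if ace_type in ACE_TYPES:
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            aces.append({"type": ACE_TYPES[ace_type], "flags": flags, "mask": mask, "sid": parse_sid(buf, pos + 8)})
        pos += size
    return aces

def parse_descriptor(buf):
    _rev, _sbz, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)  # self-relative header
    return {"owner": parse_sid(buf, o_owner) if o_owner else None,
            "group": parse_sid(buf, o_group) if o_group else None,
            "dacl": parse_acl(buf, o_dacl) if control & 0x0004 and o_dacl else None,  # SE_DACL_PRESENT
            "sacl": parse_acl(buf, o_sacl) if control & 0x0010 and o_sacl else None}  # SE_SACL_PRESENT

def sdh_hash(sd):
    h = 0  # $SDH index key: for each little-endian dword, hash = rol32(hash, 3) + dword
    for (dword,) in struct.iter_unpack("<I", sd[:len(sd) & ~3]):
        h = ((((h << 3) | (h >> 29)) & 0xFFFFFFFF) + dword) & 0xFFFFFFFF
    return h

def broad_write_grants(sd):
    # Allow ACEs giving write-class rights to everyone-style principals: the permission-backdoor pattern
    return [(a["sid"], a["mask"]) for a in sd["dacl"] or []
            if a["type"] == "ACCESS_ALLOWED" and a["sid"] in WORLD_SIDS and a["mask"] & WRITE_BITS]

def build_sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

# Constructed sample: owner Administrators, group SYSTEM, DACL = SYSTEM full control + Everyone full control, no SACL
OWNER, GROUP = build_sid(5, 32, 544), build_sid(5, 18)
ACES = build_ace(0, 0x1F01FF, build_sid(5, 18)) + build_ace(0, 0x1F01FF, build_sid(1, 0))
DACL = struct.pack("<BBHHH", 2, 0, 8 + len(ACES), 2, 0) + ACES
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 20 + len(OWNER), 0, 20 + len(OWNER) + len(GROUP)) + OWNER + GROUP + DACL
```

Running parse_descriptor(SAMPLE_SD) and broad_write_grants on the result flags the Everyone ACE; the same functions work on descriptor records carved from a real $SDS stream once their 20-byte $SDS entry header is stripped.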