Course 36 - Windows Forensics and Tools | Episode 5: Structure and Forensic Significance

Course 36 - Windows Forensics and Tools | Episode 5: Structure and Forensic Significance

From CyberCode Academy by CyberCode Academy

June 3, 2026 · 21 min

About this episode

This episode covers the significance and structure of Windows Security Identifiers (SIDs) in forensics.

In this lesson, you’ll learn about: Windows Security Identifiers (SIDs) and user tracking1. What is a Security Identifier (SID)? A SID (Security Identifier) is a unique value assigned to every: User Group Security principal (system accounts, services) 🔹 Core Idea It acts like a permanent digital fingerprint in Windows Used internally instead of usernames 👉 Key Property: A SID is never reused, even if the account is deleted 2. Why SIDs Exist Windows needs a stable way to identify identities Usernames can change SIDs cannot 🔹 Example Use Permissions are assigned to SIDs, not names Access control checks rely on SID matching 3. SID in Access Tokens🔹 What happens at login? Windows creates an access token This token contains: User SID Group SIDs Privileges 👉 Key Insight: Every process inherits this token This determines what the user can do 4. Structure of a SIDA SID is not random—it has a strict format:🔹 Main Components Identifier Authority Sub-authority values Relative Identifier (RID) 5. SID Breakdown Explained🔹 Identifier Authority Defines the system or domain origin Example: Local machine Domain controller 🔹 Sub-authorities Represent hierarchical security structure Provide…

Topics covered

  • Windows Forensics
  • Security Identifiers
  • User Tracking
  • Access Control
  • Forensic Tools

Keywords

  • Security Identifier
  • SID
  • Access Token
  • Permissions
  • Relative Identifier

Mentioned in this episode

Organizations: Windows, Windows Security Identifiers, Domain, Local machine, Domain controller

More episodes of CyberCode Academy

Explore listener stats, chart rankings, contacts and more on the CyberCode Academy podcast page.