Hi,
An NTFS external hard drive in an enclosure was imaged by someone, and the image just off the root shows 7 Recycle Bins. All different SID numbers, except:
Each of the SIDs is different except for the last 4:
5 of the SIDs have 1000
1 of the SIDs has 1001
1 of the SIDs has 1002
Any ideas why?
Could it mean that it was hooked up to lots of other computers and entire systems were copied over along with the recycler?
Thanks, you guys.
I am assuming you are referring to the last 4 numbers of the SID. These are the relative IDs. Anything 1000 or greater is a different group or user.
It means this hard drive was connected to at least 5 different computers.
Everything before the RID (the last four digits) is the Machine ID. This GUID is unique to the machine. For example, my Machine ID is S-1-5-21-3961969806-1302570353-1021672840-
If that external drive was attached to my system, that number may appear.
The second part, the last four digits, is the RID. This is just a number assigned to the user. 1000 is the first user, 1001, the second, etc. 500 and 501 are assigned to Administrator and Guest, respectively.
To get more information, you'd have to find the computers these Machine IDs belong to, and find which user each RID was assigned to.
> It means this hard drive was connected to at least 5 different computers.
> Everything before the RID (the last four digits) is the Machine ID. This GUID is unique to the machine. For example, my Machine ID is S-1-5-21-3961969806-1302570353-1021672840-
> If that external drive was attached to my system, that number may appear.
> The second part, the last four digits, is the RID. This is just a number assigned to the user. 1000 is the first user, 1001, the second, etc. 500 and 501 are assigned to Administrator and Guest, respectively.
> To get more information, you'd have to find the computers these Machine IDs belong to, and find which user each RID was assigned to.
It could also mean that the computer was used in a domain as each time the domain is entered a new SID is calculated. I am not sure if the OP means the first part of the SIDs are the same or not.
> It could also mean that the computer was used in a domain as each time the domain is entered a new SID is calculated.
Fair point.
> I am not sure if the OP means the first part of the SIDs are the same or not.
Well, if the SID was the same, you wouldn't have duplicate RIDs. For instance, if the SID was the same, you wouldn't have 5 1000 RIDs.
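To make the two points above concrete (the split of each Recycle Bin folder name into a machine/domain prefix plus RID, and the observation that one prefix should never hold the same RID twice), here is an added Python example. It is not code from the thread or from any of the posters. The folder names it analyses are constructed to match the OP's description (seven bins, five with RID 1000, one with 1001, one with 1002, two of them sharing a prefix); only the one prefix quoted earlier in the thread is taken from the page, the rest are made up.

```python
import re
from collections import Counter, defaultdict

# A SID string looks like S-<revision>-<identifier authority>-<sub-authorities>...-<RID>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known RIDs named in the thread; 1000 and up are ordinary users/groups
# handed out in creation order.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Constructed sample: $Recycle.Bin subfolder names as they might appear in an image.
# Prefix A is the one quoted in the thread; B-F are made-up placeholders.
SAMPLE_BINS = [
    "S-1-5-21-3961969806-1302570353-1021672840-1000",  # prefix A, RID 1000
    "S-1-5-21-3961969806-1302570353-1021672840-1002",  # prefix A again, RID 1002
    "S-1-5-21-1111111111-2222222222-3333333333-1000",  # prefix B
    "S-1-5-21-4444444444-5555555555-6666666666-1000",  # prefix C
    "S-1-5-21-7777777777-8888888888-9999999999-1000",  # prefix D
    "S-1-5-21-1212121212-3434343434-5656565656-1000",  # prefix E
    "S-1-5-21-9898989898-7676767676-5454545454-1001",  # prefix F
]


def parse_sid(sid):
    """Split a SID into (issuing machine/domain prefix, RID).

    The prefix is everything before the last '-'; for a normal account SID that is
    S-1-5-21-<a>-<b>-<c>, which identifies the machine or domain that created the
    account. The final sub-authority is the RID.
    """
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def describe_rid(rid):
    """Human-readable meaning of a RID, following the thread's explanation."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return f"user/group number {rid - 1000 + 1} created on that machine/domain"
    return "built-in or well-known account"


def analyse_recycle_bins(folder_names):
    """Group Recycle Bin folder names by issuing machine/domain.

    Returns a dict with:
      by_prefix       - {prefix: sorted RIDs seen under that prefix}
      machine_count   - number of distinct prefixes, a lower bound on the number of
                        machines/domains the drive was used with
      rid_histogram   - {rid: how many bins carry it}
      duplicate_pairs - (prefix, rid) seen more than once; expected to be empty,
                        since one issuer never assigns the same RID to two accounts
    """
    by_prefix = defaultdict(list)
    pairs = Counter()
    rids = Counter()
    for name in folder_names:
        prefix, rid = parse_sid(name)
        by_prefix[prefix].append(rid)
        pairs[(prefix, rid)] += 1
        rids[rid] += 1
    return {
        "by_prefix": {p: sorted(r) for p, r in by_prefix.items()},
        "machine_count": len(by_prefix),
        "rid_histogram": dict(rids),
        "duplicate_pairs": sorted(k for k, n in pairs.items() if n > 1),
    }


if __name__ == "__main__":
    result = analyse_recycle_bins(SAMPLE_BINS)
    print(f"distinct issuing machines/domains (at least): {result['machine_count']}")
    for prefix, rids in result["by_prefix"].items():
        labels = ", ".join(f"{r} ({describe_rid(r)})" for r in rids)
        print(f"  {prefix}: {labels}")
    print("RID histogram:", result["rid_histogram"])
    print("duplicate (prefix, RID) pairs:", result["duplicate_pairs"] or "none")
```

Run against the constructed names, the script reports six distinct prefixes for seven bins: the drive was attached to at least six different issuers (machines or domains), and the 1000/1002 pair under one prefix is the only case of two accounts from the same issuer. The duplicate check is the point made above: if any prefix listed the same RID twice, the folder names could not have come from accounts created by one machine.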
Should be tested but it looks like the drive has been plugged in to multiple accounts on probably multiple computers and files deleted each time.
Should be an easy test to replicate
In my experience I have mostly seen this is on a machine that is on an AD domain.
The accounts were not created on that target machine, simply logged in - local or remote.
So you could have the same external drive attached to a single machine, but different user accounts on the domain.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ should hold the cached logon for the domain.
Looking under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters will show a dynamic domain. If HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName is present, it is hardcoded.
This of course does not exclude the actual moving of the external drive to different machines.
> In my experience I have mostly seen this is on a machine that is on an AD domain.
> The accounts were not created on that target machine, simply logged in - local or remote.
> So you could have the same external drive attached to a single machine, but different user accounts on the domain.
If all these user accounts were part of the same domain, wouldn't the SID be the same, and the RIDs all be unique (no duplicates)?
Plus, don't domain RIDs start higher than 1000? (Mine is 1600ish on my work machine.)
Forgive my ignorance, as I have only dealt with stand-alone computers in terms of forensics.
Thank you for the replies all you guys.
The only item which is available, is this external hard drive. No machine which it may or may not have been hooked up to is available for any type of imaging or scanning.
Also, 2 of the SIDs are the same except for the LF (last 4), which show up as 1000 and 1002. Every other SID is different and has 1000 for the LF.
jhup wrote:
> In my experience I have mostly seen this is on a machine that is on an AD domain.
> The accounts were not created on that target machine, simply logged in - local or remote.
> So you could have the same external drive attached to a single machine, but different user accounts on the domain.
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ should hold the cached logon for the domain.
> Looking under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters will show a dynamic domain. If HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SiteName is present, it is hardcoded.
> This of course does not exclude the actual moving of the external drive to different machines.
This reference description by Microsoft may be of value -
http//
My experience was in a federated AD structure, so it is possible that the cause of the different SIDs is the originating domain.