Structure of $Secure File
The table below describes the MFT record structure of the file named $Secure.
$Secure file MFT record structure
| Attribute type | Attribute name | Description |
|---|---|---|
| $DATA | $SDS | Security Descriptor Stream. Named data stream that contains a list of all the Security Descriptors on the volume. |
| $INDEX_ROOT | $SDH | Security Descriptor Hash index root |
| $INDEX_ROOT | $SII | Security ID index root |
| $INDEX_ALLOCATION | $SDH | Security Descriptor Hash index storage allocation table |
| $INDEX_ALLOCATION | $SII | Security ID Index storage allocation table |
| $BITMAP | $SDH | Security Descriptor Hash index bitmap |
| $BITMAP | $SII | Security ID Index bitmap |
The figure below shows the $SDS and two indexes that provide access to the data stream: $SDH (Security Descriptor Hash) and $SII (Security ID Index).
$SDS Data Stream
The picture illustrates that each entry in the $SDS stream is accompanied by two values used as index keys:
- a Security Descriptor Hash for indexing purposes
- a Security ID, related to the MFT file record; this ID is unique for the NTFS volume and is used as a reference to the $SII index
The $SII index is sorted in ascending order by Security ID and maps each Security ID to the security descriptor's storage location in the $SDS data attribute.
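The lookup path described above, as an added example that is not part of the original page: it walks a constructed $SDS stream, builds an ID-sorted index in the manner of $SII, and resolves a Security ID to its descriptor bytes while checking the stored hash. The 20-byte entry header layout, the 16-byte alignment and the rotate-and-add hash are assumptions taken from common NTFS on-disk format documentation, not from this page; the helper names are hypothetical and $SDS is treated as a single run of entries.

```python
import struct
from bisect import bisect_left

# Assumed entry header (not given on the page): hash, Security ID,
# offset of the entry within $SDS, entry size including this header.
HDR = struct.Struct("<IIQI")

def sd_hash(sd: bytes) -> int:
    """Rotate-left-by-3-and-add over 32-bit LE words (assumed algorithm)."""
    h = 0
    for (word,) in struct.iter_unpack("<I", sd[: len(sd) & ~3]):
        h = (word + ((h << 3) | (h >> 29))) & 0xFFFFFFFF
    return h

def build_sds(descriptors) -> bytes:
    """Build a constructed $SDS stream; entries are padded to 16 bytes."""
    out = b""
    for sec_id, sd in descriptors:
        raw = HDR.pack(sd_hash(sd), sec_id, len(out), HDR.size + len(sd)) + sd
        out += raw + b"\x00" * (-len(raw) % 16)
    return out

def build_sii(sds: bytes) -> list:
    """Walk $SDS and return (security_id, hash, offset, size) sorted by ID."""
    entries, pos = [], 0
    while pos + HDR.size <= len(sds):
        h, sec_id, off, size = HDR.unpack_from(sds, pos)
        if size < HDR.size or off != pos or pos + size > len(sds):
            break  # zero fill or inconsistent header: stop walking
        entries.append((sec_id, h, off, size))
        pos += (size + 15) & ~15
    return sorted(entries)

def lookup(sds: bytes, sii: list, sec_id: int):
    """Binary-search the ID-sorted index, then slice the descriptor out of $SDS."""
    i = bisect_left(sii, (sec_id,))
    if i == len(sii) or sii[i][0] != sec_id:
        return None
    _, h, off, size = sii[i]
    sd = sds[off + HDR.size : off + size]
    if sd_hash(sd) != h:
        raise ValueError(f"hash mismatch for Security ID {sec_id:#x}")
    return sd

# Constructed sample: opaque placeholder bytes, not real security descriptors.
SAMPLE = [(0x102, b"descriptor-for-logs-dir!"), (0x100, b"descriptor-root!"),
          (0x101, b"descriptor-user-home")]
SDS = build_sds(SAMPLE)
SII = build_sii(SDS)
```

A hash mismatch on lookup means the descriptor bytes and the stored header disagree, which is worth flagging during forensic review of a volume image.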