Structure of $Secure File
The table below describes the MFT record structure of the file named $Secure.
$Secure file MFT record structure
| Attribute Type | Name | Description |
|---|---|---|
| $STANDARD_INFORMATION | ||
| $FILE_NAME | $Secure | |
| $DATA | $SDS | Security Descriptor Stream. Named data stream that contains a list of all the Security Descriptors on the volume. |
| $INDEX_ROOT | $SDH | Security Descriptor Hash index root |
| $INDEX_ROOT | $SII | Security ID index root |
| $INDEX_ALLOCATION | $SDH | Security Descriptor Hash index storage allocation table |
| $INDEX_ALLOCATION | $SII | Security ID Index storage allocation table |
| $BITMAP | $SDH | Security Descriptor Hash index bitmap |
| $BITMAP | $SII | Security ID Index bitmap |
The figure below shows the $SDS and two indexes that provide access to the data stream: $SDH (Security Descriptor Hash) and $SII (Security ID Index).
$SDS Data Stream
The picture illustrates that each entry in the file is accompanied by two indexes:
- a Security Descriptor Hash for indexing purposes
- a Security ID, related to the MFT file record; this ID is unique for the NTFS volume and is used as a reference to the $SII index
The $SII index is sorted in ascending order by Security ID and maps each Security ID to the security descriptor's storage location in the $SDS data attribute.