Home » Updates » Microsoft Active Directory Forensics

Microsoft Active Directory Forensics

Published By Ashwani Tiwari
Aswin Vijayan
Approved By Aswin Vijayan
Published On April 14th, 2022
Reading Time 5 Minutes Reading
Category Updates

Microsoft Active Directory is an innovative, extensible and hierarchical amenity that enables working with interconnected and intricate network resources. Active directory is almost organized as an Internet’s Domain Naming System with a domain-based grid. Microsoft introduced an active directory with Windows 2000 Server and it offers the latest features in Windows Server 2008.

Active Directory Partition is a place where the AD information is segregated and logically saved. There are three types of directory partitions such as configuration,  schema and domain in which schema or configuration partitions are created inevitably at the time of installation.

Location and File Name of Microsoft Active Directory

Stores the data of the Microsoft Active Directory in the NTDS.DIT ESE (Extensible Storage Engine) database file. On the domain server the two copies of NTDS.DIT files are existing in two altered locations:

%SystemRoot%\NTDS\Ntds.dit: This file saves the record of the domain controller. It also holds the value and replica of data used in the domain controller.

%SystemRoot%\System32\Ntds.dit: When the user stimulates a Windows Server 2008 computer on the domain controller. Then this file is used as a dispersal replica of the default directory.


What is NTDS.DIT Analysis?

NTDS.DIT is an acronym for NT Directory Services and DIT stands for Directory Information Tree. NTDS.DIT file is used to store all the databases of active directory such as user name, IP address, computers, and resources that are part of a network. This Active Directory forensics database file is commonly situated in the %Winder%\NTDS\ folder and in the same folder other database recovery files like Edb.log, Edbxxxxx.log, Edb.chk has also existed for spare conditions. NTDS.DIT is a database (ESE- Extensible Storage Engine) file that stores crucial evidence that can be used in forensic investigation.


Forensic Analysis of NTDS.DIT File



The data storage physical structure of NTDS.DIT File consists of three significant tables; Data table, Link table, SD table and its allied log and temporary files.

Data Table: – All the evidence of the user database that is used to analyse log Active Directory is available in the data table. The structure of a data table can be in the form of rows and columns; in which each row expresses an example of an entity and the columns show an attribute in the schema.

Link Table: – Link table is used to signify a linked attribute, that contains values and denotes other substances available in the  Microsoft Active Directory analysis. The link table is announced with Windows Server 2003 and the size of it is much smaller compared to the data table.

SD Table: – The SD table is used to accumulate the safety descriptors for every available entity. SD table is launched with Windows Server 2003 and its later versions. Under the provisions of this updated release, the safety descriptors are now available within a primarily defined SD table instead of getting individually postulated. These entities defined inside the SD table remain intact linked to their respective objects.

EDB.log: – EDB.log files reserve the active directory transactions before it submits to NTDS.DIT database file and the size of this file is 10 MB.

EDB.chk: – This is a checkpoint file that retains the track of transactions to analyse the log of Active Directory.

EDB0000X.log: – These are the additional transaction log files that are used when the space in the prevailing log file is filled and the size of each file is also10 MB.

How to perform Forensic on user entities to analyse NTDS.DIT File?

During an NTDS.DIT analysis, it is very important for Forensicators to carve out crucial evidence from user accounts. The below information describes which type of evidence it can extract from the user account.

Time of last account login

The date and time information of the user account is stored in the ATTq589876 field. The last activity performed by a user on a domain controller is saved in NTDS. NIT database file. To catch the last login time,  the investigator needs to check all the DCs values because the last login time can be different on another DC (Domain Component).

UserAccountControl Field

UserAccountControl field provisions multiple flags that investigators can use to attain the information about a user account at the time of examination.

Password hashes encryption/decryption

The NTDS.DIT files store the password hashes (LM and NT) of the user entity in an encrypted format. To analyse and decrypt the password hashes of a user account an investigator needs to follow these steps: –

  • Get the value of encoded LM and NT hash.
  • The secondary level forensics requires decoding the Password Encryption Key with the boot key.
  • Then investigator needs to decode the hashes with Password Encryption Key and RC4-layer 2.
  • The last step requires hash decryption DES – layer 3.

During the Microsoft Active Directory Forensics Analysis, Can we Recover the Deleted Entities of the User account?

The process to select suspect entities as deleted is called tombstoned. When the suspect deletes their account entities from NTDS.DIT file, then it is not deleted permanently from the database. It will first enthuse to a Deleted object folder. At the time of NTDS.DIT analysis, if an investigator catches the object that is marked with a 0x02000000 flag, it means it still exists. Because the computer automatically re-titled it as, on controller domains the default period of the tombstone is 60 days.