Blog

Microsoft Active Directory Forensics

Olivia Dehaviland | March 14th, 2015 | Updates

Microsoft Active Directory is an innovative, extensible and hierarchical amenity that enables working with interconnected and intricate network resources. Active directory is almost organized as an Internet’s Domain Naming System with domain-based grid. Microsoft introduced an active directory with Windows 2000 Server and the latest features of it is offered in Windows Server 2008.

Active Directory Partition is a place where the AD information is segregated and logically saved. There are three types of directory partitions such as configuration,  schema and domain in which schema or configuration partitions are created inevitably at the time of installation.

Location and File Name of Microsoft Active Directory

The data of Microsoft Active Directory is stored in the NTDS.DIT ESE (Extensible Storage Engine) database file. On domain server the two copies of NTDS.DIT file are existing on two altered locations:

%SystemRoot%\NTDS\Ntds.dit: This file saves the record of domain controller. It also holds the value and replica of data use in domain controller.

%SystemRoot%\System32\Ntds.dit: When user stimulate a Windows Server 2008 based computer on domain controller then this file is used as a dispersal replica of the default directory.

 

What is NTDS.DIT Analysis?

NTDS.DIT is an acronym for NT Directory Services and DIT stands for Directory Information Tree. NTDS.DIT file is used to store all the database of active directory such as user name, IP address, computers, resources which are part of a network. This Active Directory forensics database file is commonly situated in %Winder%\NTDS\ folder and in the same folder other database recovery files like Edb.log, Edbxxxxx.log, Edb.chk has also existed for spare conditions. NTDS.DIT is a database (ESE- Extensible Storage Engine) file stores crucial evidence that can be used in forensic investigation.

 

Forensic Analysis of NTDS.DIT File

 

ntds.nit-analysis

The data storage physical structure of NTDS.DIT File consists three significant table; Data table, Link table, SD table and its allied log and temporary files.

Data Table: – All the evidence of user database that is used to analyse log Active Directory is available in the data table. The structure of data table can be in the form of rows and columns; in which each row expresses an example of entity and columns shows an attribute in the schema.

Link Table: – Link table is used to signify a linked attribute, that contains values and denote other substances available in the  Microsoft Active Directory analysis. The link table is announced with Windows Server 2003 and the size of it is much smaller as compared to the data table.

SD Table: – The SD table is used to accumulate the safety descriptors for every available entity. SD table is launched with Windows Server 2003 and its later versions. Under the provisions of this updated release, the safety descriptors are now available within primarily defined SD table instead of getting individually postulated. These entities defined inside the SD table remain intactly linked to their respective objects.

EDB.log: – EDB.log files reserve the active directory transactions before submitted to NTDS.DIT database file and the size of this file is 10 MB.

EDB.chk: – This a checkpoint file that retains the track of transactions to analyse log of Active Directory.

EDB0000X.log: – These are the additional transaction log files that are used when the space in the prevailing log file are filled and the size of each file is also10 MB.

How to perform Forensic on user entities to analyse NTDS.DIT File?

During a NTDS.DIT analysis, it is very important for Forensicators to carve out crucial evidence from user account. The below information describes that which type of evidence can be extracted from user account.

Time of last account login

The date and time information of user account is stored in ATTq589876 field. The last activity performed by a user on a domain controller is saved in NTDS. NIT database file. To catch the last login time,  the investigator needs to check all the DCs value because the last login time can be different on another DC (Domain Component).

UserAccountControl Field

UserAccountControl field provisions multiple flags that can be used by the investigator to attain the information about a user account at the time of examination.

Password hashes encryption/decryption

The NTDS.DIT file store the password hashes (LM and NT) of the user entity in encrypted format. To analyse and decrypt the password hashes of user account an investigator needs to follow these steps: –

  • Get the value of encoded LM and NT hash.
  • The secondary level forensics require decoding the Password Encryption Key with bootkey.
  • Then investigator needs to decode the hashes with Password Encryption Key and RC4-layer 2.
  • The last step requires hash decryption DES – layer 3.

During the Microsoft Active Directory forensics analysis, can deleted entities of user account be recovered?

The process to select suspect entities as deleted is called tombstoned. When the suspect deletes their account entities from NTDS.DIT file, then it is not deleted permanently from the database. It will first enthuse to a Deleted object folder. At the time of NTDS.DIT analysis, if an investigator catches the object that is marked with 0x02000000 flag, it means its not deleted. Because computer automatically re-titled it as, on controller domains the default period of tombstone is 60 days.