Upload: yordan-yankov

Post on 14-Apr-2018


Page 1: Csaba Barta Ntdsforensics

7/27/2019 Csaba Barta Ntdsforensics

http://slidepdf.com/reader/full/csaba-barta-ntdsforensics 1/18

NTDS.DIT forensic analysis

Csaba Barta

[email protected]@deloittece.com

Page 2: Csaba Barta Ntdsforensics


Experiences

• 2007 - 5 hosts / incident, 200 GB/host (sometimes 1 TB)
• 2010 - 10 hosts / incident, 150-300 GB/host
• 2011 - 15 hosts / incident, min. 300 GB/host

Page 3: Csaba Barta Ntdsforensics


Difficulties – Full HDD encryption

• More and more common
• Primarily for portable devices (laptops)
• Complex, sophisticated solutions
  – E.g.: HDD does not operate after removal

Memory snapshot/password required
More difficult to extract and analyse data

Page 4: Csaba Barta Ntdsforensics


Difficulties – Virtualisation

• Where is the host and the data?
  – Outsource / hosting / cloud
• How is the data stored?
  – HDD virtualisation solution
    • E.g.: unallocated areas are not saved => smaller image

Not sure whether the analysis is possible or not
Depends on the solution/access provided

Page 5: Csaba Barta Ntdsforensics


How can we keep up with this?

• Community
  – Help each other
• Conferences, contests, individual research
  – To fill the gaps in the knowledge base

Page 6: Csaba Barta Ntdsforensics


NTDS.DIT forensics

Page 7: Csaba Barta Ntdsforensics


NTDS.DIT?

• The central data store of Active Directory
• All the objects accessible through AD are stored in this database

Very important data and evidence source in case of a computer forensic investigation

Page 8: Csaba Barta Ntdsforensics


How can it be extracted?

• The OS keeps it locked all the time
• The DC cannot be stopped…
  – Online solution is needed

Basically there are 2 options
• 3rd party forensic tools
• Volume Shadow Copy Service (built-in Microsoft solution)

Page 9: Csaba Barta Ntdsforensics


Structure

• NTDS.DIT is a database (ESE – Extensible Storage Engine)
  – Microsoft JET Blue database engine (Exchange)
  – Page size is the only difference (8192 bytes)
• LIBESEDB (Joachim Metz)
  – Exports the tables of the database

Page 10: Csaba Barta Ntdsforensics


NTDSXtract

• No suitable open-source tool for processing the data
  – Only raw data can be extracted (libesedb)
  – Logical connections are not documented
• This framework is developed to fill this gap
• Modular approach
  – Easy to extend (plugins)
  – Easy to understand
• Programming language: Python

Page 11: Csaba Barta Ntdsforensics


Modules – dstimeline

• Extracts timeline information
  – Builds timeline from time information stored in the database
    • Object creation/modification/deletion
    • User login
    • etc…
  – Support for Mactime body format

Page 12: Csaba Barta Ntdsforensics


Time formats

• 4 different time formats are used
  – DB Time (file header)
  – Log time (file header)
  – FileTime (e.g.: last login timestamp)
  – "Truncated" FileTime (e.g.: time of record creation)
• FileTime – 100-nanosecond intervals since 01/01/1601
• "Truncated" FileTime – seconds since 01/01/1601
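The two record-level formats from this slide, FileTime and "truncated" FileTime, converted into UTC datetimes and then into the Mactime body format that the dstimeline module supports. This is an added example written for this transcript, not code from the slides or from NTDSXtract; the sample record, the attribute-to-body-field mapping and the "never" sentinel handling are assumptions.

```python
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # assumed sentinel for "never" (e.g. accountExpires)


def filetime_to_datetime(ft):
    """FileTime: 100-nanosecond intervals since 1601-01-01 UTC.
    0 and 0x7FFFFFFFFFFFFFFF are treated as "never" and returned as None."""
    if ft in (0, FILETIME_NEVER):
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def truncated_filetime_to_datetime(tft):
    """'Truncated' FileTime: whole seconds since 1601-01-01 UTC (0 = unset)."""
    if tft == 0:
        return None
    return WINDOWS_EPOCH + timedelta(seconds=tft)


def to_unix(dt):
    """Unix epoch seconds, the unit a Mactime body file expects; 0 = unknown."""
    return 0 if dt is None else int(dt.timestamp())


def body_line(name, created_tft, modified_tft, last_logon_ft):
    """One Mactime body line: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    Mapping chosen here (an assumption): last logon -> atime, last modification
    -> mtime and ctime, record creation -> crtime. File-only fields are 0."""
    atime = to_unix(filetime_to_datetime(last_logon_ft))
    mtime = to_unix(truncated_filetime_to_datetime(modified_tft))
    crtime = to_unix(truncated_filetime_to_datetime(created_tft))
    return "0|%s|0|0|0|0|0|%d|%d|%d|%d" % (name, atime, mtime, mtime, crtime)


# Constructed sample record (not real data): creation and modification stored as
# truncated FileTime, last logon as full FileTime, as the slide describes.
SAMPLE = {
    "name": "[NTDS] CN=jdoe,CN=Users,DC=example,DC=local",
    "created": 12888331200,            # 2009-06-01 12:00:00 UTC
    "modified": 12944653200,           # 2011-03-15 09:00:00 UTC
    "last_logon": 129446568000000000,  # 2011-03-15 10:00:00 UTC
}

if __name__ == "__main__":
    print(body_line(SAMPLE["name"], SAMPLE["created"],
                    SAMPLE["modified"], SAMPLE["last_logon"]))
```

A quick magnitude check tells the formats apart in practice: a present-day FileTime is around 1.3e17, a truncated FileTime around 1.3e10, so a value decoded with the wrong function lands centuries off.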

Page 13: Csaba Barta Ntdsforensics


Modules – dsdeletedobjects

• Extracts deleted objects
  – Objects are not immediately deleted (tombstone)
    • Garbage collection on a timely basis (default is 12 hours)
  – Only predefined attributes are kept (list can be configured)
    • Other attributes can also be extracted before the tombstone time
      – Carving technique

Page 14: Csaba Barta Ntdsforensics


Modules – dsusers

• Extracts information regarding user objects
  – Time of account creation/modification
  – Time of last login
    • synchronisation
  – Password hash, history dump (based on creddump)
    • Time of last password change
  – Certificates
  – Membership information
  – Supplemental credentials
    • Kerberos keys
    • WDigest
    • Cleartext password

Page 15: Csaba Barta Ntdsforensics


Modules – dsgroups

• Extracts information regarding group objects
  – Time of group creation/modification
  – List of members
    • Link_table
    • Time of membership deletion
    • Primary group? (http://support.microsoft.com/kb/275523)

Page 16: Csaba Barta Ntdsforensics


DEMO

Page 17: Csaba Barta Ntdsforensics


?

Page 18: Csaba Barta Ntdsforensics


Thank you for the attention!

[email protected]

[email protected]