7/27/2019 Csaba Barta Ntdsforensics
http://slidepdf.com/reader/full/csaba-barta-ntdsforensics 1/18
NTDS.DIT forensic analysis
Csaba Barta
[email protected]@deloittece.com
Experiences
• 2007 - 5 hosts / incident, 200 GB/host (sometimes 1 TB)
• 2010 - 10 hosts / incident, 150-300 GB/host
• 2011 - 15 hosts / incident, min. 300 GB/host
Difficulties – Full HDD encryption
• More and more common
• Primarily for portable devices (laptops)
• Complex, sophisticated solutions
  – E.g.: HDD does not operate after removal
  – Memory snapshot/password required
• More difficult to extract and analyse data
Difficulties – Virtualisation
• Where is the host and the data?
  – Outsourced / hosting / cloud
• How is the data stored?
  – HDD virtualisation solution
    • E.g.: unallocated areas are not saved => smaller image
• Not sure whether the analysis is possible or not
  – Depends on the solution/access provided
How can we keep up with this?
• Community
  – Help each other
• Conferences, contests, individual research
  – To fill the gaps in the knowledge base
NTDS.DIT forensics
NTDS.DIT?
• The central data store of Active Directory
• All the objects accessible through AD are stored in this database
• Very important data and evidence source in case of a computer forensic investigation
How can it be extracted?
• The OS keeps it locked all the time
• The DC cannot be stopped…
  – Online solution is needed
• Basically there are 2 options
  – 3rd party forensic tools
  – Volume Shadow Copy Service (built-in Microsoft solution)
Structure
• NTDS.DIT is a database (ESE – Extensible Storage Engine)
  – Microsoft JET Blue database engine (Exchange)
  – Page size is the only difference (8192 bytes)
• LIBESEDB (Joachim Metz)
  – Exports the tables of the database
NTDSXtract
• No suitable open-source tool for processing the data
  – Only raw data can be extracted (libesedb)
  – Logical connections are not documented
• This framework is developed to fill this gap
• Modular approach
  – Easy to extend (plugins)
  – Easy to understand
• Programming language: Python
Modules – dstimeline
• Extracts timeline information
  – Builds timeline from time information stored in the database
    • Object creation/modification/deletion
    • User login
    • etc…
  – Support for Mactime body format
Time formats
• 4 different time formats are used
  – DB Time (file header)
  – Log time (file header)
  – FileTime (e.g.: last login timestamp)
  – "Truncated" FileTime (e.g.: time of record creation)
• FileTime – (100-nanosecond intervals since 01/01/1601)
• "Truncated" FileTime – (seconds since 01/01/1601)
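The two FileTime variants above, and the mactime body output the dstimeline module produces from them, as an added Python example (this is not NTDSXtract's own code). The conversions and the Sleuth Kit body-format field order are the standard ones; the record dictionaries, attribute values and distinguished names are constructed sample data, and the mapping of attributes to body-format slots (creation -> crtime, change -> mtime, logon -> atime) is this example's own choice.

```python
"""Convert NTDS.DIT time values and emit a mactime body-format timeline.
Added example; not code from NTDSXtract."""
from datetime import datetime, timedelta, timezone
from typing import Optional

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between the Windows epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_SECONDS = 11644473600


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FileTime: 100-nanosecond intervals since 1601-01-01 UTC.
    0 means 'not set' (e.g. an account that has never logged on);
    values too large for a datetime (such as 0x7FFFFFFFFFFFFFFF,
    which Windows uses for 'never') also come back as None."""
    if ft <= 0:
        return None
    try:
        return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None


def truncated_filetime_to_datetime(tft: int) -> Optional[datetime]:
    """'Truncated' FileTime: whole seconds since 1601-01-01 UTC."""
    if tft <= 0:
        return None
    try:
        return WINDOWS_EPOCH + timedelta(seconds=tft)
    except OverflowError:
        return None


def filetime_to_unix(ft: int) -> int:
    """FileTime -> Unix seconds (0 when the value is unset or 'never')."""
    return int((filetime_to_datetime(ft) or WINDOWS_EPOCH).timestamp()) if filetime_to_datetime(ft) else 0


def truncated_filetime_to_unix(tft: int) -> int:
    """Truncated FileTime -> Unix seconds (0 when unset)."""
    return tft - EPOCH_DIFF_SECONDS if tft > 0 else 0


# Constructed sample records, shaped like what a parser would return for two
# user objects: whenCreated/whenChanged as truncated FileTime, lastLogon as FileTime.
SAMPLE_RECORDS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=local",
     "whenCreated": 13222310400,                     # 2020-01-01 00:00:00 UTC
     "whenChanged": 13222396800,                     # 2020-01-02 00:00:00 UTC
     "lastLogon": 132223104000000000 + 36000000000}, # 2020-01-01 01:00:00 UTC
    {"dn": "CN=bob,CN=Users,DC=example,DC=local",
     "whenCreated": 13222310400,
     "whenChanged": 13222310400,
     "lastLogon": 0},                                # never logged on
]


def record_to_body_line(rec: dict) -> str:
    """One Sleuth Kit body-format line (the input mactime expects):
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
    Slot mapping chosen here: lastLogon -> atime, whenChanged -> mtime,
    whenCreated -> crtime; fields without a directory equivalent are 0."""
    atime = filetime_to_unix(rec.get("lastLogon", 0))
    mtime = truncated_filetime_to_unix(rec.get("whenChanged", 0))
    crtime = truncated_filetime_to_unix(rec.get("whenCreated", 0))
    fields = ["0", rec["dn"], "0", "", "0", "0", "0",
              str(atime), str(mtime), "0", str(crtime)]
    return "|".join(fields)


def build_timeline(records) -> list:
    """Body-format lines for every record; feed the output to `mactime -b`."""
    return [record_to_body_line(r) for r in records]


if __name__ == "__main__":
    for line in build_timeline(SAMPLE_RECORDS):
        print(line)
```

The OverflowError branch matters in practice: attributes like accountExpires carry the 'never' sentinel, and a naive epoch arithmetic would turn it into a timestamp in the year 30828 that silently sorts to the end of a timeline instead of being dropped.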
Modules – dsdeletedobjects
• Extracts deleted objects
  – Objects are not deleted immediately (tombstone)
    • Garbage collection runs periodically (default is 12 hours)
  – Only predefined attributes are kept (list can be configured)
    • Other attributes can also be extracted before the tombstone time
      – Carving technique
Modules – dsusers
• Extracts information regarding user objects
  – Time of account creation/modification
  – Time of last login
    • synchronisation
  – Password hash, history dump (based on creddump)
  – Time of last password change
  – Certificates
  – Membership information
  – Supplemental credentials
    • Kerberos keys
    • WDigest
    • Cleartext password
Modules – dsgroups
• Extracts information regarding group objects
  – Time of group creation/modification
  – List of members
    • Link_table
    • Time of membership deletion
    • Primary group? (http://support.microsoft.com/kb/275523)
DEMO
?
Thank you for the attention!