
NTDS.DIT forensic analysis


Csaba Barta csaba.barta@gmail.com cbarta@deloittece.com

Experiences
2007: 5 hosts / incident, 200 GB/host (sometimes 1 TB)
2010: 10 hosts / incident, 150-300 GB/host
2011: 15 hosts / incident, min. 300 GB/host

Difficulties - Full HDD encryption
More and more common, primarily on portable devices (laptops)
Complex, sophisticated solutions; e.g.: the HDD does not operate once removed from the machine
A memory snapshot or the password is required
More difficult to extract and analyse the data

Difficulties - Virtualisation
Where are the host and the data? Outsourced / hosting / cloud
How is the data stored?
HDD virtualisation solutions; e.g.: unallocated areas are not saved => a smaller image, but nothing left to carve from unallocated space
Not sure whether the analysis is possible or not; it depends on the solution and on the access provided

How can we keep up with this?
Community: help each other
Conferences, contests, individual research
To fill the gaps in the knowledge base

NTDS.DIT forensics

NTDS.DIT?
The central data store of Active Directory
All objects accessible through AD are stored in this database
A very important data and evidence source in a computer forensic investigation

How can it be extracted?
The OS keeps the file locked all the time, and the DC cannot be stopped
An online solution is needed; basically there are 2 options:
3rd party forensic tools
Volume Shadow Copy Service (built-in Microsoft solution)
Whichever option is used, collect the SYSTEM registry hive as well: the password hashes in NTDS.DIT are encrypted with a key (PEK) that is itself protected by the boot key stored in SYSTEM, so hash extraction needs both files

Structure
NTDS.DIT is a database (ESE, Extensible Storage Engine)
Same Microsoft JET Blue database engine as Exchange; the page size is the only difference (8192 bytes for NTDS.DIT)

LIBESEDB (Joachim Metz)
Exports the tables of the database

NTDSXtract
There was no suitable open-source tool for processing the data
Only raw data can be extracted (libesedb); the logical connections between the tables are not documented
This framework was developed to fill that gap
Modular approach: easy to extend (plugins), easy to understand
Programming language: Python

Modules - dstimeline
Extracts timeline information
Builds a timeline from the time information stored in the database: object creation/modification/deletion, user login, etc.
Support for the mactime body format

Timeformats
4 different time formats are used
DB time (file header)
Log time (file header)
FileTime (e.g.: last login timestamp): 100-nanosecond intervals since 01/01/1601
Truncated FileTime (e.g.: time of record creation): seconds since 01/01/1601
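The two record-level formats above, decoded and pushed into a mactime body line the way a dstimeline-style module would. This is an added example written for this page, not NTDSXtract's code: the mapping of AD attributes onto the four body timestamps and the sample record are this example's own choices, and the "never" sentinels (0 and 0x7FFFFFFFFFFFFFFF) are deliberately filtered so they do not surface as 1601 or year-30828 events in the timeline.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Both AD time formats count from the Windows epoch, 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Sentinels AD uses for "never"/"not set": 0 decodes to 1601-01-01 and
# 0x7FFFFFFFFFFFFFFF (accountExpires "never") to the year 30828. Neither is an event.
NEVER = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FileTime: 100-nanosecond intervals since the Windows epoch (e.g. lastLogon)."""
    if ft in NEVER:
        return None
    # ft // 10 turns 100 ns ticks into microseconds, the finest unit datetime holds
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def truncated_filetime_to_datetime(ts: int) -> Optional[datetime]:
    """Truncated FileTime: whole seconds since the Windows epoch (e.g. record creation)."""
    if ts in NEVER:
        return None
    return WINDOWS_EPOCH + timedelta(seconds=ts)


def to_unix(dt: Optional[datetime]) -> int:
    """The body format carries Unix epoch seconds; 0 means 'no timestamp'."""
    if dt is None or dt < UNIX_EPOCH:
        return 0
    return int((dt - UNIX_EPOCH).total_seconds())


def mactime_body_line(name: str, atime=None, mtime=None, ctime=None, crtime=None) -> str:
    """One line of the Sleuth Kit body format consumed by mactime:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    Fields that have no meaning for a directory object are left at 0."""
    return "0|{}|0|0|0|0|0|{}|{}|{}|{}".format(
        name, to_unix(atime), to_unix(mtime), to_unix(ctime), to_unix(crtime)
    )


def user_body_line(record: dict) -> str:
    """Map one user record onto the four body timestamps.
    This mapping is the example's own assumption, not dstimeline's:
      atime  <- lastLogon    (FileTime)
      mtime  <- whenChanged  (truncated FileTime)
      ctime  <- pwdLastSet   (FileTime)
      crtime <- whenCreated  (truncated FileTime)"""
    label = "{} (user {})".format(record["distinguishedName"], record["sAMAccountName"])
    return mactime_body_line(
        label,
        atime=filetime_to_datetime(record["lastLogon"]),
        mtime=truncated_filetime_to_datetime(record["whenChanged"]),
        ctime=filetime_to_datetime(record["pwdLastSet"]),
        crtime=truncated_filetime_to_datetime(record["whenCreated"]),
    )


# Constructed sample record holding the raw integers as they sit in the DIT.
SAMPLE_USER = {
    "distinguishedName": "CN=jdoe,CN=Users,DC=example,DC=local",
    "sAMAccountName": "jdoe",
    "whenCreated": 13064544000,            # 2015-01-01 00:00:00 UTC (seconds since 1601)
    "whenChanged": 13222224000,            # 2019-12-31 00:00:00 UTC (seconds since 1601)
    "pwdLastSet": 131592384000000000,      # 2018-01-01 00:00:00 UTC (FileTime)
    "lastLogon": 132223104000000000,       # 2020-01-01 00:00:00 UTC (FileTime)
    "accountExpires": 0x7FFFFFFFFFFFFFFF,  # "never": must not become a timeline event
}

if __name__ == "__main__":
    print(user_body_line(SAMPLE_USER))
    print(filetime_to_datetime(SAMPLE_USER["accountExpires"]))
```

Feed the printed lines to `mactime -b body.txt -d` next to the filesystem body of the same DC image and the AD events line up with file activity on one timeline; the sentinel filter is what keeps every never-logged-on account from stacking up at 1970 (or 1601) in the output.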

Modules - dsdeletedobjects
Extracts deleted objects
Objects are not deleted immediately; they are turned into tombstones
Garbage collection runs periodically (default is every 12 hours) and removes tombstones that have outlived the tombstone lifetime
Only predefined attributes are kept on a tombstone (the list can be configured)
Values of the other attributes can often still be recovered before their space in the database file is reused, with a carving technique

Modules - dsusers
Extracts information regarding user objects
Time of account creation/modification
Time of last login (mind the synchronisation issue: lastLogon is written only on the authenticating DC and is not replicated, while lastLogonTimestamp is replicated but refreshed only about every 14 days)
Time of last password change
Password hash and password history dump (based on creddump)
Certificates
Membership information
Supplemental credentials: Kerberos keys, WDigest hashes, cleartext password (present only for accounts that store the password with reversible encryption)
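The last-login caveat above, worked through on the same user as seen in NTDS.DIT copies from two domain controllers, plus the check that decides whether a cleartext password can be present in supplementalCredentials at all. This is an added example for this page, not dsusers' code; the two-DC sample and the 14-day default for msDS-LogonTimeSyncInterval are constructed/assumed inputs, the userAccountControl bit value is the documented one.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bit "store password using reversible encryption"; only accounts
# with it set can carry a Primary:CLEARTEXT entry in supplementalCredentials.
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80

# lastLogonTimestamp is refreshed at logon only when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default), so it trails the real last logon
# by up to that interval. Assumed default; read the real value from the domain NC.
DEFAULT_LOGON_TIME_SYNC_INTERVAL = timedelta(days=14)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FileTime (100 ns since 1601-01-01 UTC); 0 and 0x7FFFFFFFFFFFFFFF mean 'never'."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def reconcile_last_logon(copies: Dict[str, dict]) -> dict:
    """copies maps a DC name to that DC's record of one and the same user.

    lastLogon is written only on the DC that authenticated the user and is never
    replicated, so every NTDS.DIT copy has its own value and the latest one is the
    real last logon. lastLogonTimestamp is replicated (identical in each copy) and
    is only a lower bound."""
    per_dc = {dc: filetime_to_datetime(rec["lastLogon"]) for dc, rec in copies.items()}
    seen = {dc: t for dc, t in per_dc.items() if t is not None}
    if not seen:
        return {"last_logon": None, "authenticating_dc": None,
                "replicated_lower_bound": None, "lag": None, "suspicious": False}
    dc, last = max(seen.items(), key=lambda kv: kv[1])
    replicated = filetime_to_datetime(next(iter(copies.values()))["lastLogonTimestamp"])
    lag = (last - replicated) if replicated is not None else None
    return {
        "last_logon": last,
        "authenticating_dc": dc,
        "replicated_lower_bound": replicated,
        "lag": lag,
        # with converged replication the lag cannot exceed the sync interval;
        # a larger gap means an out-of-date copy or a value worth a closer look
        "suspicious": lag is not None and lag > DEFAULT_LOGON_TIME_SYNC_INTERVAL,
    }


def cleartext_possible(record: dict) -> bool:
    """Whether supplementalCredentials of this account may hold the cleartext password."""
    return bool(record["userAccountControl"] & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)


# Constructed sample: the same user in NTDS.DIT copies extracted from two DCs.
SAMPLE_COPIES = {
    "DC1": {"lastLogon": 132230880000000000,           # 2020-01-10 00:00:00 UTC
            "lastLogonTimestamp": 132221376000000000,  # 2019-12-30 00:00:00 UTC
            "userAccountControl": 0x200},              # NORMAL_ACCOUNT only
    "DC2": {"lastLogon": 132224832000000000,           # 2020-01-03 00:00:00 UTC
            "lastLogonTimestamp": 132221376000000000,  # replicated, so identical
            "userAccountControl": 0x200},
}

if __name__ == "__main__":
    result = reconcile_last_logon(SAMPLE_COPIES)
    print(result["authenticating_dc"], result["last_logon"], "lag:", result["lag"])
    print("cleartext possible:", cleartext_possible(SAMPLE_COPIES["DC1"]))
```

With a single DC image only that DC's lastLogon is available, so the result is a lower bound too; the replicated lastLogonTimestamp then tells you how far the true value might sit beyond it.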

Modules - dsgroups
Extracts information regarding group objects
Time of group creation/modification
List of members (from the link_table), time of membership deletion
Primary group? A user's primary group membership is not recorded in the group's member attribute but in the user's primaryGroupID (http://support.microsoft.com/kb/275523)
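Merging the two membership sources the slide names, the link table and primaryGroupID, on constructed data. This is an added example for this page, not dsgroups' code: the link table is flattened to (group, member, deletion time) tuples and the users, groups and deletion times are all made up. The svc_backup account shows why the merge matters: its primaryGroupID was switched to 512, which drops the explicit Domain Admins link yet keeps the account a Domain Admin.

```python
from typing import Dict, List, Tuple

# Constructed sample, flattened from what the DIT holds: the datatable gives each
# object its objectSid / primaryGroupID, the link_table gives group -> member links.
GROUPS: Dict[str, dict] = {
    "CN=Domain Admins,CN=Users,DC=example,DC=local": {"objectSid": "S-1-5-21-1-2-3-512"},
    "CN=Domain Users,CN=Users,DC=example,DC=local": {"objectSid": "S-1-5-21-1-2-3-513"},
}
USERS: Dict[str, dict] = {
    "CN=Administrator,CN=Users,DC=example,DC=local": {"objectSid": "S-1-5-21-1-2-3-500", "primaryGroupID": 513},
    "CN=jdoe,CN=Users,DC=example,DC=local": {"objectSid": "S-1-5-21-1-2-3-1105", "primaryGroupID": 513},
    # primaryGroupID set to 512: a Domain Admin that the member attribute never lists
    "CN=svc_backup,CN=Users,DC=example,DC=local": {"objectSid": "S-1-5-21-1-2-3-1106", "primaryGroupID": 512},
}
# (group DN, member DN, link deletion time). 0 = link still active; a non-zero value
# is the FileTime at which the membership was removed (decode it as in dstimeline).
LINKS: List[Tuple[str, str, int]] = [
    ("CN=Domain Admins,CN=Users,DC=example,DC=local", "CN=Administrator,CN=Users,DC=example,DC=local", 0),
    ("CN=Domain Admins,CN=Users,DC=example,DC=local", "CN=jdoe,CN=Users,DC=example,DC=local", 132221376000000000),
    # explicit link dropped when svc_backup's primary group became Domain Admins
    ("CN=Domain Admins,CN=Users,DC=example,DC=local", "CN=svc_backup,CN=Users,DC=example,DC=local", 132224832000000000),
    # the former primary group (Domain Users) stays as an explicit membership
    ("CN=Domain Users,CN=Users,DC=example,DC=local", "CN=svc_backup,CN=Users,DC=example,DC=local", 0),
]


def rid(sid: str) -> int:
    """Relative identifier: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def effective_members(group_dn: str, groups: Dict[str, dict], users: Dict[str, dict],
                      links: List[Tuple[str, str, int]]) -> dict:
    """Reconstruct who is in a group at the time of the image.

    The link table only carries explicit 'member' links. Users whose primaryGroupID
    equals the group's RID are members as well but never appear in member
    (KB 275523), so the two sources have to be merged."""
    group_rid = rid(groups[group_dn]["objectSid"])
    explicit = {m for g, m, deltime in links if g == group_dn and deltime == 0}
    removed = {m: deltime for g, m, deltime in links if g == group_dn and deltime != 0}
    via_primary = {dn for dn, u in users.items() if u["primaryGroupID"] == group_rid}
    return {
        "explicit": explicit,
        "via_primary_group": via_primary - explicit,
        "removed": removed,               # former explicit members and when the link went
        "all": explicit | via_primary,    # what the group really grants right now
    }


if __name__ == "__main__":
    for dn in GROUPS:
        info = effective_members(dn, GROUPS, USERS, LINKS)
        print(dn)
        for key in ("explicit", "via_primary_group", "removed"):
            print("  {:18} {}".format(key, sorted(info[key])))
```

A Domain Admins listing built from the member attribute alone would show Administrator only; the merged view also surfaces svc_backup, and the removed links give the time the explicit jdoe and svc_backup memberships disappeared.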

DEMO

Thank you for the attention!


csaba.barta@gmail.com cbarta@deloittece.com
