Experiences
2007 - 5 hosts / incident, 200 GB/host (sometimes 1 TB)
2010 - 10 hosts / incident, 150-300 GB/host
2011 - 15 hosts / incident, min. 300 GB/host
Difficulties - Virtualisation
Where is the host and the data?
Outsource / hosting / cloud
Not sure in advance whether analysis is possible at all
Depends on the solution and the access provided
NTDS.DIT forensics
NTDS.DIT?
The central data store of Active Directory
All the objects accessible through AD are stored in this database
Very important data and evidence source in a computer forensic investigation
Structure
NTDS.DIT is a database (ESE Extensible Storage Engine)
Same Microsoft JET Blue database engine as Exchange
Page size is the only difference (8192 bytes)
NTDSXtract
No suitable open-source tool for processing the data
Only raw data can be extracted (libesedb)
Logical connections between tables and records are not documented
Modules - dstimeline
Extracts timeline information
Builds timeline from time information stored in the database
Object creation/modification/deletion
User login etc.
Timeformats
4 different time formats are used:
DB Time (file header)
Log time (file header)
FileTime (e.g.: last login timestamp)
Truncated FileTime (e.g.: time of record creation)
FileTime: 100-nanosecond intervals since 01/01/1601
Truncated FileTime: seconds since 01/01/1601
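As an added example (not part of the original slides or of NTDSXtract), the following Python decodes the two record-level formats named above, FileTime (100-nanosecond intervals since 1601-01-01 UTC) and truncated FileTime (whole seconds since 1601-01-01 UTC), and then merges decoded values into a single sorted timeline the way the dstimeline module is described as doing. The sample records are constructed stand-ins for values read out of NTDS.DIT; the object names, event labels and the rule that a zero FileTime means "never" (the usual AD convention for attributes such as last logon) are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Both record-level formats count from the Windows FILETIME epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Decode a FILETIME: 100-ns intervals since 1601-01-01 UTC.

    Returns None for 0, which AD uses for 'never' (assumption documented
    in the lead-in).  Integer division keeps microsecond precision;
    the remaining sub-microsecond part is dropped.
    """
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def truncated_filetime_to_datetime(value):
    """Decode a truncated FILETIME: whole seconds since 1601-01-01 UTC."""
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(seconds=value)


DECODERS = {
    "filetime": filetime_to_datetime,
    "truncated": truncated_filetime_to_datetime,
}

# Constructed sample records (hypothetical objects, not real directory data).
# 12944473600 s after 1601 == 2011-03-13 07:06:40 UTC.
SAMPLE_RECORDS = [
    {"object": "CN=jdoe,CN=Users,DC=example,DC=local",
     "event": "record created", "fmt": "truncated", "value": 12944473600},
    {"object": "CN=jdoe,CN=Users,DC=example,DC=local",
     "event": "last login", "fmt": "filetime", "value": 129444772000000000},
    {"object": "CN=Admins,CN=Users,DC=example,DC=local",
     "event": "record created", "fmt": "truncated", "value": 12944470000},
    {"object": "CN=ghost,CN=Users,DC=example,DC=local",
     "event": "last login", "fmt": "filetime", "value": 0},  # never logged in
]


def build_timeline(records):
    """Decode every record's timestamp and return (iso_time, object, event)
    tuples sorted chronologically.  Records with no usable time are skipped."""
    events = []
    for rec in records:
        decoder = DECODERS.get(rec["fmt"])
        if decoder is None:
            raise ValueError("unknown time format: %r" % rec["fmt"])
        ts = decoder(rec["value"])
        if ts is None:
            continue
        events.append((ts.isoformat(), rec["object"], rec["event"]))
    events.sort()
    return events


if __name__ == "__main__":
    for when, obj, event in build_timeline(SAMPLE_RECORDS):
        print(when, event, obj)
```

Both decoders work in UTC; converting to the domain's local zone is a presentation step left to the analyst, since NTDS.DIT stores the raw counters.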
Modules - dsdeletedobjects
Extracts deleted objects
Objects are not deleted immediately; they become tombstones first
Garbage collection runs on a schedule (default interval is 12 hours)
Only a predefined set of attributes is kept on a tombstone (the list can be configured)
Modules - dsusers
Extracts information regarding user objects
Time of account creation/modification
Time of last login
synchronisation
Modules - dsgroups
Extracts information regarding group objects
Time of group creation/modification
List of members
Link_table
Time of membership deletion
Primary group? (http://support.microsoft.com/kb/275523)
DEMO