NTDS.dit
Overview
Evidence: NTDS.dit
Description: Collect Active Directory NTDS Database
Category: System
Platform: windows
Short Name: ntdsdit
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
NTDS.dit is the Active Directory database, an Extensible Storage Engine (ESE) file that stores all directory data: user and computer accounts, password hashes, group memberships, and domain configuration. It exists only on Windows Domain Controllers.
The database holds NT password hashes, Kerberos keys, and password history for every domain account. Theft of NTDS.dit is therefore a critical security incident: with it (and the boot key from the SYSTEM registry hive), an attacker can recover credentials for every account in the domain, including krbtgt.
Data Collected
This collector gathers structured data about ntds.dit.
NTDS.dit Data
| Field | Description | Example |
|---|---|---|
| Type | File type | NTDSDatabase |
| Name | File name | ntds.dit |
| SourcePath | Original file path | C:\Windows\NTDS\ntds.dit |
| FilePath | Relative path in evidence | Files/ntds.dit |
| FileSize | File size in bytes | 10485760000 |
Collection Method
This collector collects the Active Directory database from:
C:\Windows\NTDS\ntds.dit
The file is collected using driver or NTFS raw access, because Active Directory Domain Services keeps it open with an exclusive lock while the DC is running. Because the database is attached and in use at the moment it is read, the copy is crash-consistent rather than clean: its ESE header records a Dirty Shutdown state and individual pages may have been mid-write. Before parsing, validate the header and, if needed, repair a working copy (for example with esentutl /p); never repair the evidence copy itself.
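The following is an added example, not part of the collector's own code, showing the triage check described above: it validates the ESE file header at the start of a collected ntds.dit and reports whether the database was cleanly shut down. Field offsets (signature at 4, file type at 12, database state at 52, page size at 236) follow the publicly documented ESE database format as described by the libesedb project; the sample header built by `build_sample_header` is constructed for the demo and is not taken from a real ntds.dit.

```python
"""Sanity-check a collected ntds.dit before handing it to a parser.

Added example, not the collector's code. Offsets follow the public
libesedb description of the ESE database file header (assumed correct);
the sample header below is constructed for the demo.
"""
import struct

ESE_SIGNATURE = 0x89ABCDEF   # stored little-endian at offset 4 (bytes EF CD AB 89)
HEADER_LEN = 240             # covers every field we read (page size sits at 236)
NTDS_PAGE_SIZE = 8192        # Active Directory always uses 8 KB ESE pages

# Database state values (offset 52).  Anything other than CleanShutdown
# means the copy was taken from an attached database and needs esentutl /p
# (on a working copy) before most parsers will accept it.
STATE_NAMES = {
    1: "JustCreated",
    2: "DirtyShutdown",
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}
STATE_CLEAN_SHUTDOWN = 3


def parse_ese_header(data: bytes) -> dict:
    """Return the header fields that matter for triage, or raise ValueError.

    The header page checksum (offset 0) is not verified here; a torn header
    would show up as a bad signature or an implausible page size instead.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("file too short to contain an ESE header")
    _checksum, signature, fmt_version, file_type = struct.unpack_from("<IIII", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError(f"bad ESE signature 0x{signature:08x}; not an ESE database")
    if file_type != 0:  # 0 = database, 1 = streaming file
        raise ValueError(f"ESE file type {file_type} is not a database")
    (state,) = struct.unpack_from("<I", data, 52)
    (page_size,) = struct.unpack_from("<I", data, 236)
    return {
        "format_version": fmt_version,
        "state": STATE_NAMES.get(state, f"Unknown({state})"),
        "page_size": page_size,
        "needs_repair": state != STATE_CLEAN_SHUTDOWN,
        "page_size_ok": page_size == NTDS_PAGE_SIZE,
    }


def is_ese_database(data: bytes) -> bool:
    """True if the bytes start with a well-formed ESE database header."""
    try:
        parse_ese_header(data)
        return True
    except ValueError:
        return False


def triage_file(path: str) -> dict:
    """Read just the header of a collected ntds.dit and summarise it."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_LEN))


def build_sample_header(state: int, page_size: int = NTDS_PAGE_SIZE) -> bytes:
    """Constructed header for the demo (not a real ntds.dit).

    0x620 is the ESE format version commonly seen in Windows databases."""
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<IIII", buf, 0, 0, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    # A raw copy taken from a running DC: expect DirtyShutdown.
    info = parse_ese_header(build_sample_header(2))
    print(info)
    if info["needs_repair"]:
        print("header state is", info["state"], "- repair a working copy with esentutl /p")
    # Usage on a real collection: triage_file(r"Files\ntds.dit")
```

For a real collection, call `triage_file` on the evidence file path; a `needs_repair` result of `True` is the expected outcome for a live-DC acquisition and is not by itself a sign of a bad collection, whereas a signature or page-size failure indicates the wrong file or a corrupted copy.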
Forensic Value
NTDS.dit is central to Active Directory forensics and compromise assessment. Investigators use it to enumerate domain users, computers and group memberships, recover password hashes for offline cracking or for identifying reused and weak credentials, review directory configuration, track account creation and modification via the object metadata it stores, and perform post-breach analysis such as confirming whether the krbtgt secret must be rotated. Note that the hashes inside ntds.dit are encrypted with the Password Encryption Key, which is itself encrypted with the boot key held in the SYSTEM registry hive; collect the SYSTEM hive from the same DC alongside this evidence, since offline extraction tools (for example impacket's secretsdump.py with -ntds and -system) need both.