# Active Directory Logs

## Overview

**Evidence:** Active Directory Logs\
**Description:** Collect Active Directory Logs\
**Category:** Applications\
**Platform:** windows\
**Short Name:** adl\
**Is Parsed:** No\
**Sent to Investigation Hub:** No\
**Collect File(s):** Yes

## Background

The Active Directory NTDS directory contains the AD database and its transaction logs. This is the core directory service database, storing user accounts, groups, computers, and the organizational structure of a Windows domain.

## Data Collected

This collector gathers structured data about Active Directory logs.

## Collection Method

This collector gathers files from the Windows NTDS directory, including the Active Directory database (ntds.dit) and associated transaction logs.
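The collection method above, as an added PowerShell example (not the collector's own code): it resolves the database and log directories from the NTDS service parameters in the registry rather than assuming `%SystemRoot%\NTDS`, and records an inventory (path, size, last write time, SHA-256) of the files the collector targets. It assumes an elevated session on a domain controller; the function name and output path are illustrative choices.

```powershell
# Added example: inventory the NTDS database and transaction-log files.
# Assumes an elevated session on a domain controller (hypothetical helper name).
function Get-NtdsInventory {
    param([string]$OutCsv = "$env:TEMP\ntds-inventory.csv")

    # The DC records where ntds.dit and its ESE logs live; do not assume the default path.
    $params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile  = (Get-ItemProperty -Path $params -Name 'DSA Database file').'DSA Database file'
    $logPath = (Get-ItemProperty -Path $params -Name 'Database log files path').'Database log files path'

    # ESE transaction logs (edb*.log), checkpoint (edb.chk) and reserve logs (*.jrs).
    $logFiles = Get-ChildItem -Path $logPath -File |
        Where-Object { $_.Name -like 'edb*.log' -or $_.Name -eq 'edb.chk' -or $_.Name -like '*.jrs' }

    $inventory = foreach ($f in @(Get-Item -Path $dbFile) + @($logFiles)) {
        # The live ntds.dit is held open by LSASS, so hashing it fails while AD DS runs;
        # a collector that needs the file itself must work from a volume shadow copy or
        # an offline image. Record the failure instead of silently dropping the row.
        $hash = try {
            (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            'UNREADABLE (file locked)'
        }
        [PSCustomObject]@{
            Path         = $f.FullName
            SizeBytes    = $f.Length
            LastWriteUtc = $f.LastWriteTimeUtc.ToString('o')
            Sha256       = $hash
        }
    }

    # Persist the inventory alongside the collection for chain-of-custody purposes.
    $inventory | Export-Csv -Path $OutCsv -NoTypeInformation
    return $inventory
}

Get-NtdsInventory | Format-Table -AutoSize
```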

## Forensic Value

Active Directory data is essential for investigating credential theft, privilege escalation, unauthorized access, account manipulation, and domain compromise. The NTDS.dit database contains password hashes and is a high-value target for attackers.
