Evidence: Active Directory Logs
Description: Collect Active Directory Logs
Category: Applications
Platform: windows
Short Name: adl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
The NTDS directory on a domain controller (by default %SystemRoot%\NTDS; the actual paths are recorded under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) holds the Active Directory database, ntds.dit, and the Extensible Storage Engine (ESE) transaction logs written alongside it. ntds.dit is the core directory service database for the domain: user accounts, computer accounts, groups, organizational units and the rest of the domain's structure, together with the password hashes of every account in the domain.
Data Collected
This collector gathers the raw files of the NTDS directory, not a parsed or structured view of their contents (Is Parsed: No, Collect File(s): Yes). What is collected is the database file ntds.dit and the ESE transaction log files next to it; the copies are intended for offline analysis with external tooling rather than for display in the Investigation Hub.
Collection Method
This collector copies files from the Windows NTDS directory of the domain controller, including the Active Directory database (ntds.dit) and its associated ESE transaction logs. Two points matter for anyone acquiring these files. First, on a running domain controller LSASS keeps ntds.dit open, so an ordinary file copy fails with a sharing violation; a consistent copy has to be taken from a Volume Shadow Copy or from a raw read of the NTFS volume. Second, the database is collected as-is: reading its tables, and in particular decrypting the password hashes stored in it, requires the boot key held in the SYSTEM registry hive, so the SYSTEM hive should be acquired in the same session and kept with the NTDS files.
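The following script is an added example of the acquisition described above and is not the collector's own code. It resolves the NTDS paths from the registry, takes a Volume Shadow Copy of each volume involved, copies ntds.dit, the transaction logs and the SYSTEM hive out of the snapshot, hashes each copy for the evidence manifest, and removes the snapshot afterwards. It assumes Windows PowerShell 5.1 or later on the domain controller, an elevated session, and a made-up output path in $Destination; including the SYSTEM hive is this example's choice, since the page does not say whether the collector acquires it.

```powershell
#Requires -RunAsAdministrator
# Added example (not the collector's own code): acquire ntds.dit, its ESE transaction
# logs and the SYSTEM hive from a live DC through a Volume Shadow Copy, because LSASS
# holds ntds.dit open and a plain Copy-Item fails with a sharing violation.
# Assumptions: Windows PowerShell 5.1+, run elevated on the DC; $Destination is made up.
param(
    [string]$Destination = "C:\IR\adl_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
)
$ErrorActionPreference = 'Stop'

# 1. Resolve the NTDS locations from the registry instead of assuming %SystemRoot%\NTDS;
#    both values are set at DC promotion and may point at another volume.
$p       = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $p.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $p.'Database log files path'    # e.g. C:\Windows\NTDS
$sysHive = Join-Path $env:SystemRoot 'System32\config\SYSTEM'   # boot key for offline decryption

$targets = @($dbFile, $sysHive) +
           (Get-ChildItem -Path $logDir -File |
            Where-Object { $_.Extension -in '.log', '.chk', '.jrs' } |
            Select-Object -ExpandProperty FullName)

# 2. One shadow copy per volume involved (normally just C:).
$shadows = @{}
foreach ($vol in ($targets | ForEach-Object { Split-Path $_ -Qualifier } | Sort-Object -Unique)) {
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
                          -Arguments @{ Volume = "$vol\"; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Shadow copy of $vol failed, code $($r.ReturnValue)" }
    $shadows[$vol] = Get-CimInstance Win32_ShadowCopy -Filter "ID='$($r.ShadowID)'"
}

# 3. Copy each file out of the snapshot. The snapshot's device path
#    (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) is not handled by the PowerShell
#    FileSystem provider, so cmd.exe's copy performs the read.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$manifest = foreach ($file in $targets) {
    $vol = Split-Path $file -Qualifier                       # "C:"
    $src = $shadows[$vol].DeviceObject + $file.Substring($vol.Length)
    $dst = Join-Path $Destination (Split-Path $file -Leaf)
    & cmd.exe /c copy /b "$src" "$dst" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Copy of $file from shadow copy failed" }
    [pscustomobject]@{
        Source   = $file
        Acquired = $dst
        Bytes    = (Get-Item $dst).Length
        SHA256   = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
    }
}
$manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize

# 4. Delete the snapshots so they do not remain on the DC as another copy of every hash.
$shadows.Values | ForEach-Object { Remove-CimInstance -InputObject $_ }
```

The output directory now contains credential material for the whole domain, so it should be handled with the same access controls as the domain controller itself; the manifest's SHA256 values are what the chain-of-custody record should carry.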
Forensic Value
Active Directory data is essential for investigating credential theft, privilege escalation, unauthorized access, account manipulation, and domain compromise. The ntds.dit database contains the password hashes of every domain account, which makes it one of the highest-value targets on a Windows network: attackers obtain it with built-in tooling such as ntdsutil, vssadmin or diskshadow snapshots (MITRE ATT&CK T1003.003, OS Credential Dumping: NTDS), so evidence of such access on a domain controller is itself an indicator to look for. The same property applies to the copy made during an investigation: the collected files are credential material, must be stored under strict access control, and should be accompanied by the SYSTEM hive, without which the hashes cannot be decrypted for offline analysis.