NTDS.dit

Overview

Evidence: NTDS.dit
Description: Collect Active Directory NTDS Database
Category: System
Platform: Windows
Short Name: ntdsdit
Is Parsed: No - Raw ESE database
Sent to Investigation Hub: Yes
Collect File(s): No

Background

NTDS.dit is the Active Directory database file. It holds the entire directory: user and computer accounts, groups, password hashes, Kerberos keys, and domain configuration. The file is only present on Windows Domain Controllers.

The credential material in the database (NT hashes, any legacy LM hashes, password history, and Kerberos keys) is encrypted with the Password Encryption Key (PEK), which is itself protected by the boot key held in the SYSTEM registry hive. Offline extraction therefore needs a copy of the SYSTEM hive from the same domain controller. Compromise of NTDS.dit is a critical security incident because it exposes credentials for every account in the domain, including krbtgt.

Data Collected

Field        Description                 Example
Type         File type                   NTDSDatabase
Name         File name                   ntds.dit
SourcePath   Original file path          C:\Windows\NTDS\ntds.dit
FilePath     Relative path in evidence   Files/ntds.dit
FileSize     File size in bytes          10485760000

Collection Method

This collector collects the Active Directory database from:

  • C:\Windows\NTDS\ntds.dit

This is the default location. The path actually in use is recorded in the DSA Database file value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and may differ on domain controllers that were promoted with a custom database path.

The file is collected using driver or NTFS raw access because it is held open by the Active Directory service (lsass.exe) while the domain controller is running. A copy taken this way is a point-in-time snapshot: transactions still in the ESE log files are not applied, and the database header will normally report a dirty shutdown state. Check the state before parsing and repair the copy with esentutl /p (or replay the logs with esentutl /r if they were collected alongside the database) when the file is not cleanly shut down.

Usage

NTDS.dit is critical for Active Directory forensics and compromise assessment. Investigators use this data to extract domain user accounts and groups, recover password hashes for offline cracking, analyze Active Directory configuration, investigate domain compromise, track account modifications, and perform post-breach Active Directory analysis.

Known Limitations

  • Only present on Domain Controllers

  • Can be very large (multi-GB on large domains)

  • File is held open by the Active Directory service (lsass.exe) while the domain controller is running, so a copy can only be taken with raw access or from a volume snapshot

  • Requires specialized tools to parse (ESE database format), and the SYSTEM hive from the same domain controller to decrypt the stored credentials

  • Contains highly sensitive credential data

Notes

NTDS.dit is one of the most sensitive files in a Windows domain. Offline extraction tools such as Impacket's secretsdump.py (run against the collected database together with the SYSTEM hive) or the DSInternals PowerShell module can recover password hashes and Kerberos keys for every domain account. Treat the evidence as equivalent to the domain's credentials: restrict who can access it, store it encrypted, and keep it out of shared case directories.
