# NTDS dit

## Overview

**Evidence:** NTDS.dit\
**Description:** Collect Active Directory NTDS Database\
**Category:** System\
**Platform:** windows\
**Short Name:** ntdsdit\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

NTDS.dit is the Active Directory database file that stores all Active Directory data including user accounts, passwords, groups, and domain configuration. This file is only present on Windows Domain Controllers.

The database contains password hashes, Kerberos keys, and other critical Active Directory information. Compromise of NTDS.dit is a critical security incident as it contains credentials for all domain accounts.

## Data Collected

This collector gathers structured data about ntds.dit.

### NTDS.dit Data

| Field        | Description               | Example                  |
| ------------ | ------------------------- | ------------------------ |
| `Type`       | File type                 | NTDSDatabase             |
| `Name`       | File name                 | ntds.dit                 |
| `SourcePath` | Original file path        | C:\Windows\NTDS\ntds.dit |
| `FilePath`   | Relative path in evidence | Files/ntds.dit           |
| `FileSize`   | File size in bytes        | 10485760000              |

## Collection Method

This collector collects the Active Directory database from:

* `C:\Windows\NTDS\ntds.dit`

The file is collected using driver or NTFS raw access as it is typically locked by Active Directory services.

## Forensic Value

NTDS.dit is critical for Active Directory forensics and compromise assessment. Investigators use this data to extract domain user accounts and groups, recover password hashes for offline cracking, analyze Active Directory configuration, investigate domain compromise, track account modifications, and perform post-breach Active Directory analysis.