NTDS dit

Overview

Evidence: NTDS.dit Description: Collect Active Directory NTDS Database Category: System Platform: windows Short Name: ntdsdit Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

NTDS.dit is the Active Directory database file that stores all Active Directory data including user accounts, passwords, groups, and domain configuration. This file is only present on Windows Domain Controllers.

The database contains password hashes, Kerberos keys, and other critical Active Directory information. Compromise of NTDS.dit is a critical security incident as it contains credentials for all domain accounts.

Data Collected

This collector gathers structured data about ntds.dit.

NTDS.dit Data

Field

Description

Example

Type

File type

NTDSDatabase

Name

File name

ntds.dit

SourcePath

Original file path

C:\Windows\NTDS\ntds.dit

FilePath

Relative path in evidence

Files/ntds.dit

FileSize

File size in bytes

10485760000

Collection Method

This collector collects the Active Directory database from:

C:\Windows\NTDS\ntds.dit

The file is collected using driver or NTFS raw access as it is typically locked by Active Directory services.

Forensic Value

NTDS.dit is critical for Active Directory forensics and compromise assessment. Investigators use this data to extract domain user accounts and groups, recover password hashes for offline cracking, analyze Active Directory configuration, investigate domain compromise, track account modifications, and perform post-breach Active Directory analysis.

PreviousNotepad++ Sessions NextObject Directory

Last updated 15 days ago

Was this helpful?