Active Directory Offline Hash Dump and Forensic Analysis

Disclaimer

The views, opinions and thoughts in this document are the views, opinions and thoughts of the author of the document and do not represent the views, opinions or thoughts of any past or current employer of the author or any other third person. The document is provided 'as is' without warranty of any kind. Use at your own responsibility. The software tools are provided for educational purposes only.

Active Directory Offline Hash Dump and Forensic Analysis
Csaba Barta
July 2011

Table of contents

Active Directory Offline Hash Dump and Forensic Analysis
Table of contents
Introduction
What is
Obtaining and the registry
Structure of
Password hash encryption used in Active Directory
Password Encryption Key
Password Hash Decryption
Decrypting the password hash history
Forensic analysis of user objects stored in
Important fields
Tools developed by the author
Future work

Introduction

The author participated in a project where it was required to extract the password hashes from an offline NTDS.DIT file. After searching the Internet for an available tool, the author found that there was no open source tool. Because of that, the author decided to research the internals of password encryption and storage in Active Directory and to create a tool for the forensic community.

A debt of gratitude is owed to the author's colleague Laszlo Toth http who helped a lot in researching the encryption algorithms used during password storage. Thank you, Laszlo.