I see clear text strings that appear to be computer names in the
NTDS.dit file. However, the Encase v5 script, which pulls out computer
accounts and user accounts, does not display these computer names.
Either these computer names are tombstoned accounts, computer accounts
that Encase doesn't recognize or another type of account. I did post to
the Encase MBs and have not gotten a response.
-Greg
-----Original Message-----
From: David Smith [mailto:nich95ds@gmail.com]
Sent: Friday, July 07, 2006 11:33 AM
To: Greg Kelley; forensics@securityfocus.com
Subject: RE: Reading Active Directory Database
So are you saying that you believe the information is there, but the
EnCase script is not finding it? I don't know of any application like
that offhand. Have you tried checking the Guidance Software message
boards?
-----Original Message-----
From: Greg Kelley [mailto:gkelley@vestigeltd.com]
Sent: Wednesday, July 05, 2006 12:21 PM
To: forensics@securityfocus.com
Subject: Reading Active Directory Database
Has anyone found an application that allows one to read the entire
Active Directory file (NTDS.dit) from a Windows 2000 (or 2003) server? I
know that Encase has a script to perform this function, but I believe it
is missing information in the case I am working on.
Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.9.8/380 - Release Date: 6/30/2006
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.9.9/382 - Release Date: 7/4/2006
