Forensics Tools for AD

Joachim Metz and Csaba Barta have written excellent tools for forensic analysis and offline security assessment of Windows Active Directory.

  • Joachim Metz has written many libraries for handling various file formats with forensic analysis in mind, among them libesedb; his other projects are on SourceForge and Google Code.
  • Csaba Barta uses the libesedb export of the directory service database and has done excellent work parsing that data so that offline queries and exports are possible with his framework ntdsxtract. Here is the excellent white paper about NTDS.DIT.