
Where is "Active Directory Information Extractor"?

5 Posts
3 Users
0 Likes
727 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

My friend showed me a screenshot (link below) yesterday. The name of this document is "EnCase Forensic Features and Functionality". She asked me why some feature is missing in her EnCase Forensic software???

http://www.cnblogs.com/pieces0310/p/5616190.html

Then she showed me what's missing in her EnCase. She said to me that's it: "Active Directory Information Extractor". It's very interesting. I've been using EnCase for such a very long time and I've never seen this feature before.

I conducted an investigation on it and it seems that it's an EnScript, described as below:

This EnScript is designed to extract the Username (both Display Name and Login Name), the SID, the Home directory, the Email address of each User and the Last Login, Last Failed Login, and Next Password Change dates for each account. Existing Group Names are also located and presented.

Now my question is where to get this EnScript and what versions of Windows Server it supports. I'd appreciate your providing me any info you have. Thanks.

 
Posted : 25/06/2016 10:06 am
(@jerryw)
Posts: 56
Trusted Member
 

In version 6 go to EnScripts > Forensic > Case Processor and it's within one of the first few categories.

We found it and tried it today but unfortunately didn't get anything of use back. That may be due to looking at a newer version of Server.

Hope that helps you find it anyway.

 
Posted : 01/07/2016 8:43 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Thank you JerryW. Some said that the EnScript "Active Directory Information Extractor" could not support Windows Server 2003 or above.

So I have to seek another solution to extract Active Directory data (such as domain user accounts) from evidence files acquired from a Domain Controller running Windows Server 2012.

 
Posted : 02/07/2016 11:44 am
(@bithead)
Posts: 1206
Noble Member
 

PowerShell is your friend. Virtualize the environment and go crazy. Here is an example: Export list of AD users to CSV

There are also many articles around that describe analysis of ntds.dit; HERE is an example.

 
Posted : 05/07/2016 9:10 am
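An added example (not code from any post in this thread) of the PowerShell approach Bithead suggests: run on the booted or virtualized domain controller, it exports the same fields the "Active Directory Information Extractor" EnScript collects (display name, login name, SID, home directory, email, last logon, last failed logon, next password change) plus the group names. It assumes the ActiveDirectory module is available; the output path is a hypothetical placeholder.

```powershell
# Added example, not from this thread. Requires the ActiveDirectory module
# (RSAT or a domain controller). Output path is a hypothetical placeholder.
Import-Module ActiveDirectory

$OutFile = 'C:\Cases\CASE-PLACEHOLDER\ad_users.csv'   # hypothetical path

# msDS-UserPasswordExpiryTimeComputed is a FILETIME (Int64). The values 0 and
# 0x7FFFFFFFFFFFFFFF both mean "password never expires", which FromFileTime
# cannot represent, so handle them before converting.
function Convert-PasswordExpiry {
    param([Int64]$FileTime)
    if ($FileTime -le 0 -or $FileTime -eq 0x7FFFFFFFFFFFFFFF) { return 'Never' }
    return [DateTime]::FromFileTime($FileTime)
}

# Attributes matching what the EnScript reports for each account.
$props = 'DisplayName', 'SamAccountName', 'SID', 'HomeDirectory', 'EmailAddress',
         'LastLogonDate', 'LastBadPasswordAttempt', 'PasswordLastSet',
         'msDS-UserPasswordExpiryTimeComputed'

Get-ADUser -Filter * -Properties $props |
    Select-Object DisplayName,
        @{ n = 'LoginName';          e = { $_.SamAccountName } },
        @{ n = 'SID';                e = { $_.SID.Value } },
        HomeDirectory,
        EmailAddress,
        @{ n = 'LastLogin';          e = { $_.LastLogonDate } },
        @{ n = 'LastFailedLogin';    e = { $_.LastBadPasswordAttempt } },
        PasswordLastSet,
        @{ n = 'NextPasswordChange'; e = {
            Convert-PasswordExpiry $_.'msDS-UserPasswordExpiryTimeComputed' } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Existing group names, which the EnScript also lists.
Get-ADGroup -Filter * |
    Select-Object Name, GroupScope, GroupCategory, SID |
    Export-Csv -Path ($OutFile -replace 'ad_users', 'ad_groups') -NoTypeInformation -Encoding UTF8
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the true last logon by up to 14 days, so for a precise timeline query the non-replicated lastLogon attribute on each domain controller.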
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Thank you Bithead. But a PowerShell script has to run on a live system, right? I have to boot up that Windows server and execute the PowerShell script. Of course it's an alternative solution. Still, the best solution to me is to extract AD info from a static evidence file.

 
Posted : 09/07/2016 7:25 am