Couple of basic (though urgent) questions; how would I know whether Active Directory was used from looking at an image of Windows Server 2008, and if it had where would I find information as to who had logged on the domain and from what device? Thanks.
Does this Windows Server 2008 contain the AD?
If so, did you try the event logs of the domain (AD) server, e.g. especially the security log?
If enabled, it often contains a lot of info about domain log-ons/offs. Or are you looking for information about analysing the AD itself?
If not, did you try the local event logs, cached credentials, date/times of files in the user profiles?
Hi, I've got access to the logs, but my question is more basic than that - how would I quickly check whether it was running AD?
From the top of my head:
An indication could be the presence of the "directory service" event logs.
Or what about the registry information on the service control manager.
The presence of the AD database %SystemRoot%\ntds\NTDS.DIT
Thanks joachimm. I've seen the presence of NTDS.DIT so will investigate further.
No prob. Note that NTDS.DIT is an ESE database.
The last time I checked Encase provides support for AD databases; even the directory hierarchy.
libesedb (and probably EseDbViewer) only provide you low-level info: not the directory hierarchy but the relational database schema.
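The indicators joachimm lists above can be checked in one pass over a read-only mounted image; the following is an added example written for this thread, not code posted by any participant. It looks for the NTDS.DIT and the Directory Service event log from the posts above, plus the SYSVOL folder (my own additional indicator, since every domain controller hosts it), and confirms that the NTDS.DIT really carries the ESE database signature. It assumes the image is mounted at `image_root` with the Windows folder at its top level.

```python
import os
import struct

# Indicators of an AD domain controller on a mounted Windows Server 2008
# system volume, relative to the volume root. The first two come from the
# thread above; SYSVOL is an additional indicator added here as an assumption.
AD_INDICATORS = {
    "ntds_dit": "Windows/NTDS/ntds.dit",
    "ds_eventlog": "Windows/System32/winevt/Logs/Directory Service.evtx",
    "sysvol": "Windows/SYSVOL",
}

# ESE (JET Blue) database files carry the signature 0x89ABCDEF at offset 4,
# right after the 4-byte header checksum.
ESE_SIGNATURE = 0x89ABCDEF


def resolve_ci(root, rel_path):
    """Resolve rel_path under root ignoring case: NTFS images mounted on
    Linux keep the original Windows casing, which may not match ours."""
    current = root
    for part in rel_path.split("/"):
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def is_ese_database(path):
    """True if the file header carries the ESE signature (read-only access)."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(8)
    except OSError:
        return False
    return len(header) == 8 and struct.unpack("<I", header[4:8])[0] == ESE_SIGNATURE


def check_ad_indicators(image_root):
    """Return a dict of which indicators were found, whether the NTDS.DIT is a
    genuine ESE file, and an overall verdict."""
    found = {name: resolve_ci(image_root, rel) is not None
             for name, rel in AD_INDICATORS.items()}
    dit = resolve_ci(image_root, AD_INDICATORS["ntds_dit"])
    found["ntds_dit_is_ese"] = dit is not None and is_ese_database(dit)
    found["likely_domain_controller"] = found["ntds_dit_is_ese"] or (
        found["ds_eventlog"] and found["sysvol"])
    return found
```

A positive `ntds_dit_is_ese` is the strongest single indicator; a stray file named ntds.dit that fails the signature check is reported separately so it is not mistaken for a live directory database.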