Digital Forensics: Active Directory Ntds.dit
- Talfor

- Jul 24
The Ntds.dit file is an Active Directory database that maintains information about user objects, groups, and group membership. It contains the password hashes for all domain users. All data in Active Directory is stored in the file ntds.dit (by default located in C:\Windows\NTDS) on every domain controller.
ntdsxtract is a framework for extracting forensically important information from the main database of Microsoft Active Directory (NTDS.DIT). Search for "ntdsxtract" to find the tool.
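A pre-parsing check an examiner might run on an acquired copy of ntds.dit before handing it to an extraction tool, added here as an example; it is not from the original post or from ntdsxtract. It assumes the publicly documented ESE database header layout, which the post does not cover, and the function names and sample header are constructed for illustration.

```python
import hashlib
import struct

# ESE header layout (little-endian uint32 fields). Assumption: offsets follow
# the publicly documented ESE database format; the post does not state them.
ESE_SIGNATURE = 0x89ABCDEF
OFF_SIGNATURE, OFF_FILE_TYPE, OFF_DB_STATE, OFF_PAGE_SIZE = 4, 12, 52, 236
DB_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
             4: "BeingConverted", 5: "ForceDetach"}


def u32(data: bytes, offset: int) -> int:
    return struct.unpack_from("<I", data, offset)[0]


def triage_header(head: bytes) -> dict:
    """Check that the bytes look like an ESE database header and report its state."""
    if len(head) < OFF_PAGE_SIZE + 4:
        raise ValueError("too short to contain an ESE header")
    if u32(head, OFF_SIGNATURE) != ESE_SIGNATURE:
        raise ValueError("bad signature: not an ESE database")
    state = u32(head, OFF_DB_STATE)
    return {
        "is_database": u32(head, OFF_FILE_TYPE) == 0,  # 0 = database file
        "state": DB_STATES.get(state, f"Unknown({state})"),
        "needs_log_replay": state == 2,  # dirty copy: logs not yet replayed
        "page_size": u32(head, OFF_PAGE_SIZE),
    }


def triage_file(path: str) -> dict:
    """Hash the evidence file (read-only) and triage its header in one pass."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(4096)
        digest.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return {**triage_header(head), "sha256": digest.hexdigest()}


def make_sample_header(state: int, page_size: int = 8192) -> bytes:
    """Constructed sample header for demonstration; not real evidence."""
    head = bytearray(4096)
    struct.pack_into("<I", head, OFF_SIGNATURE, ESE_SIGNATURE)
    struct.pack_into("<I", head, OFF_DB_STATE, state)
    struct.pack_into("<I", head, OFF_PAGE_SIZE, page_size)
    return bytes(head)
```

A `DirtyShutdown` result means the copy was taken without its transaction logs replayed, so the accompanying log files should be collected alongside the database.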
