ADTimeline - Active Directory forensics with replication metadata at the FIRST Technical Colloquium

Active Directory is a prime target in almost all cyberattacks, and attackers often attempt to gain Domain Admin privileges and maintain their access. It is therefore crucial for security teams to monitor the changes occurring in Active Directory. At the Amsterdam 2019 FIRST Technical Colloquium, ANSSI presented a forensic tool whose aim is to build a timeline of Active Directory changes from replication metadata.

Published 03 April 2019, updated 03 April 2019

The Forum of Incident Response and Security Teams (FIRST) Technical Colloquia & Symposia provide a discussion forum for FIRST member teams and invited guests to share information about vulnerabilities, incidents, tools and all other issues that affect the operation of incident response and security teams. ADTimeline, a forensic tool developed by ANSSI, was presented at the Amsterdam 2019 FIRST Technical Colloquium by Léonard Savina.

Active Directory is a critical infrastructure service; it therefore needs to be highly available. A key process to achieve this is the replication of the Active Directory database between Domain Controllers. This replication mechanism generates metadata that records information about modifications made to the attributes of objects in the directory.

Active Directory modifications are recorded in the Windows event logs of the Domain Controllers, but their scope depends on the auditing strategy configured. Unfortunately, those events are too rarely centralized, analyzed and archived. As a consequence, replication metadata is often the only artefact left for the forensic analyst to characterize changes made to Active Directory.

Replication metadata gives the time at which each replicated attribute of a given object was last changed, together with a version number that is incremented on every modification of that attribute. Because only the last change of each attribute is timestamped, the resulting timeline of modifications is partial.
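The following PowerShell is an added example written for this article; it is not ADTimeline's own code. It reads the replication metadata of one object through the constructed attribute `msDS-ReplAttributeMetaData` (one XML fragment per replicated attribute), turns each fragment into a timeline row, and makes the partiality explicit: an attribute with version N carries one timestamp, so N-1 earlier edits happened at times the metadata no longer records. The live path assumes the ActiveDirectory RSAT module (`Get-ADObject`); the sample fragments, the object DN, the DC name and the USNs are constructed for offline use.

```powershell
# Added example (not ADTimeline's code): build a partial timeline of attribute
# changes from Active Directory replication metadata.

function ConvertFrom-ReplAttributeMetadata {
    # Each value of msDS-ReplAttributeMetaData is an XML fragment
    # <DS_REPL_ATTR_META_DATA> describing one replicated attribute.
    param(
        [Parameter(Mandatory)][string[]]$Fragment,
        [string]$ObjectDN = ''
    )
    foreach ($f in $Fragment) {
        $m = ([xml]$f).DS_REPL_ATTR_META_DATA
        # "CN=NTDS Settings,CN=DC01,CN=Servers,..." -> "DC01". The DSA DN can be
        # empty when the originating DC no longer exists in the forest.
        $dc = ''
        if ($m.pszLastOriginatingDsaDN) {
            $dc = ($m.pszLastOriginatingDsaDN -split ',')[1] -replace '^CN=', ''
        }
        [pscustomobject]@{
            Object                = $ObjectDN
            Attribute             = $m.pszAttributeName
            Version               = [int]$m.dwVersion
            LastOriginatingChange = [DateTimeOffset]::Parse($m.ftimeLastOriginatingChange).UtcDateTime
            OriginatingDC         = $dc
            OriginatingUsn        = [long]$m.usnOriginatingChange
            # Only the last change is dated; earlier edits are counted but undated.
            UndatedEarlierChanges = [int]$m.dwVersion - 1
        }
    }
}

function Get-ADObjectReplTimeline {
    # Live collection: fetch the metadata from a DC and sort it chronologically.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server
    )
    $p = @{ Identity = $Identity; Properties = 'msDS-ReplAttributeMetaData' }
    if ($Server) { $p.Server = $Server }
    $o = Get-ADObject @p
    ConvertFrom-ReplAttributeMetadata -Fragment $o.'msDS-ReplAttributeMetaData' -ObjectDN $o.DistinguishedName |
        Sort-Object LastOriginatingChange
}

# Constructed sample (values invented): a service account whose
# userAccountControl was edited five times, but only the last edit is dated.
$dsa = 'CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local'
$sample = @(
    "<DS_REPL_ATTR_META_DATA><pszAttributeName>sAMAccountName</pszAttributeName><dwVersion>1</dwVersion><ftimeLastOriginatingChange>2019-01-10T08:15:02Z</ftimeLastOriginatingChange><uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000001</uuidLastOriginatingDsaInvocationID><usnOriginatingChange>12001</usnOriginatingChange><usnLocalChange>12001</usnLocalChange><pszLastOriginatingDsaDN>$dsa</pszLastOriginatingDsaDN></DS_REPL_ATTR_META_DATA>",
    "<DS_REPL_ATTR_META_DATA><pszAttributeName>userAccountControl</pszAttributeName><dwVersion>5</dwVersion><ftimeLastOriginatingChange>2019-03-28T22:41:17Z</ftimeLastOriginatingChange><uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000001</uuidLastOriginatingDsaInvocationID><usnOriginatingChange>98230</usnOriginatingChange><usnLocalChange>98230</usnLocalChange><pszLastOriginatingDsaDN>$dsa</pszLastOriginatingDsaDN></DS_REPL_ATTR_META_DATA>",
    "<DS_REPL_ATTR_META_DATA><pszAttributeName>adminCount</pszAttributeName><dwVersion>2</dwVersion><ftimeLastOriginatingChange>2019-03-28T22:43:05Z</ftimeLastOriginatingChange><uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000001</uuidLastOriginatingDsaInvocationID><usnOriginatingChange>98241</usnOriginatingChange><usnLocalChange>98241</usnLocalChange><pszLastOriginatingDsaDN></pszLastOriginatingDsaDN></DS_REPL_ATTR_META_DATA>"
)

ConvertFrom-ReplAttributeMetadata -Fragment $sample -ObjectDN 'CN=svc-backup,OU=Service,DC=example,DC=local' |
    Sort-Object LastOriginatingChange |
    Format-Table Attribute, Version, UndatedEarlierChanges, LastOriginatingChange, OriginatingDC -AutoSize
```

On a live domain, `Get-ADObjectReplTimeline -Identity 'CN=svc-backup,OU=Service,DC=example,DC=local' -Server DC01` returns the same rows for the real object. Reading the metadata from several DCs and comparing the originating USN and DSA is a useful cross-check: the same attribute reported with different originating servers points to changes that were made on more than one DC.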

The ADTimeline tool, written in PowerShell, was designed not only for forensic analysts but also for system administrators, enabling them to more easily spot modifications that do not comply with their procedures. The tool, which is available on the agency's GitHub, can run against a live Active Directory or process an Active Directory database extracted from a disk image and mounted on an analysis machine.