Into ntds.dit

A couple of days ago we had a chance to see that CIA Triad contains the "Availability" part for a reason. One tiny kernel driver, less than one percent of computers affected, and every single news agency around the world had a reason to specialize in operating systems design.
​
One of the issues some companies faced was related to BitLocker keys.
​
Such keys were necessary to access Windows Boot Volume in offline mode, allowing in turn to remove .sys file making computer unbootable. When it comes to Domain Controllers, we have a chicken and egg problem: to read key from AD, we need to fix DC, which requires the proper BitLocker recovery key... If they have no backup, the problem seems serious, but if they can reach for archival version of ntds.dit there is a hope.
​
As we all know, ntds.dit is a database, but did you try to read it raw? Starting from the lowest layer, we can say it's ESE (Extensible Storage Engine), also known as JET Blue.
​
Windows uses it for couple of purposes (e.g. Windows Search database, File History, etc.) including Active Directory data storage. It is about 30 years old but still seems to be the best DB engine for such workloads. Theoretically, opening ndts.dit is not hard. Even if you have no DB or programing experience, you can use free tools like NirSoft ESEDatabaseView and view everything as tables. For Active Directory database it's mainly about the "datatable" table, which contains the most important data.
​
The problem is that it's easily readable, but not very user-friendly. If you scroll through thousands of rows and similar number of columns, it's easy to miss important data. Add "friendly" column names like "ATTc590021" or "ATTm131266" and you get the whole image. Thankfully, Windows comes fitted with libraries needed to read the ESE databases from PowerShell.
​
If we know what we are looking for, scripting search or analysis is not that hard. Seeking through rows, focusing on the "ATTm591788" column, responsible for "ms-FVE-RecoveryPassword" AD attribute, returns all BitLocker recovery passwords in couple of seconds. I would encourage you to write such script on your own, but if you have no time to do it, you can find the ready one at https://github.com/gtworek/PSBits/blob/master/Misc/ExtractFVEPasswordsFromNTDS.ps1
​
It can be also used as a "boilerplate" for reaching raw ntds.dit records, processing them in any other way you find useful.