The goal of this workshop is to introduce participants to the internals of Enhanced Storage Engine (ESE) files.
During the workshop we will examine how to recover an ESE file whose header is damaged, using an ntds.dit file as the example. We will use API Monitor to find the function in esent.dll that returns an error when the header is damaged. Then we will use a debugger to analyze that function and find the hash calculation algorithm. Finally, we will write a simple Python script that implements the discovered algorithm so that we can reconstruct a working header.
- A virtual machine will be provided with all the necessary tools installed