macOS
/Users/%username%/
Password hashes
sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist
The hash material is in the ShadowHashData key: base64 data that is itself a binary plist (on current macOS a SALTED-SHA512-PBKDF2 entry with entropy, salt and iterations).
Account Info
sudo plutil -p /private/var/db/dslocal/nodes/Default/users/<User>.plist
Contains name, full (profile) name, password hint, account image, UID.
Get UIDs of all users (including service accounts' UIDs): /private/var/db/dslocal/nodes/Default/sqlindex (SQLite DB).
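The two plutil commands above dump the record by hand. The following added example (not part of the original page) does the same parsing in Python with the standard-library plistlib, so it runs anywhere, including against a plist copied off an image: it pulls the account-info fields and, instead of cracking anything, describes the stored hash (algorithm, iteration count) and renders the PBKDF2 entry in the $ml$iterations$salt$entropy layout that hashcat mode 7100 consumes. The key names are the real dslocal ones; the sample record, its values and the hash bytes are constructed filler.

```python
import plistlib

# Constructed sample mimicking /var/db/dslocal/nodes/Default/users/<username>.plist.
# The key names are real; every value (including the hash bytes) is made-up filler.
_INNER_SHADOW = plistlib.dumps(
    {"SALTED-SHA512-PBKDF2": {
        "entropy": bytes(range(128)),                       # 128-byte derived key on real systems
        "salt": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
        "iterations": 39271,
    }},
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_USER_PLIST = plistlib.dumps(
    {
        "name": ["alice"],
        "realname": ["Alice Example"],
        "uid": ["501"],
        "gid": ["20"],
        "hint": ["first pet"],
        "home": ["/Users/alice"],
        "shell": ["/bin/zsh"],
        "generateduid": ["11111111-2222-3333-4444-555555555555"],
        "ShadowHashData": [_INNER_SHADOW],                  # nested binary plist, stored as data
    },
    fmt=plistlib.FMT_BINARY,
)


def _first(record, key):
    """dslocal stores every attribute as a list; return its first element (or None)."""
    value = record.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def summarize_user_record(plist_bytes):
    """Return the account-info fields plus a description of each stored hash."""
    record = plistlib.loads(plist_bytes)
    summary = {
        "name": _first(record, "name"),
        "realname": _first(record, "realname"),
        "uid": int(_first(record, "uid")),
        "hint": _first(record, "hint"),
        "hashes": [],
    }
    shadow = _first(record, "ShadowHashData")
    if shadow:
        inner = plistlib.loads(shadow)                      # decode the nested plist
        for algo, params in inner.items():
            entry = {"algorithm": algo}
            if isinstance(params, dict):
                entry["iterations"] = params.get("iterations")
                if algo == "SALTED-SHA512-PBKDF2":
                    # hashcat mode 7100 format: $ml$<iterations>$<salt hex>$<entropy hex>
                    entry["hashcat"] = "$ml$%d$%s$%s" % (
                        params["iterations"], params["salt"].hex(), params["entropy"].hex())
            summary["hashes"].append(entry)
    return summary


if __name__ == "__main__":
    import json
    import sys
    # Pass the path of a user plist (read as root) to inspect a real record.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_USER_PLIST
    print(json.dumps(summarize_user_record(data), indent=2))
```

Run it as `sudo python3 dslocal_user.py /var/db/dslocal/nodes/Default/users/<username>.plist`; without an argument it parses the constructed sample.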
Login History
sudo su
cd /private/var/log/asl
syslog -f BB.<date>.asl
BB.<date>.asl - "Best Before": ASL stores whose records carry a long expiry; login/logout records land here, and `last` reads them. The files are binary, so read them with `syslog -f` rather than `cat`.
⚠️ When acquiring volumes from an APFS system, acquire the Recovery volume as well, since it may also contain account information (password hints, for example).
Tools: plutil (built-in on Macs).
FSEvents records (.fseventsd at the root of each volume) can also give you a lot of file-activity information. Tools: FSEventsParser.
Linux
/etc/passwd and /etc/shadow.
User Account/Data
• /home/%username%/*
• /etc/passwd
• /etc/shadow
• /etc/sudoers
• /etc/group
Unused accounts
Look for unexpected accounts, especially those whose password field in /etc/shadow is empty (login with no password, if PAM allows it). Note that `!` or `*` in that field means the account is locked, which is different from empty.
sudo awk -F: '($2==""){print $1}' /etc/shadow
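The awk one-liner above catches empty password fields. The following added example (not from the original page) generalises that review in Python: it reads passwd and shadow content, flags empty passwords, locked accounts, extra UID-0 accounts, duplicate UIDs, hashes stored directly in /etc/passwd, and users with no shadow entry. The two file excerpts are constructed for the demo and contain no real hashes.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/home/backup2:/bin/bash
svc-report:x:1001:1001::/var/lib/report:/bin/sh
legacy:x:1002:1002::/home/legacy:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$othersalt$notarealhash:19000:0:99999:7:::
backup2:$6$xx$notarealhash:19000:0:99999:7:::
svc-report::19000:0:99999:7:::
legacy:!$6$zz$notarealhash:19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Map username -> list of fields for a passwd/shadow style file."""
    entries = {}
    for line in text.splitlines():
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return the suspicious-account findings a reviewer would check first."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = {
        "empty_password": [],    # shadow field 2 empty: login without a password
        "locked": [],            # shadow field 2 starts with '!' or '*': locked, not empty
        "extra_uid0": [],        # UID 0 under a name other than root
        "duplicate_uid": {},     # uid -> names sharing it
        "passwd_has_hash": [],   # hash kept in /etc/passwd instead of the 'x' placeholder
        "no_shadow_entry": [],   # passwd user with no matching shadow line
    }
    by_uid = {}
    for name, fields in passwd.items():
        uid = int(fields[2])
        by_uid.setdefault(uid, []).append(name)
        if uid == 0 and name != "root":
            findings["extra_uid0"].append(name)
        if fields[1] not in ("x", "*", "!", ""):
            findings["passwd_has_hash"].append(name)
        if name not in shadow:
            findings["no_shadow_entry"].append(name)
            continue
        pw = shadow[name][1]
        if pw == "":
            findings["empty_password"].append(name)
        elif pw.startswith(("!", "*")):
            findings["locked"].append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings["duplicate_uid"][uid] = sorted(names)
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        passwd_text = open(sys.argv[1]).read()
        shadow_text = open(sys.argv[2]).read()   # /etc/shadow is root-only
    else:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    for finding, hits in audit_accounts(passwd_text, shadow_text).items():
        if hits:
            print(f"{finding}: {hits}")
```

Run it as `sudo python3 audit_accounts.py /etc/passwd /etc/shadow` on a live host, or point it at the copies pulled from an image; with no arguments it audits the constructed sample.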
Effective ID vs Real ID