macOS
User data: /Users/%username%/
Password hashes
sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist
The ShadowHashData key holds the SALTED-SHA512-PBKDF2 hash (entropy, salt, iterations) as a nested binary plist; plutil -p only prints it as raw bytes, so decode it separately before cracking.
Account Info
sudo plutil -p /private/var/db/dslocal/nodes/Default/users/<User>.plist
(Same file as above: /var is a symlink to /private/var.) Contains name, real name, password hint, account picture, UID.
Get UIDs of users (including service accounts' UIDs): /private/var/db/dslocal/nodes/Default/sqlindex (SQLite DB).
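Added example (not from the original page) covering the two items above: decode the fields plutil -p shows, unpack ShadowHashData, and verify a candidate password. It builds a constructed user plist in memory with a low iteration count so it runs anywhere; on a Mac, read the real file (root only) and pass its bytes to parse_user_plist instead. The $ml$ line is the layout commonly fed to crackers (hashcat mode 7100); check your cracker's expected entropy length, since the on-disk entropy is 128 bytes.

```python
import hashlib
import hmac
import plistlib


def build_sample_user_plist(name, uid, password, hint, iterations=1000):
    """CONSTRUCTED fixture shaped like /var/db/dslocal/nodes/Default/users/<name>.plist.

    Real records use tens of thousands of iterations and a random 32-byte salt;
    the low count here only keeps the example fast.
    """
    salt = bytes(range(32))
    # macOS stores 128 bytes of PBKDF2-HMAC-SHA512 output as the "entropy".
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, 128)
    inner = {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "salt": salt, "iterations": iterations}}
    record = {
        "name": [name],                  # dslocal keeps attributes as arrays of strings
        "realname": [name.title()],
        "uid": [str(uid)],
        "hint": [hint],
        "ShadowHashData": [plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)],
    }
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def parse_user_plist(data):
    """Return the account fields plus every decoded SALTED-SHA512-PBKDF2 hash."""
    rec = plistlib.loads(data)

    def first(key):
        return (rec.get(key) or [None])[0]

    uid = first("uid")
    info = {
        "name": first("name"),
        "realname": first("realname"),
        "uid": int(uid) if uid is not None else None,
        "hint": first("hint"),
        "hashes": [],
    }
    for blob in rec.get("ShadowHashData", []):
        inner = plistlib.loads(blob)       # each array element is itself a binary plist
        params = inner.get("SALTED-SHA512-PBKDF2")
        if params:
            info["hashes"].append({
                "iterations": int(params["iterations"]),
                "salt": bytes(params["salt"]),
                "entropy": bytes(params["entropy"]),
            })
    return info


def to_ml_format(h):
    """$ml$<iterations>$<salt hex>$<entropy hex> layout for handing the hash to a cracker."""
    return f"$ml${h['iterations']}${h['salt'].hex()}${h['entropy'].hex()}"


def check_password(h, candidate):
    """Recompute PBKDF2-HMAC-SHA512 for a candidate and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode(), h["salt"],
                                  h["iterations"], len(h["entropy"]))
    return hmac.compare_digest(derived, h["entropy"])


if __name__ == "__main__":
    # Constructed record; on a Mac use open("alice.plist", "rb").read() on a copied file.
    blob = build_sample_user_plist("alice", 501, "Summer2024!", "first pet + year")
    info = parse_user_plist(blob)
    print(info["name"], info["uid"], info["hint"])
    for h in info["hashes"]:
        print(to_ml_format(h))
        print("matches:", check_password(h, "Summer2024!"), check_password(h, "wrong"))
```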
Login History
sudo su
cd /private/var/log/asl
syslog -f BB.<date>.asl
The .asl files are binary, so read them with syslog -f rather than cat. BB.<date>.asl - "Best Before": the date is the expiry of the long-lived records the file holds (login/logout events among them). On macOS 10.12+ most of this has moved to the unified log: log show --predicate 'process == "loginwindow"'
⚠️ When imaging an APFS system, acquire the Recovery volume as well: it can also hold account information (password hints, for example).
Tools 🛠: plutil (built-in on macOS).
FSEvents records (/.fseventsd on each volume) also give a lot of information about file-system activity over time. Tools 🛠: FSEventsParser.
Linux
Account databases: /etc/passwd and /etc/shadow.
User Account/Data
• /home/%username%/*
• /etc/passwd
• /etc/shadow
• /etc/sudoers
• /etc/group
Unused / unexpected accounts
Look for unexpected accounts, especially ones whose password field in /etc/shadow is empty (login needs no password at all; a locked account shows ! or * there instead).
sudo awk -F: '$2=="" {print $1}' /etc/shadow
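Added example (not from the original page) that goes beyond the single empty-password check: it also flags extra UID 0 accounts, duplicate UIDs, system accounts given an interactive shell, and names present in only one of the two files. It runs against constructed copies of passwd and shadow; on a live box call audit_accounts /etc/passwd /etc/shadow as root.

```shell
#!/bin/sh
# Triage passwd/shadow (live files or copies from an image) for suspicious accounts.

audit_accounts() {
    passwd_file="$1"
    shadow_file="$2"
    # Empty second field in shadow: login with no password at all ("!" / "*" means locked, fine).
    awk -F: '$2=="" {print "EMPTY-PASSWORD " $1}' "$shadow_file"
    # Empty password field in passwd itself (no shadow in use, or a tampered entry).
    awk -F: '$2=="" {print "EMPTY-PASSWD-FIELD " $1}' "$passwd_file"
    # Any UID 0 account other than root is a backdoor until proven otherwise.
    awk -F: '$3==0 && $1!="root" {print "UID0 " $1}' "$passwd_file"
    # Duplicate UIDs: two names sharing one identity.
    awk -F: '{n[$3]=n[$3] " " $1; c[$3]++} END {for (u in c) if (c[u]>1) print "DUP-UID " u n[u]}' "$passwd_file"
    # System accounts (UID < 1000) that were given an interactive shell.
    awk -F: '$3>0 && $3<1000 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {print "SYSTEM-ACCT-SHELL " $1 " " $7}' "$passwd_file"
    # Names that exist in one file but not the other.
    awk -F: 'NR==FNR {seen[$1]; next} !($1 in seen) {print "SHADOW-ONLY " $1}' "$passwd_file" "$shadow_file"
    awk -F: 'NR==FNR {seen[$1]; next} !($1 in seen) {print "PASSWD-ONLY " $1}' "$shadow_file" "$passwd_file"
}

# CONSTRUCTED sample files standing in for /etc/passwd and /etc/shadow.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$rounds=5000$abc$placeholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
toor:$6$rounds=5000$abc$placeholder:19000:0:99999:7:::
ghost:!:19000:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

# Usage on a live system: audit_accounts /etc/passwd /etc/shadow
sample_dir=$(make_sample_files)
audit_accounts "$sample_dir/passwd" "$sample_dir/shadow"
```

Each finding is one line prefixed with its category, so the output can be grepped or diffed against a known-good baseline of the same host.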
Effective ID vs Real ID