Windows
There are two main places in the registry that contain user account information: the SAM hive for local and Microsoft accounts, and Software\Microsoft\Windows NT\CurrentVersion\ProfileList for domain accounts.
To crack Windows NTLM hashes (for local accounts only), you need both the SYSTEM and SAM hives: SYSTEM contains the AES key used to decrypt the NTLM hashes, and SAM contains the encrypted hashes. Once a hash is decrypted, it still has to be recovered with either a brute-force or a dictionary attack.
On later Windows versions, Xbox is a built-in game center. It also holds some information about the user (if they use it for games): C:\Users\%Username%\AppData\Local\LocalState\ModelManager\Xboxlivegamer.xml (user profile).
Also collect the DPAPI user and system master keys: https://www.youtube.com/watch?v=vA4qa0uWRHU.
\Users\%username%\
\Users\%username%\Desktop
\Users\%username%\Documents
\Users\%username%\Downloads
Password hashes
SAM hive + SYSTEM.
macOS
/Users/%username%/
Password hashes
sudo plutil -p /var/db/dslocal/nodes/Default/users/<username>.plist
Account Info
sudo plutil -p /private/var/db/dslocal/nodes/Default/Users/<User>.plist
Contains name, profile name, password hint, account image, UID
Get UIDs of users (including service accounts' UIDs): /private/var/db/dslocal/nodes/Default/sqlindex (SQLite DB).
Login History
sudo su
cd /private/var/log/asl
cat BB.<date>.asl
BB.<date>.asl: "BB" stands for "best before", the date in the file name.
⚠️ When grabbing volumes from an APFS system, also acquire the Recovery volume, since it may contain account information as well (password hints, for example).
Tools: plutil (built-in on Macs).
FSEvents can also give you a lot of information. Tools: FSEventsParser.
Linux
/etc/passwd and /etc/shadow.
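As an added example (not part of the original cheat sheet), a small Python triage of the two Linux files listed above: it joins /etc/passwd rows with their /etc/shadow hash field, identifies the crypt(3) hash algorithm from the `$id$` prefix, and flags the account states an examiner checks first (extra UID 0 accounts, empty password fields). The sample rows and hash values are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple
# Constructed sample rows standing in for /etc/passwd and /etc/shadow (placeholder hashes).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/var/backups:/bin/sh
toor:x:0:0::/root:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$hashhashhashhash:19700:0:99999:7:::
alice:$y$j9T$saltsalt$hashhashhash:19800:0:99999:7:::
svc-backup::19800:0:99999:7:::
toor:!$6$saltsalt$hashhash:19700:0:99999:7:::
"""
# crypt(3) "$id$" prefixes and the algorithm each denotes
HASH_IDS = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

def classify(hash_field: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return (status, algorithm) for one /etc/shadow password field."""
    if hash_field is None:
        return "no-shadow-entry", None
    if hash_field == "":
        return "empty-password", None  # login requires no password at all
    if hash_field.startswith(("!", "*")):
        return "locked", None          # "!" = locked (passwd -l), "*" = never set
    if hash_field.startswith("$"):
        return "hashed", HASH_IDS.get(hash_field.split("$")[1], "unknown")
    return "hashed", "descrypt"        # legacy 13-char DES crypt has no "$id$" prefix

def parse_accounts(passwd_text: str, shadow_text: str) -> List[Dict]:
    # Join the 7-column passwd rows with the 2nd (hash) column of shadow by user name.
    shadow = {r.split(":")[0]: r.split(":")[1] for r in shadow_text.splitlines() if ":" in r}
    accounts = []
    for row in passwd_text.splitlines():
        f = row.split(":")
        if len(f) == 7:
            status, algo = classify(shadow.get(f[0]))
            accounts.append({"name": f[0], "uid": int(f[2]), "shell": f[6],
                             "status": status, "algorithm": algo})
    return accounts

def triage(accounts: List[Dict]) -> List[str]:
    # Flags an examiner wants first: extra UID-0 accounts and passwordless interactive logins.
    flags = []
    for a in accounts:
        if a["uid"] == 0 and a["name"] != "root":
            flags.append(f'{a["name"]}: UID 0 account besides root')
        if a["status"] == "empty-password" and not a["shell"].endswith("nologin"):
            flags.append(f'{a["name"]}: empty password field, shell {a["shell"]}')
    return flags
```

Run it against copies of the real files by reading them into the two text arguments; the algorithm name tells you which hash mode a cracking or validation tool must be configured for.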