User Account/Data
• /home/%username%/*
• /etc/passwd
• /etc/shadow
• /etc/sudoers
• /etc/group
Unused accounts
Look for unexpected accounts, especially those that don't have a password (empty password field).
cat /etc/shadow | awk -F: '($2==""){print $1}'
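An added example, not part of the original notes: a shell function that goes beyond the one-liner above by cross-checking a passwd-format file against a shadow-format file, reporting empty shadow password fields together with whether the account has a login shell, plus any non-root account with UID 0. The function name `audit_accounts`, the output labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_accounts PASSWD_FILE SHADOW_FILE  (hypothetical helper name)
# Prints one finding per line: "UID0 <user>" or "EMPTY_SHADOW <user> <kind>".
audit_accounts() {
    awk -F: '
        # First file (passwd format): record UID and login shell per account.
        NR == FNR {
            uid[$1] = $3; shell[$1] = $7
            # Any account other than root with UID 0 has full root privileges.
            if ($3 == 0 && $1 != "root") print "UID0 " $1
            next
        }
        # Second file (shadow format): an empty field 2 means no password.
        $2 == "" {
            if (!($1 in uid))                         kind = "orphan"
            else if (shell[$1] ~ /(nologin|false)$/)  kind = "nologin"
            else                                      kind = "login"
            print "EMPTY_SHADOW " $1 " " kind
        }
    ' "$1" "$2"
}

# Constructed sample files (not taken from a real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:0:0:service:/home/svc:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
EOF
cat > "$sample_dir/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
ghost::19000:0:99999:7:::
EOF

audit_accounts "$sample_dir/passwd" "$sample_dir/shadow"
```

On a live system, run it as root with /etc/passwd and /etc/shadow as the two arguments.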
Effective ID vs Real ID
References
1. eForensics Magazine, Linux Forensics and Security