Evidence: Shadow
Description: Collect shadow content
Category: Applications
Platform: linux
Short Name: shadow
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Linux /etc/shadow file stores each local account's encrypted password (the password hash) together with its password-aging and account-expiry settings. This data is essential for understanding the effective password policy, detecting password-based attacks, and investigating authentication security incidents.
Data Collected
This collector gathers structured data from the shadow file, one record per account.
Shadow Data
Field          | Description                                                                  | Example
Username       | Login name of the account                                                    | Example value
Expire         | Account expiration date, in days since 1970-01-01 (empty if never)           | 123
Inactive       | Days after password expiry before the account is disabled                    | 123
LastChange     | Date of the last password change, in days since 1970-01-01                   | 123
Max            | Maximum number of days the password is valid before it must be changed       | 123
Min            | Minimum number of days required between password changes                     | 123
PasswordStatus | Status of the account's password field                                       | Example value
Warning        | Days before password expiry that the user is warned                          | 123
Collection Method
This collector parses the colon-separated fields of each entry in the /etc/shadow file and records them in the shadow table. Because /etc/shadow is readable only by root (and, on most distributions, the shadow group), the collector must run with sufficient privileges to read it.
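The parsing described above, as an added example that is not the collector's own code: it splits shadow(5) entries into the fields listed in the table, converts the day counts to dates, and derives a PasswordStatus label (the hashed/locked/no-login/empty labels and the sample lines are assumptions, not the product's values).

```python
"""Parse /etc/shadow entries into the fields the shadow table records."""
from datetime import date, timedelta

# Constructed sample lines in shadow(5) format; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!$6$PLACEHOLDER$PLACEHOLDERHASH:19650:0:90:7:14:19800:
guest::19720:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)

def password_status(field):
    """Classify the second shadow field (assumed labels, see shadow(5))."""
    if field == "":
        return "empty"      # no password set: a high-priority finding
    if field.startswith("!"):
        return "locked"     # locked with passwd -l / usermod -L
    if field == "*":
        return "no-login"   # no valid password was ever set
    return "hashed"

def days_to_date(value):
    """Convert a days-since-epoch field to an ISO date; '' if unset."""
    return (EPOCH + timedelta(days=int(value))).isoformat() if value else ""

def parse_shadow(text):
    """Return one record per well-formed entry (nine colon-separated fields)."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line.strip() or len(fields) < 9:
            continue  # blank or malformed line
        rows.append({
            "Username": fields[0],
            "PasswordStatus": password_status(fields[1]),
            "LastChange": days_to_date(fields[2]),
            "Min": fields[3], "Max": fields[4], "Warning": fields[5],
            "Inactive": fields[6], "Expire": days_to_date(fields[7]),
        })
    return rows

def accounts_without_password(rows):
    """Accounts an investigator should review first: empty password field."""
    return [r["Username"] for r in rows if r["PasswordStatus"] == "empty"]
```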
Forensic Value
This evidence is crucial for forensic investigations because it records the password and authentication settings of every local account. PasswordStatus and LastChange show which accounts have no or locked passwords and when each password was last changed, while the aging fields (Min, Max, Warning, Inactive, Expire) reveal the password policy actually in force. Together these help investigators assess password hygiene, detect password-based attacks, and investigate authentication security incidents.