Users

Overview

Evidence: Users
Description: Collect Users
Category: System
Platform: macOS
Short Name: users
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

User account information lists every account configured on the local system: its numeric user ID (UID), username, primary group, description, home directory and default shell. This data is essential for understanding who can access the system, identifying unauthorized accounts, and detecting privilege escalation or account manipulation.

User data helps investigators understand who has access to the system, identify suspicious or unauthorized accounts, and detect potential security policy violations related to user management.

Data Collected

This collector gathers structured data about users.

Users Data

Field        Description                                  Example
ID           Primary key (auto-increment)                 1
UserId       Numeric user ID (UID)                        501
Name         Username (short name)                        john
GroupId      Primary group ID (GID)                       20
GroupName    Name of the primary group                    staff
Description  User description (typically the full name)   John Doe
Directory    Home directory                               /Users/john
Shell        Default login shell                          /bin/zsh

Collection Method

This collector queries the users table and maps its columns to the fields above; the group name is resolved from the primary GID. Only the primary group is recorded: supplementary group memberships (such as membership in the admin group) are not part of this evidence and must be obtained from group evidence.

Usage

Why This Evidence Matters for Forensics

User account information is critical for understanding system access and detecting unauthorized accounts or privilege escalation. It helps investigators identify who has access to the system, detect suspicious account activity, and understand potential security policy violations.

Investigative Questions This Evidence Can Answer:

  • What user accounts exist on the system, and which are interactive accounts (UID 501 or higher with a login shell) versus system service accounts (UID below 500, names beginning with "_")?

  • Which users have administrative privileges? On macOS this is conferred by supplementary membership in the admin group (GID 80), which is not recorded here; correlate with group evidence rather than relying on GroupId, which holds only the primary group.

  • Are there any suspicious or unauthorized user accounts, for example a second account with UID 0, a low-UID account without the "_" prefix, or a home directory outside /Users?

Attack Detection:

  • Use of valid local accounts for initial access, persistence or privilege escalation (MITRE ATT&CK T1078.003)

  • Creation of new local accounts (T1136.001) and account manipulation (T1098) as persistence techniques

  • Suspicious group memberships and permissions, such as a human account whose primary group is wheel or admin

Incident Response Applications:

  • Identify compromised or unauthorized user accounts

  • Understand system access during an incident

  • Track user account changes and modifications

Threat Hunting:

  • Hunt for suspicious user accounts and group memberships across the fleet (duplicate UIDs, UID 0 on an account other than root, service accounts with an interactive shell)

  • Detect recently created or modified accounts by comparing this evidence against a known-good baseline or an earlier collection; the records carry no creation or modification timestamp

  • Identify accounts with unusual privileges or permissions

Compliance & Security Posture:

  • Audit user accounts for compliance requirements

  • Verify proper access controls and user management

  • Monitor for unauthorized account creation or modification
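The hunting and detection checks listed above can be run directly over the collected records. The following is an added example and is not part of the collector or the product: it assumes the records are available as Python dictionaries keyed by the field names in the Users Data table, and the sample records, together with the macOS UID/GID conventions the checks encode, are constructed for illustration.

```python
"""Triage a Users evidence export from a macOS host for suspicious accounts.

Added example, not the collector's own code. It assumes each record is a
dict keyed by the field names from the Users Data table (UserId, Name,
GroupId, GroupName, Description, Directory, Shell); the sample records
below are constructed for illustration.
"""
from collections import Counter

# macOS conventions behind the checks (assumptions stated here, not taken
# from the evidence itself):
#   - UID 0 is root and no other account should carry it.
#   - Local human accounts are numbered from 501; UIDs below 500 are reserved
#     for system/service accounts, which Apple names with a leading "_".
#   - Service accounts get a non-interactive shell.
#   - A human account's primary group is staff (20); admin rights come from
#     supplementary membership in admin (80), not from the primary GID.
ROOT_UID = 0
FIRST_USER_UID = 501
NON_INTERACTIVE_SHELLS = {"/usr/bin/false", "/sbin/nologin", "/bin/false"}
PRIVILEGED_PRIMARY_GIDS = {0: "wheel", 80: "admin"}
EXPECTED_HOME_PREFIXES = ("/Users/", "/var/", "/private/var/", "/Library/")

# Constructed sample records in the collector's schema.
SAMPLE_USERS = [
    {"ID": 1, "UserId": 0, "Name": "root", "GroupId": 0, "GroupName": "wheel",
     "Description": "System Administrator", "Directory": "/var/root", "Shell": "/bin/sh"},
    {"ID": 2, "UserId": 501, "Name": "john", "GroupId": 20, "GroupName": "staff",
     "Description": "John Doe", "Directory": "/Users/john", "Shell": "/bin/zsh"},
    # Backdoor-style account: second UID 0, admin as primary group.
    {"ID": 3, "UserId": 0, "Name": "support", "GroupId": 80, "GroupName": "admin",
     "Description": "", "Directory": "/Users/support", "Shell": "/bin/bash"},
    # Hidden account: UID below 500 without the "_" prefix, home in /tmp.
    {"ID": 4, "UserId": 499, "Name": "updater", "GroupId": 20, "GroupName": "staff",
     "Description": "", "Directory": "/tmp/.u", "Shell": "/bin/zsh"},
    # Legitimate Apple service account.
    {"ID": 5, "UserId": 270, "Name": "_spotlight", "GroupId": 270, "GroupName": "_spotlight",
     "Description": "Spotlight", "Directory": "/var/empty", "Shell": "/usr/bin/false"},
    # Duplicate UID with john.
    {"ID": 6, "UserId": 501, "Name": "jdoe", "GroupId": 20, "GroupName": "staff",
     "Description": "J. Doe", "Directory": "/Users/jdoe", "Shell": "/bin/zsh"},
    # Service account that has been given a login shell.
    {"ID": 7, "UserId": 70, "Name": "_www", "GroupId": 70, "GroupName": "_www",
     "Description": "World Wide Web Server", "Directory": "/Library/WebServer", "Shell": "/bin/zsh"},
]


def triage(users):
    """Return (Name, reason) tuples for every record that fails a check."""
    findings = []
    uid_counts = Counter(u["UserId"] for u in users)
    for u in users:
        name, uid, gid = u["Name"], u["UserId"], u["GroupId"]
        shell, home = u["Shell"], u["Directory"]

        if uid == ROOT_UID and name != "root":
            findings.append((name, "UID 0 on an account other than root"))
        if uid_counts[uid] > 1:
            findings.append((name, f"UID {uid} shared with another account"))
        if 0 < uid < FIRST_USER_UID and not name.startswith("_"):
            findings.append((name, f"reserved UID {uid} without the '_' service-account prefix"))
        if name.startswith("_") and shell not in NON_INTERACTIVE_SHELLS:
            findings.append((name, f"service account with interactive shell {shell}"))
        if name != "root" and gid in PRIVILEGED_PRIMARY_GIDS:
            group = PRIVILEGED_PRIMARY_GIDS[gid]
            findings.append((name, f"primary group is {group} (GID {gid}) instead of staff"))
        if not home.startswith(EXPECTED_HOME_PREFIXES):
            findings.append((name, f"home directory outside the usual locations: {home}"))
    return findings


if __name__ == "__main__":
    for account, reason in triage(SAMPLE_USERS):
        print(f"{account:<12} {reason}")
```

The checks are deliberately local to a single export; the "recently created" question from the Threat Hunting list still needs a baseline export to diff against, because the evidence carries no timestamps. Because the records hold only the primary group, the admin-group check can only catch the unusual case where admin or wheel has been made an account's primary group; regular admin membership must be confirmed from group evidence.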

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
