Users
Overview
Evidence: Users
Description: Collect Users
Category: System
Platform: macOS
Short Name: users
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
User account information provides details about all user accounts configured on the system, including local users, their group memberships, and account properties. This data is essential for understanding system access, identifying unauthorized accounts, and detecting privilege escalation or account manipulation.
User data helps investigators understand who has access to the system, identify suspicious or unauthorized accounts, and detect potential security policy violations related to user management.
Data Collected
This collector gathers structured data about users.
Users Data
Field        Description                    Example
ID           Primary key (auto-increment)   1
UserId       User ID                        501
Name         Username                       john
GroupId      Group ID                       20
GroupName    Group name                     staff
Description  User description               John Doe
Directory    Home directory                 /Users/john
Shell        Default shell                  /bin/zsh
Collection Method
This collector parses the necessary data from the users table.
Usage
Why This Evidence Matters for Forensics
User account information is critical for understanding system access and detecting unauthorized accounts or privilege escalation. It helps investigators identify who has access to the system, detect suspicious account activity, and understand potential security policy violations.
Investigative Questions This Evidence Can Answer:
What user accounts exist on the system?
Which users have administrative privileges?
Are there any suspicious or unauthorized user accounts?
Attack Detection:
Unauthorized user accounts and privilege escalation (MITRE ATT&CK T1078)
Account manipulation and persistence techniques
Suspicious group memberships and permissions
Incident Response Applications:
Identify compromised or unauthorized user accounts
Understand system access during an incident
Track user account changes and modifications
Threat Hunting:
Hunt for suspicious user accounts and group memberships
Detect recently created or modified accounts
Identify accounts with unusual privileges or permissions
Compliance & Security Posture:
Audit user accounts for compliance requirements
Verify proper access controls and user management
Monitor for unauthorized account creation or modification
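As an added example (not the collector's own code), the following Python triage applies the questions above to records in the Users Data schema: UID 0 accounts other than root, system-range UIDs with an interactive shell, admin as primary group, and duplicate UIDs. The sample rows, the UID 500 boundary, admin GID 80 and the non-login shell list are assumptions; GroupId is only the primary group, so admin membership held through secondary groups is not visible in this data.

```python
"""Triage heuristics over macOS users records shaped like the Users Data table.

Added example, not the collector's own code. The sample records below are
constructed, and the thresholds (UID 500 boundary, admin GID 80, the
non-login shell list) are assumptions typical for macOS, not page values.
"""
from typing import Dict, List

NON_LOGIN_SHELLS = {"/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin", ""}
ADMIN_GID = 80          # assumption: macOS 'admin' group gid
FIRST_USER_UID = 500    # assumption: UIDs below this are system accounts

# Constructed sample rows in the collector's schema (not from a real host).
SAMPLE_USERS: List[Dict] = [
    {"UserId": 0,   "Name": "root",   "GroupId": 0,  "GroupName": "wheel", "Description": "System Administrator", "Directory": "/var/root", "Shell": "/bin/sh"},
    {"UserId": 70,  "Name": "_www",   "GroupId": 70, "GroupName": "_www",  "Description": "World Wide Web Server", "Directory": "/Library/WebServer", "Shell": "/usr/bin/false"},
    {"UserId": 501, "Name": "john",   "GroupId": 20, "GroupName": "staff", "Description": "John Doe", "Directory": "/Users/john", "Shell": "/bin/zsh"},
    {"UserId": 0,   "Name": "toor",   "GroupId": 0,  "GroupName": "wheel", "Description": "", "Directory": "/var/root", "Shell": "/bin/bash"},
    {"UserId": 499, "Name": "backup", "GroupId": 80, "GroupName": "admin", "Description": "", "Directory": "/private/var/backup", "Shell": "/bin/zsh"},
    {"UserId": 501, "Name": "jdoe",   "GroupId": 20, "GroupName": "staff", "Description": "", "Directory": "/Users/jdoe", "Shell": "/bin/zsh"},
]


def triage_users(users: List[Dict]) -> Dict[str, List[str]]:
    """Return {username: [findings]} for accounts that merit a closer look."""
    findings: Dict[str, List[str]] = {}

    def flag(name: str, msg: str) -> None:
        findings.setdefault(name, []).append(msg)

    # Duplicate UIDs: two names resolving to one UID share that identity's rights.
    uid_owners: Dict[int, List[str]] = {}
    for u in users:
        uid_owners.setdefault(u["UserId"], []).append(u["Name"])

    for u in users:
        name, uid, shell = u["Name"], u["UserId"], u["Shell"]
        if uid == 0 and name != "root":
            flag(name, "UID 0 account other than root")
        if (uid < FIRST_USER_UID and name != "root" and not name.startswith("_")
                and shell not in NON_LOGIN_SHELLS):
            flag(name, f"system-range UID {uid} with interactive shell {shell}")
        if u["GroupId"] == ADMIN_GID or u["GroupName"] == "admin":
            flag(name, "primary group is admin")
        others = [n for n in uid_owners[uid] if n != name]
        if others:
            flag(name, f"UID {uid} shared with {', '.join(others)}")
    return findings
```

Records such as `_www` (service account, non-login shell) produce no findings, while `toor` (a second UID 0 account) and `backup` (system-range UID with admin primary group) are flagged for review.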
Notes
This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.