/etc/passwd & /etc/shadow

Linux / Authentication & Access / Disk Image

Location

/etc/passwd and /etc/shadow

Description

/etc/passwd is the user account database listing every local account with its UID, GID, home directory, and login shell. /etc/shadow holds the password hashes along with the last-change date, ageing parameters, and account expiration settings.

Forensic Value

Comparing /etc/passwd against a known-good baseline reveals rogue accounts created for persistence. Accounts with UID 0 (other than root) indicate privilege escalation through account manipulation. The login shell field exposes accounts that should be nologin but were changed to /bin/bash. Password hash age in /etc/shadow identifies accounts whose credentials were recently changed during the compromise window.
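
The checks above (baseline diff, non-root UID 0, interactive shells on system accounts, recent hash changes) as a small triage script. This is an added example, not part of the original card; the passwd and shadow contents are constructed samples, and the compromise window is an assumed date range.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)              # shadow(5) field 3 counts days since this date
NON_INTERACTIVE = ("nologin", "false")  # shells that deny interactive login

# Constructed sample data (not from a real host); hashes are placeholders.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
COLLECTED_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
"""
COLLECTED_SHADOW = """root:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19000:0:99999:7:::
sysadm:$6$PLACEHOLDER:19995:0:99999:7:::
"""

def parse_colon_file(text):
    """Map user name -> list of fields for a passwd/shadow-style file."""
    return {l.split(":")[0]: l.split(":") for l in text.splitlines() if l and l[0] != "#"}

def triage_accounts(baseline_passwd, passwd, shadow, window_start, window_end):
    """Return sorted (user, finding) pairs; window bounds are ISO date strings."""
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    base, current, shd = (parse_colon_file(t) for t in (baseline_passwd, passwd, shadow))
    findings = []
    for name, f in current.items():
        uid, shell = int(f[2]), f[6]
        if name not in base:                      # rogue account created for persistence
            findings.append((name, "not in baseline"))
        elif base[name][6] != shell:              # e.g. nologin switched to /bin/bash
            findings.append((name, f"shell changed from {base[name][6]} to {shell}"))
        if uid == 0 and name != "root":           # extra UID 0 account
            findings.append((name, "UID 0"))
        if 0 < uid < 1000 and not shell.endswith(NON_INTERACTIVE):
            findings.append((name, f"system account with interactive shell {shell}"))
        s = shd.get(name)
        if s and s[2].isdigit():                  # empty field means never changed
            changed = EPOCH + timedelta(days=int(s[2]))
            if start <= changed <= end:           # hash changed inside the window
                findings.append((name, f"password changed {changed}"))
    return sorted(findings)
```

Run it against the collected copies from /forensics/output/ and a trusted baseline from a clean build of the same distro; the shadow last-change date is only as reliable as the host clock at the time of the change.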

Tools Required

cat, grep, diff, john, hashcat

Collection Commands

cp

cp /etc/passwd /etc/shadow /etc/group /forensics/output/

awk

awk -F: '$3 == 0 || $3 >= 1000' /etc/passwd > /forensics/output/notable_accounts.txt

grep

grep -v "nologin\|false" /etc/passwd > /forensics/output/interactive_accounts.txt

stat

stat /etc/passwd /etc/shadow > /forensics/output/account_file_timestamps.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1003.008, T1136.001, T1078.003, T1087.001