/etc/passwd & /etc/shadow

Tags: linux, Authentication & Access, Disk Image

Location

/etc/passwd and /etc/shadow

Description

The user account database (/etc/passwd) lists every local account with its UID, GID, home directory, and login shell. The shadow file (/etc/shadow) holds the password hashes together with the last-change date (days since 1970-01-01), aging parameters, and account expiration settings; it is readable only by root, so a disk image is the usual way to obtain it.

Forensic Value

Comparing /etc/passwd against a known-good baseline reveals rogue accounts created for persistence. Any account with UID 0 other than root indicates privilege escalation through account manipulation, because the kernel grants privilege by UID, not by name. The login shell field exposes service accounts that should carry nologin (or /bin/false) but were changed to /bin/bash. The last-change field in /etc/shadow identifies accounts whose credentials were changed during the compromise window; convert the day count to a calendar date before comparing it with the timeline, and treat a value of 0 (password change forced at next login) or an empty field as "unknown" rather than as a change date. Hash fields of "*" or "!" mark locked accounts, and the "$id$" prefix names the algorithm ($6$ sha512crypt, $y$ yescrypt), which is worth recording before any hash is handed to john or hashcat.
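The checks described above, carried out in one pass over the two files as an added example (this is not code from the original entry or from any tool it names). It parses the standard passwd(5) and shadow(5) layouts, diffs the image's passwd against a baseline copy, and flags new accounts, non-root UID 0 entries, service accounts switched to an interactive shell, and password changes inside the compromise window. All sample lines are constructed for the example; the hash values are placeholders, and the function and constant names are this example's own.

```python
"""Triage /etc/passwd and /etc/shadow recovered from a disk image (added example).

Sample data below is constructed; the hash fields are placeholders, not real digests.
"""
from datetime import date, timedelta

# Shells that give an interactive login; nologin, false, etc. are treated as non-interactive.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash",
                      "/usr/bin/bash", "/usr/bin/zsh"}

# Crypt-style "$id$" prefixes -> algorithm name (standard glibc/libxcrypt identifiers).
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}


def parse_passwd(text):
    """Return {name: {uid, gid, home, shell}} from passwd(5) text; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {name: {hash, lastchg}} from shadow(5) text.

    lastchg is days since 1970-01-01. An empty field is stored as None (unknown);
    0 means a change is forced at next login and is not a real change date."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        lastchg = int(fields[2]) if fields[2].isdigit() else None
        entries[fields[0]] = {"hash": fields[1], "lastchg": lastchg}
    return entries


def days_to_date(days):
    """Convert a shadow 'days since epoch' value to a calendar date."""
    return date(1970, 1, 1) + timedelta(days=days)


def hash_algorithm(hash_value):
    """Name the crypt algorithm from its prefix; '*'/'!' are locked accounts, '' is no password."""
    if hash_value in ("*", "!", "!!"):
        return "locked"
    if hash_value == "":
        return "empty"
    for prefix, name in HASH_PREFIXES.items():
        if hash_value.startswith(prefix):
            return name
    return "unknown"


def triage(baseline_passwd, image_passwd, image_shadow, window_start, window_end):
    """Return a list of (indicator, account) tuples found in the image's account databases."""
    base = parse_passwd(baseline_passwd)
    cur = parse_passwd(image_passwd)
    shadow = parse_shadow(image_shadow)
    findings = []
    for name, u in cur.items():
        if name not in base:
            findings.append(("new_account", name))
        if u["uid"] == 0 and name != "root":
            findings.append(("uid0_non_root", name))
        if name in base and base[name]["shell"] != u["shell"] and u["shell"] in INTERACTIVE_SHELLS:
            findings.append(("shell_changed_to_interactive", name))
        s = shadow.get(name)
        # lastchg of 0 or None carries no date; locked/empty hashes cannot have been "changed" to.
        if s and s["lastchg"] and hash_algorithm(s["hash"]) not in ("locked", "empty"):
            if window_start <= days_to_date(s["lastchg"]) <= window_end:
                findings.append(("password_changed_in_window", name))
    return findings


# Constructed sample data: a baseline passwd, the image's passwd, and the image's shadow.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
IMAGE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
"""
IMAGE_SHADOW = """root:$6$saltsalt$PLACEHOLDER_HASH:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:$6$saltsalt$PLACEHOLDER_HASH:19860:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDER_HASH:19500:0:99999:7:::
sysadm:$6$saltsalt$PLACEHOLDER_HASH:19862:0:99999:7:::
"""

if __name__ == "__main__":
    # Compromise window expressed in the same day units shadow uses, then converted to dates.
    window = (days_to_date(19850), days_to_date(19870))
    for indicator, account in triage(BASELINE_PASSWD, IMAGE_PASSWD, IMAGE_SHADOW, *window):
        print(f"{indicator:30} {account}")
```

The baseline copy would normally come from a clean install of the same distribution release or from configuration management, and the window from the rest of the timeline; the script only reports indicators, leaving interpretation (for example, a legitimate password rotation inside the window) to the analyst.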

Tools Required

cat, grep, diff, john, hashcat