User Accounts & Authentication
Overview
macOS stores user account information in directory service plists, login/logout events in system logs, and remote access configuration in SSH directories. User account forensics establishes who had accounts on the system, when they logged in and out, what privilege escalation occurred, and what remote access was configured.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| User accounts | All local accounts, UIDs, shells, home directories |
| Login/logout history | User session timeline |
| Last logged-in user | Most recent interactive user |
| Sudo history | Privilege escalation events |
| SSH authorized keys | Who can remotely access this system |
| SSH known hosts | Remote systems the user has connected to |
| Login items | Applications that auto-start at login |
File Locations
| Artifact | Path | Format |
|---|---|---|
| User account plists | /var/db/dslocal/nodes/Default/users/*.plist | Plist |
| Last logged-in user | /Library/Preferences/com.apple.loginwindow.plist | Plist |
| Login items (user) | ~/Library/Preferences/com.apple.loginitems.plist | Plist |
| Login items (modern) | ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm | Binary |
| Authorization database | /var/db/auth.db | SQLite |
| SSH authorized keys | ~/.ssh/authorized_keys | Text |
| SSH known hosts | ~/.ssh/known_hosts | Text |
| SSH config | ~/.ssh/config | Text |
| SSH private keys | ~/.ssh/id_* | PEM / OpenSSH |
| Sudo log | Unified Logs / /var/log/system.log | Log |
Key Data
User Account Plists
Each file in /var/db/dslocal/nodes/Default/users/ represents a local account:
| Key | Description |
|---|---|
| name | Username (login name) |
| realname | Full display name |
| uid | Numeric user ID |
| gid | Primary group ID |
| home | Home directory path |
| shell | Default shell |
| generateduid | UUID for the account |
| ShadowHashData | Password hash data (salted SHA-512 PBKDF2) |
| accountPolicyData | Password policy, failed login count, last login time |
| IsHidden | Whether the account is hidden from the login window |
Login Window Preferences
```bash
defaults read /Library/Preferences/com.apple.loginwindow
```
| Key | Description |
|---|---|
| lastUserName | Most recent user to log in |
| autoLoginUser | Auto-login user (if configured) |
| SHOWFULLNAME | Whether the login window shows a name field instead of the user list |
SSH Known Hosts
Each line represents a remote server the user has connected to via SSH:
```
server.example.com,192.168.1.100 ssh-ed25519 AAAAC3Nza...
```
This reveals remote systems the user has accessed, including internal servers, cloud instances, and development environments.
SSH Authorized Keys
Each line represents a public key that can log in as this user:
```
ssh-ed25519 AAAAC3Nza... user@remote-machine
```
The comment field (e.g., user@remote-machine) normally records where the key was generated; it is free text that the key owner can edit, so treat it as a hint rather than proof of origin.
Key Fields for Analysis
Enumerate All Users
```bash
# List all local user accounts, sorted by UID
dscl . -list /Users UniqueID | sort -k2 -n
# Read the full record for one user (replace "username")
dscl . -read /Users/username
# Check for hidden users: print only accounts whose IsHidden value is exactly 1
# (a bare "grep 1" would also match any username or value containing the digit 1)
dscl . -list /Users IsHidden | awk '$2 == 1'
```
Login History (Unified Logs)
```bash
# Login events
log show --predicate 'eventMessage contains "loginwindow" AND eventMessage contains "login"' --last 30d
# Sudo events
log show --predicate 'process == "sudo"' --last 30d
# SSH authentication
log show --predicate 'process == "sshd"' --last 30d
```
Analysis Notes
- Hidden accounts: Accounts with IsHidden = 1 do not appear on the login screen. These could be legitimate service accounts or unauthorized hidden accounts.
- UID analysis: UIDs below 500 are typically system accounts. Regular user accounts start at 501. An account with a low UID that is not a known system account is suspicious.
- Password policy data: The accountPolicyData within user plists contains failedLoginCount and failedLoginTimestamp, which reveal brute-force login attempts.
- SSH key analysis: Review authorized_keys for unexpected entries. Check private keys for keys without passphrases (files with no encrypted header).
- sudo audit: Sudo events in Unified Logs show which users escalated to root and what commands they ran.
- Login items: Applications in login items auto-start when the user logs in, making this a persistence mechanism. Cross-reference with Launch Agents.
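Bringing the hidden-account, low-UID and failed-login checks above together, here is an added Python example (not macfor's code) that parses one user account plist from /var/db/dslocal/nodes/Default/users/ and returns the flags an analyst would triage. The KNOWN_SYSTEM_ACCOUNTS allowlist is an assumption to be replaced with the system's baseline, and the sample record is constructed, not taken from a real system.

```python
import plistlib
from typing import Any

# Assumption: a minimal allowlist of expected low-UID accounts; extend it with
# the baseline of the macOS version under examination.
KNOWN_SYSTEM_ACCOUNTS = {"root", "daemon", "nobody"}

def _first(rec: dict, key: str, default: Any = None) -> Any:
    """dslocal plists store every attribute as a list; return its first element."""
    val = rec.get(key)
    if isinstance(val, list) and val:
        return val[0]
    return default

def analyze_user_plist(raw: bytes) -> dict:
    """Parse one dslocal user plist (XML or binary) and flag suspicious properties."""
    rec = plistlib.loads(raw)
    name = _first(rec, "name", "")
    uid = int(_first(rec, "uid", "-1"))
    hidden = str(_first(rec, "IsHidden", "0")) == "1"
    # accountPolicyData is itself a plist embedded as a data blob
    policy = {}
    blob = _first(rec, "accountPolicyData")
    if isinstance(blob, bytes):
        policy = plistlib.loads(blob)
    failed = int(policy.get("failedLoginCount", 0))
    flags = []
    if hidden:
        flags.append("hidden account")
    if uid < 500 and name not in KNOWN_SYSTEM_ACCOUNTS:
        flags.append("low UID not in known system accounts")
    if failed > 0:
        flags.append(f"{failed} failed logins")
    return {"name": name, "uid": uid, "hidden": hidden,
            "failed_logins": failed, "flags": flags}

# Constructed sample record mirroring the dslocal layout (every value is a list).
SAMPLE_PLIST = plistlib.dumps({
    "name": ["svc_backup"],
    "realname": ["Backup Service"],
    "uid": ["499"],
    "gid": ["20"],
    "home": ["/var/empty"],
    "shell": ["/bin/zsh"],
    "IsHidden": ["1"],
    "accountPolicyData": [plistlib.dumps({"failedLoginCount": 7,
                                          "failedLoginTimestamp": 1700000000.0})],
})

if __name__ == "__main__":
    print(analyze_user_plist(SAMPLE_PLIST))
```

Reading the real plists requires root (and Full Disk Access on 10.15 and later), so run it against a copied image rather than the live directory.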
Version Differences
| macOS Version | Changes |
|---|---|
| 10.15 (Catalina) | Full Disk Access required to read user plists |
| 13 (Ventura) | Login Items managed via System Settings; backgrounditems.btm format |
| 14 (Sonoma) | Enhanced login item management |
Tool Support
| Tool | Support |
|---|---|
| macfor | User enumeration implemented; detailed auth analysis planned |
| dscl (macOS built-in) | Directory service command-line tool |
| log (macOS built-in) | Query login/sudo events |
| last (macOS built-in) | Show login history |
References
- Apple Open Directory Documentation
- macOS User Account Forensics - SANS
- SANS FOR518: Mac and iOS Forensic Analysis