User Accounts

User accounts are a crucial component of any digital forensics investigation. They provide valuable information about who had access to a system, what they did while logged in, and what resources they may have accessed.

User accounts can be local to the host or managed centrally using Active Directory, OpenLDAP, Novell eDirectory, etc.

There are three main types of user accounts on a Linux System:

  • Superuser account: Also known as root, this account has full administrative privileges on the system. What confers that privilege is UID 0, not the name: any entry in /etc/passwd with UID 0 is a superuser, so an investigator should check for additional UID-0 accounts rather than only looking at the line named root.

  • Regular user account: Regular user accounts have limited access to the system. They may only access files and resources to which they have been explicitly granted access. A regular user can be given additional privileges by adding the user to a group that holds the desired privileges or by granting the user specific permissions on specific files or directories.

  • System account (Service account): System accounts correspond to a service running on the system rather than to a person using it. Service accounts are used by system services such as web servers, mail transport agents, databases etc. Note that there is no formal distinction between a regular user account and a system/service account at the kernel level; the difference is one of convention. Distributions allocate system accounts from a reserved UID range (SYS_UID_MIN and SYS_UID_MAX in /etc/login.defs, below UID_MIN, which defaults to 1000 on most current distributions), give them a non-interactive shell such as /usr/sbin/nologin or /bin/false, and lock their password field in /etc/shadow (a `*` or a leading `!`). A regular user account normally has a real login shell, a usable password, and a home directory under /home. Because these are only conventions, a service account that has acquired an interactive shell or a valid password hash deserves close attention during an investigation.
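The following is an added example, not code from the original page: a small Python triage script that applies the three categories above to a /etc/passwd dump, uses /etc/shadow data where available, and flags the anomalies an investigator would want surfaced (an extra UID-0 account, a service account with an interactive shell or a usable password hash, an empty password field, shared UIDs). The passwd and shadow lines are constructed sample data, and the UID_MIN boundary of 1000 is an assumption taken from common login.defs defaults; adjust it to the host under investigation.

```python
"""Triage Linux account entries by type and flag anomalies.
Added example, not code from the original page. Sample lines are constructed;
UID_MIN=1000 is an assumed login.defs default, adjust for the examined host."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Conventional boundary between system and regular accounts (login.defs UID_MIN).
UID_MIN = 1000
# Shells that refuse an interactive login; a system account with any other
# shell is not necessarily malicious, but it is something to explain.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample data: "toor" is a second UID-0 account with an empty
# password, and "backup" has been given a shell and a password hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
backup:$6$saltsalt$notarealhash:19720:0:99999:7:::
alice:$6$saltsalt$notarealhash:19720:0:99999:7:::
toor::19725:0:99999:7:::
"""

@dataclass
class Account:
    name: str
    uid: int
    home: str
    shell: str
    kind: str                               # "root", "system" or "regular"
    findings: List[str] = field(default_factory=list)

def parse_passwd(text: str) -> List[Account]:
    """Parse passwd(5) lines and assign each the category used in the text above."""
    accounts: List[Account] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(parts)}")
        name, _pw, uid, _gid, _gecos, home, shell = parts
        uid_i = int(uid)
        # UID 0 is what makes a superuser; the name "root" is only a convention.
        kind = "root" if uid_i == 0 else ("system" if uid_i < UID_MIN else "regular")
        accounts.append(Account(name, uid_i, home, shell, kind))
    return accounts

def parse_shadow(text: str) -> Dict[str, str]:
    """Return account name -> password field from shadow(5) lines."""
    pw_fields: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) >= 2 and parts[0] and not parts[0].startswith("#"):
            pw_fields[parts[0]] = parts[1]
    return pw_fields

def audit(accounts: List[Account], shadow: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Attach findings to each account; return {name: findings} for accounts that have any."""
    by_uid: Dict[int, List[str]] = {}
    for a in accounts:
        by_uid.setdefault(a.uid, []).append(a.name)
    report: Dict[str, List[str]] = {}
    for a in accounts:
        if a.uid == 0 and a.name != "root":
            a.findings.append("UID 0 but not named root: an additional superuser")
        if len(by_uid[a.uid]) > 1:
            others = ", ".join(n for n in by_uid[a.uid] if n != a.name)
            a.findings.append(f"shares UID {a.uid} with {others}")
        if a.kind == "system" and a.shell not in NOLOGIN_SHELLS:
            a.findings.append(f"system account with interactive shell {a.shell}")
        if shadow is not None:
            pw = shadow.get(a.name)
            if pw is None:
                a.findings.append("no /etc/shadow entry")
            else:
                # "*" or a leading "!" means no password login is possible.
                locked = pw == "*" or pw.startswith("!")
                if pw == "":
                    a.findings.append("empty password field: login without a password")
                elif a.kind == "system" and not locked:
                    a.findings.append("system account with a usable password hash")
        if a.findings:
            report[a.name] = a.findings
    return report

def classify(passwd_text: str, shadow_text: Optional[str] = None) -> Tuple[List[Account], Dict[str, List[str]]]:
    """Parse, classify and audit in one call."""
    accounts = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text) if shadow_text is not None else None
    return accounts, audit(accounts, shadow)

if __name__ == "__main__":
    for name, findings in classify(SAMPLE_PASSWD, SAMPLE_SHADOW)[1].items():
        print(name, "->", "; ".join(findings))
```

On the sample data the script classifies root and toor as superusers, daemon, www-data and backup as system accounts, and alice as a regular account, then reports toor (second UID 0, empty password), backup (interactive shell and usable hash on a service account) and root (shares UID 0 with toor). When run against a real acquisition, point the two parsers at the passwd and shadow files copied from the image rather than the live system, and set UID_MIN from the image's own /etc/login.defs.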