Shadow
Overview
Evidence: Shadow
Description: Collect shadow content
Category: Applications
Platform: linux
Short Name: shadow
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Linux /etc/shadow file holds, for every local account, the password hash (not an encrypted password; it is a one-way crypt(3) hash, or a marker such as "!" or "*" that locks the account) together with the account's password-aging settings: when the password was last changed, the minimum and maximum age, the warning period, the inactivity grace period and the account expiry date. The file is readable only by root, which is why it is kept separate from the world-readable /etc/passwd. This data is essential for understanding the effective password policy, detecting password-based attacks and investigating authentication incidents.
Data Collected
This collector gathers one structured record per account from /etc/shadow. The password hash itself is not listed as a field; the collector records a status derived from the password field.
Shadow Data
Day counts are days since 1970-01-01, as stored in /etc/shadow; the values in the Example column are illustrative.

| Field | Description | Example |
|---|---|---|
| Username | Account name (first field of the record) | alice |
| Expire | Day on which the account is disabled, independent of the password; empty when unset | 20000 |
| Inactive | Days after the password expires during which the user may still log in and change it | 30 |
| LastChange | Day of the last password change; 0 means the user must change the password at next login | 19700 |
| Max | Maximum number of days the password is valid; 99999 effectively disables expiry | 90 |
| Min | Minimum number of days between password changes | 1 |
| PasswordStatus | Status derived from the password field (for example whether a hash is set, the field is empty, or the account is locked) | Example value |
| Warning | Days before expiry on which the user is warned | 14 |
Collection Method
This collector reads /etc/shadow (which requires root privileges, since the file is not readable by other users), splits each line into its colon-separated fields and records one row per account in the shadow table.
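To show what the parse looks like, here is an added Python example (not the collector's own code) that turns shadow records into the fields listed above, derives a coarse password status and the calendar date on which a password expires, and flags a few conditions an investigator would look for. The sample records, the status labels ("empty", "locked", "hashed", "unrecognized") and the finding names are this example's own assumptions; the hash bodies are placeholders, not real hashes.

```python
"""Parse /etc/shadow records and derive password-aging facts from them.

Added example, not the collector's own code. SAMPLE_SHADOW is constructed
for illustration and the hash bodies are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)  # shadow day counts are days since 1970-01-01

# crypt(3) identifiers; assumption: only these prefixes are classified here.
HASH_IDS = {"1": "md5", "2b": "bcrypt", "5": "sha256", "6": "sha512",
            "7": "scrypt", "y": "yescrypt"}

# Constructed sample (not from a real system). bob is locked with passwd -l,
# daemon is a system account with "*", svc has an empty password field.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19700:1:90:14:30:20000:
bob:!$6$saltsalt$placeholderhash:19500:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:::0:99999:7:::
"""


@dataclass
class ShadowEntry:
    username: str
    password_status: str          # empty | locked | hashed | unrecognized
    hash_algorithm: Optional[str]  # from HASH_IDS, None if no hash / unknown id
    last_change: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warning: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def classify_password(field: str) -> Tuple[str, Optional[str]]:
    """Map the second shadow field to (status, algorithm)."""
    if field == "":
        return "empty", None          # no password needed to log in
    if field in ("!", "!!", "*") or field.startswith("*"):
        return "locked", None         # no valid hash at all
    locked = field.startswith("!")    # passwd -l prefixes '!' to the hash
    body = field.lstrip("!")
    algo = None
    if body.startswith("$"):
        algo = HASH_IDS.get(body.split("$")[1])
        status = "hashed"
    else:
        status = "unrecognized"       # e.g. legacy DES or corrupted field
    return ("locked" if locked else status), algo


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    user, pw, last, mn, mx, warn, inact, exp, _reserved = fields
    status, algo = classify_password(pw)
    return ShadowEntry(user, status, algo, _int_or_none(last), _int_or_none(mn),
                       _int_or_none(mx), _int_or_none(warn), _int_or_none(inact),
                       _int_or_none(exp))


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def password_expires_on(e: ShadowEntry) -> Optional[date]:
    """LastChange + Max as a date; None when aging is effectively disabled."""
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return None
    return EPOCH + timedelta(days=e.last_change + e.max_days)


def review(entries: List[ShadowEntry]) -> List[Tuple[str, str]]:
    """Conditions worth a second look; finding names are this example's own."""
    findings = []
    for e in entries:
        if e.password_status == "empty":
            findings.append((e.username, "empty_password"))
        if e.password_status == "hashed" and e.hash_algorithm in ("md5", None):
            findings.append((e.username, "weak_or_unknown_hash"))
        if e.password_status == "hashed" and (e.max_days is None or e.max_days >= 99999):
            findings.append((e.username, "no_expiry"))
        if e.last_change == 0:
            findings.append((e.username, "change_forced_at_next_login"))
    return findings


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for e in entries:
        print(e.username, e.password_status, e.hash_algorithm,
              "expires:", password_expires_on(e))
    print(review(entries))
```

On a live system the same code can be pointed at the real file with `parse_shadow(open("/etc/shadow").read())` when run as root; on a disk image, at the file under the mounted root. Comparing LastChange across accounts is often the quickest way to spot a password that was reset around the time of an incident.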
Forensic Value
This evidence shows which local accounts can authenticate with a password and under what policy. Investigators use it to find accounts with an empty password field or an unlocked hash on what should be a service account, to see which accounts are locked, expired or forced to change their password, and to correlate LastChange with the incident timeline, since a password reset by an attacker or a newly created backdoor account shows up here as a recent change. The aging fields (Min, Max, Warning, Inactive, Expire) document the password policy actually in force, which may differ from the one the organisation believes it has configured.