USERS
The USERS plugin collects information about current and deleted users on the system. If the mac is connected to a windows domain, then domain users who logged on to the system will also be listed. It returns basic account info, creation info, password info, last successful/failed logon and directory related information. Not all information is available in every version of macOS!
If the system has auto-login enabled, then the stored password is decrypted and made available here.
This plugin does not support standalone mode.
$ python mac-apt.py -x -o ~/Case_Output E01 ~/Acquisition.E01 USERS
| Field Name | Notes |
|---|---|
| Username | Username of User |
| Realname | Name of User |
| Homedir | Home directory of the User |
| UID | Unique ID UID for non-users accounts is below 500 UID for created user accounts is above 500 |
| GID | Group ID |
| UUID | Universally Unique Identifier |
| CreationDate | Date user was created |
| DeletedDate | Date user was deleted (if applicable) |
| FailedLoginCount | Count of failed login attempts |
| LastLoginTime | Last time the user logged in |
| PasswordLastSetTime | Last time the password was set |
| PasswordHint | Password hint |
| Password | - |
| DARWIN_USER_DIR | - |
| DARWIN_USER_TEMP_DIR | - |
| DARWIN_USER_CACHE_DIR | - |
Above output is incomplete.