Tiger (10.4) User Account Information

Looking at user accounts on a Macintosh running Mac OS X 10.4 (Tiger) means that you will be looking at the NetInfo database. One of the questions you will likely want to answer during any analysis is: which users have administrator privileges on this Macintosh? The following procedure will assist you in answering that question. Thank you, Dave Melvin, for breaking down all of the steps necessary to get to the relevant data.

The first thing you need to do is copy out the local.nidb file located at:

 /private/var/db/netinfo

Once you have it on an analysis Mac, open up Terminal and navigate to where you have the copy of local.nidb.

Type the following command:

nicl -raw local.nidb

Do an ls and you will then see something like the following:

new-host-3:~/Desktop maclovin$ nicl -raw local.nidb
/ > ls
1          users
2          groups
3          machines
4          networks
5          protocols
6          rpcs
7          services
8          aliases
9          mounts
10         printers
93         afpuser_aliases
/ >

Change directory into groups and select the specific group you want to read. For administrator information, type the following:

read admin

You will then be presented with output similar to the following:

name: admin
gid: 80
passwd: *
users: root maclovin research thinkforensics
generateduid: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
smb_sid: S-1-5-32-544
realname: Administrators

For admin user information you will want to review the following groups:

admin
appserverusr
appserveradm

From the command line you can also output the info you need to a text file by using the following command:

nicl -raw local.nidb -read /groups/admin > admininfo.txt
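
Added example (not part of the original procedure): once each of the three groups has been saved to its own text file with the -read command above, this script merges the saved records into one line per account showing every privileged group it belongs to. The function names, file names and the two appserver sample records are assumptions constructed for illustration; the admin sample mirrors the output shown earlier.

```sh
#!/bin/sh
# Added example: merge saved `nicl -raw local.nidb -read /groups/<name>` output.

# Print "user group" for every member of the group record saved in file $1.
# A record with no "users:" property (an empty group) prints nothing.
group_pairs() {
    awk '$1 == "name:"  { g = $2 }
         $1 == "users:" { for (i = 2; i <= NF; i++) u[++n] = $i }
         END            { for (i = 1; i <= n; i++) print u[i], g }' "$1"
}

# Merge any number of saved records into one line per account:
#   user: group1,group2
admin_report() {
    for f in "$@"; do
        group_pairs "$f"
    done | LC_ALL=C sort -u | awk '
        { if ($1 in seen) seen[$1] = seen[$1] "," $2; else seen[$1] = $2 }
        END { for (u in seen) print u ": " seen[u] }' | LC_ALL=C sort
}

# Constructed sample records written into directory $1 (not real case data).
# appserverusr is deliberately left without a "users:" line.
write_samples() {
    printf '%s\n' 'name: admin' 'gid: 80' 'passwd: *' \
        'users: root maclovin research thinkforensics' > "$1/admin.txt"
    printf '%s\n' 'name: appserveradm' 'passwd: *' \
        'users: maclovin' > "$1/appserveradm.txt"
    printf '%s\n' 'name: appserverusr' 'passwd: *' > "$1/appserverusr.txt"
}

# Run the report over the constructed samples in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    admin_report "$d"/admin.txt "$d"/appserveradm.txt "$d"/appserverusr.txt
    rm -rf "$d"
}

demo
```

On real evidence, replace the sample files with the text files produced by the -read command for admin, appserverusr and appserveradm.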

If you want everything in one shot, use the nidump command to dump the contents of the local.nidb folder. The output is a bit messy and you will have to clean up some of the formatting. The command you would use is the following:

nidump -r / . > /nidump.txt