Update Users and Accounts.md

NextGenSec-Github · web-flow · commit 3d51747fbfb8 · 2024-04-19T04:28:05.000+05:00
diff --git a/DFIR/Digital Forensics/Linux/Users and Accounts.md b/DFIR/Digital Forensics/Linux/Users and Accounts.md
@@ -1,4 +1,4 @@
-# User Accounts (etc/passwd)
+# User Accounts (/etc/passwd)
 The /etc/passwd file is a fundamental system file in Unix-like operating systems, including Linux. It stores essential information about user accounts on the system. Each line in the file represents a user account and is formatted with several fields separated by colons (:). Here's a typical structure of a line in /etc/passwd:
 
 ```bash
@@ -13,3 +13,15 @@ username:password:UID:GID:GECOS:home_directory:login_shell
 | GECOS            | General Electric Comprehensive Operating System (GECOS) field, traditionally used to store additional information about the user, such as the user's full name and other details. |
 | home_directory   | The user's home directory, where they are placed upon login.                                                     |
 | login_shell      | The default shell for the user, which determines the command interpreter environment when the user logs in.     |
+
+# Groups
+The `/etc/group` stores information about groups on the system, including group names and their associated group IDs (GIDs), as well as the list of users who belong to each group. Similar to /etc/passwd, each line in /etc/group represents a group and is formatted with several fields separated by colons (:). Here's the typical structure of a line in /etc/group:
+```bash
+group_name:password:GID:user_list
+```
+| Field        | Description                                                                                                      |
+|--------------|------------------------------------------------------------------------------------------------------------------|
+| group_name   | The name of the group.                                                                                           |
+| password     | Historically, this field used to store the encrypted group password. However, it's rarely used nowadays, and an 'x' character is typically placed here to indicate that the actual password is stored in the /etc/gshadow file. |
+| GID          | The numerical Group ID, a unique identifier for the group.                                                       |
+| user_list    | A comma-separated list of usernames that are members of the group.                                                |
