OS X System Keychain Forensic Analysis
As you know, OS X Keychain system consists of three files: system keychain (/Library/Keychain/System.keychain), user keychain (~/Library/Keychain/login.keychain) and iCloud keychain (~/Library/Keychains/<PlatformUUID>/keychain-db2.db). Today we are going to talk about the first one – system keychain.
The most interesting forensic artifacts from this keychain are Wi-Fi SSIDs and keys – these can help an examiner to determine first connection time and last key modification time on wireless access point. Of course, the data in System.keychain is encrypted, but there are some tools, both commercial and open source, capable of decrypting it. One of them is Chainbreaker developed by n0fate Forensic Lab.
You can use it both on OS X and Windows workstation. Both versions are available here. To decrypt system keychain with Chainbreaker, we’ll need the master key. Where can an examiner get it? The answer is – SystemKey file. You can find it in /private/var/db. The key isn’t encrypted. All you need is copy and paste 24 bytes master key – it’s a 24byte DES key(192 bits):
Figure 1. The master key (highlighted)
Now we’ve got all we need to decrypt system keychain with Chainbreaker. Start the app (we use OS X version), right-click Keychains pane and choose Add New Keychain File. Now System.keychain is added. Go to hex-editor of your choice and copy the master key from the SystemKey. Click Is the master key? and paste the key. Click Analysis to run decryption process:
Figure 2. System keychain decryption process
When the process is finished, you will see the results in Tables pane:
As you can see, we got 48 records about wireless access points the user was connected to, including timestamps, of course.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics