
OS X System Keychain Forensic Analysis

As you know, the OS X Keychain system consists of three files: the system keychain (/Library/Keychains/System.keychain), the user keychain (~/Library/Keychains/login.keychain) and the iCloud keychain (~/Library/Keychains/<PlatformUUID>/keychain-db2.db). Today we are going to talk about the first one: the system keychain.

The most interesting forensic artifacts in this keychain are Wi-Fi SSIDs and keys: they let an examiner determine when the machine first connected to a wireless access point and when that access point's key was last modified. Of course, the data in System.keychain is encrypted, but there are tools, both commercial and open source, that can decrypt it. One of them is Chainbreaker, developed by n0fate Forensic Lab.

You can use it on both OS X and Windows workstations; both versions are available here. To decrypt the system keychain with Chainbreaker, we need the master key. Where can an examiner get it? The answer is the SystemKey file, which you can find in /private/var/db. The key is not encrypted: all you need to do is copy the 24-byte master key (a 24-byte DES key, 192 bits) and paste it into Chainbreaker:

Figure 1. The master key (highlighted)

Now we have everything we need to decrypt the system keychain with Chainbreaker. Start the app (we use the OS X version), right-click the Keychains pane and choose Add New Keychain File to add System.keychain. Open the SystemKey file in the hex editor of your choice and copy the master key. Click Is the master key? and paste the key. Click Analysis to run the decryption process:
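The hex-editor step above can be scripted so the examiner gets the key as a pasteable hex string and, at the same time, records size, modification time and hash of the artifacts named in this article for the case timeline. This is an added example, not code from the article or from Chainbreaker; the key offset inside SystemKey (8) is an assumption, since the article only states that the file holds an unencrypted 24-byte key.

```python
#!/usr/bin/env python3
"""Extract the System.keychain master key from SystemKey and describe the
keychain artifacts for the examiner's timeline (added example)."""
import hashlib
import os
import sys
from datetime import datetime, timezone

# Paths as given in the article.
SYSTEMKEY_PATH = "/private/var/db/SystemKey"
KEYCHAIN_PATHS = [
    "/Library/Keychains/System.keychain",
    os.path.expanduser("~/Library/Keychains/login.keychain"),
]

# Assumption: the 24-byte key starts at offset 8 in SystemKey. Adjust
# KEY_OFFSET if your hex-editor view shows the key elsewhere.
KEY_OFFSET = 8
KEY_LEN = 24


def extract_master_key(data: bytes, offset: int = KEY_OFFSET) -> str:
    """Return the 24-byte master key as hex, ready to paste into Chainbreaker."""
    if len(data) < offset + KEY_LEN:
        raise ValueError(f"SystemKey too short: {len(data)} bytes, "
                         f"need at least {offset + KEY_LEN}")
    return data[offset:offset + KEY_LEN].hex()


def describe_artifact(path: str) -> dict:
    """Size, UTC mtime and SHA-256 of one file, or a marker if it is absent."""
    if not os.path.isfile(path):
        return {"path": path, "present": False}
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "path": path,
        "present": True,
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": digest,
    }


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else SYSTEMKEY_PATH
    for entry in [describe_artifact(p) for p in [src] + KEYCHAIN_PATHS]:
        print(entry)
    with open(src, "rb") as fh:
        print("master key:", extract_master_key(fh.read()))
```

Run it as root (SystemKey is only readable by root) or point it at a copy of SystemKey taken from a forensic image; the hex string it prints is what goes into Chainbreaker's master key field.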

Figure 2. System keychain decryption process

When the process is finished, you will see the results in the Tables pane:


As you can see, we got 48 records about wireless access points the user had connected to, including timestamps, of course.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
