Examining Mac OS X User & System Keychains

Simon Key


To forensic examiners with little or no knowledge of Mac OS X, the concept of a Mac OS X keychain may be an alien one. This article aims to provide an overview of the following with regards to Mac OS X keychains –
  • Purpose
  • Content
  • Location
  • Structure
  • Options for examination
We will be concentrating on two particular types of keychain: the user login keychain and the Mac OS X system keychain.

What Are Mac OS X Keychains?

The Mac OS X Developer web-site has this to say with regards to keychains –

Keychain Services provides secure storage of passwords, keys, certificates, and notes for one or more users. A user can unlock a keychain with a single password, and any Keychain Services–aware application can then use that keychain to store and retrieve passwords.

From a layman’s perspective, a keychain is simply a type of file designed for the storage of security-sensitive data.

Apple designed keychains with the intent that they would act as a central repository for such data and, as a result, created an application programming interface (API) allowing developers to leverage the functionality provided by Keychain Services.

So, to put it another way, Apple encourages application developers to store security-sensitive information in a user’s keychain rather than creating their own mechanism for this purpose. This allows for a consistent approach, one that stores sensitive data in a central location that will benefit the user in a number of ways including the backing-up of such data and the transferal of it to other Apple devices.

One thing worth noting before we go any further is that the use of keychains isn’t restricted to users. As already mentioned above, the Mac OS X system has its own keychain, which may contain additional information of value to the forensic examiner. We will examine an example of this type of keychain later in this article.

What Information Am I Likely To Find of Interest Within a Keychain?

The following is a list of items commonly stored in keychains that are likely to be of interest to the forensic examiner –
  • Web-site passwords stored by Safari.
  • Network passwords.
  • The password used to store encrypted form values entered via Safari (this is subject of a separate article by my colleague, James Habben).
  • Application passwords.
  • Wi-Fi passwords.
  • Encrypted disk image passwords/encryption-keys.
  • Secure notes.
  • Encryption keys / certificates.
The importance of being able to access such information needs little elaboration but, that said, examination of keychain data may also be useful to identify passwords that may have been re-used for other purposes; also passwords that share a common theme, such as names of pets, family members or members of a favorite football team. Use of such passwords is a common weakness, one that can sometimes be exploited to good effect by the examiner.

What is a Password in the Context of a Mac OS X Keychain?

It’s important to be clear on exactly what is meant by a password/passphrase when dealing with Mac OS X keychains.

Typing the term ‘define:password’ into Google results in the following explanations –
  • A secret word or phrase that must be used to gain admission to something.
  • A string of characters that allows access to a computer, interface, or system.
When it comes to viewing the contents of a keychain, we will most likely see many passwords/passphrases matching the first of these two definitions, i.e. plain-text.

That said, from a programmatic point of view, a password contained in a keychain is an encrypted array of bytes. It may be intended for these bytes to be interpreted as text but that’s not guaranteed to be the case.

This can make life a little tricky when reading application passwords because only the developer that put them there can say with any authority exactly how they’re meant to be used/interpreted.

This sounds worse than it actually is - most of the time it’s pretty obvious if a password is meant to be viewed as plain-text.

This notwithstanding, the examiner should have an awareness as to what’s going on in the background particularly as plain-text passwords are usually encoded as UTF-8, the current implementation of which can use up-to 4-bytes to encode non-ASCII characters.

Locating and Viewing a User’s Keychain

The user of a Mac OS X system will be allocated a login keychain when their account is created. The location of this keychain will be as follows –


In this case the tilde (~) character represents the user’s home folder, which will normally be located in the following path –


The following screenshot shows the login keychain for a user called dale as contained within the installation of a Mac OS X 10.9 Mavericks Developer Preview (2) operating system –

Figure 1 - Viewing the login keychain for the Mac OS X Mavericks user dale

As we can see, a keychain file has a kych file-signature. Quite a lot of plain-text content is visible because it’s only password and key-data that is encrypted. We can, for instance, see a reference to a (fictitious) eBay account for dbcooper -

Figure 2 - Viewing a reference to an eBay account in the login keychain for the Mac OS X Mavericks user dale

So what are the options for viewing the contents of a user’s login keychain such as this one?

Well, first-off it’s important to understand that keychains are quite secure: they use triple-DES encryption and there are no backdoors. Products such as Passware can perform a brute-force attack of a user’s login keychain but it’s a slow process – we’re much better-off if we have access to the keychain password, which is set to the user’s login password by default. Note that the user is not obliged to keep the status quo – he/she can use the Mac OS X Keychain Access program to set a different password for their keychain.

In our case, viewing the /Library/Preferences/com.apple.loginwindow.plist file using the Plist Viewer EnScript plugin for EnCase V7 (freely available from EnCase App Central) reveals that the user dale is set to automatically log-in to the operating system -

Figure 3 - Viewing the com.apple.loginwindow.plist file

For the purposes of our example we’re reading the auto-login information directly to show where it’s located. In normal circumstances it would be read for us by the EnCase V7 Mac OS X Evidence Processor module.

We can now use the fact that the password for a user who is set to automatically log-in is stored in the following file –


The password is protected by a simple XOR encryption and is easy to decrypt using a small EnScript called the Mac OS X AutoLogin Password Decoder. This will be available via EnCase App Central shortly; if you have a Guidance Software Support Portal account then you can download it from here.

Figure 4 – Parsing the /private/etc/kcpassword file

The Mac OS X AutoLogin Password Decoder EnScript parses every kcpassword file in the current case that has the aforementioned path.

It doesn’t take long for the script to decode the auto-login password for the user dale

Figure 5 – Viewing the recovered auto-login password for the user dale

As we can see from the above screenshot, the auto-login password for the user dale is TheBlackLodge. So assuming that this is the login keychain password for dale, we now need to choose the best way to view the contents of the keychain itself.

Unfortunately, at the time of writing this, we can’t read keychains using EnCase.

Thankfully, however, there are many other options available to us.

One option is to extract the login keychain file to another Mac, double-click on it to load the file into the Keychain Access program and then enter the user-password when needed.

Another option is to use a command-line utility in Mac OS X called security. The command security dump-keychain can be used with some additional parameters to dump the contents of a keychain to the terminal window or a file.

The main downside to these two options is that they require another Mac so what else can we use?

We’ve already mentioned one option, which is Passware. This is an excellent product but it’s not free: if you don’t already have it you will have to pay for it.

The option that we’re going to take is to use an application called dumpkeychain, which is freely available from EnCase App Central. Please note that the version shown in this article (V3.1) is slightly newer than that currently available on the EnCase App Central store but the new version will be made available shortly; it is also available here if you have a Guidance Software Support Portal account.

The dumpkeychain application works at the Windows command-line. It performs much the same as many other options that we could use but it has a particular strength, which we shall see shortly.

Running the program from the command-line without any parameters will generate some help.

Figure 5 – Viewing the help for dumpkeychain

The command-line that we need to use for a user’s login keychain is as follows –

dumpkeychain -u <user_keychain> <password> <output_file>

Before we can do this we need to extract the keychain for dale into our current case’s export folder -

We can now execute the following command-line –

dumpkeychain -u login.keychain TheBlackLodge data.txt

It’s important to note that the parameters for this command must be in the order shown here. Any parameter containing spaces, or an empty password, must be enclosed in double-quotes.

When we run this command it dumps 12 records –

Figure 5 – Decrypting the contents of a user’s login keychain using dumpkeychain

When we open the resultant file in a text editor we see some passwords represented as hex because they contain at least one non-ASCII character. That said, we see a number of other passwords that are clearly in plain-text format –

Figure 5 – Decrypting the contents of a user’s login keychain using dumpkeychain
One entry of particular note is that named ‘Shopping’. This is one example of a secure note, which is essentially an RTFD document. RTFD is a file-format capable of storing inline pictures.

In this case the text of the note is, as the name suggests, a shopping list –
  • Coffee
  • Cherry pie
  • New voice memo recorder
So having demonstrated dumpkeychain with a user’s login keychain, let’s look at its real strength – decrypting system keychains.

Locating and Viewing the System Keychain for Mac OS X

The Mac OS X system keychain is stored in the following location –


Figure 5 – Viewing the location of the system keychain

The system keychain stores credentials that can be used by any user of the system albeit on an indirect basis only – a standard user cannot view the credentials directly.

The most obvious example of credentials stored in the system keychain is Wi-Fi passwords.

Utilities to view the system keychain are more difficult to come across than user keychains because of one key difference – the system keychain is not protected by a password, it is protected by the following file to which there is restricted access –


Figure 5 – Viewing the location of the the SystemKey file

The dumpkeychain utility is able to use the SystemKey file to decrypt the contents of the system keychain.

In order to do that we need to extract the System.keychain and SystemKey files into our current case’s export folder; we can then run the following command -

dumpkeychain -s System.keychain SystemKey system_data.txt
When we do that the dumpkeychain utility extracts five records -

Figure 5 – Decrypting the system keychain

We view the output file in a text viewer as before –

Figure 5 – Viewing the credentials from the decrypted system keychain

As we can, see four Wi-Fi passwords and the Mac OS X guest account password have been recovered successfully.

Please note that, for illustrative purposes, the Wi-Fi passwords were added manually. This explains why some of the timestamps are in close proximity to one another.


Mac OS X user login keychains provide a secure storage mechanism for sensitive data but examining the contents of a user’s keychain is quite straightforward if the password is available.

The Mac OS X system keychain provides a secure mechanism for the indirect sharing of credentials amongst all users of the system. Dumping this information is relatively easy provided that the associated SystemKey file is available.

Both keychains are likely to contain information of value to a forensic investigator and consideration should be given to extracting their contents as a matter of course.

Simon Key
Course Developer / Instructor III
Guidance Software Inc.
28th June, 2013

E-Mail: simon.key@encase.com
Twitter: @SimonDCKey

No comments :

Post a Comment