IntroductionTo forensic examiners with little or no knowledge of Mac OS X, the concept of a Mac OS X keychain may be an alien one. This article aims to provide an overview of the following with regards to Mac OS X keychains –
- Options for examination
What Are Mac OS X Keychains?The Mac OS X Developer web-site has this to say with regards to keychains –
Keychain Services provides secure storage of passwords, keys, certificates, and notes for one or more users. A user can unlock a keychain with a single password, and any Keychain Services–aware application can then use that keychain to store and retrieve passwords.
From a layman’s perspective, a keychain is simply a type of file designed for the storage of security-sensitive data.
Apple designed keychains with the intent that they would act as a central repository for such data and, as a result, created an application programming interface (API) allowing developers to leverage the functionality provided by Keychain Services.
So, to put it another way, Apple encourages application developers to store security-sensitive information in a user’s keychain rather than creating their own mechanism for this purpose. This allows for a consistent approach, one that stores sensitive data in a central location that will benefit the user in a number of ways including the backing-up of such data and the transferal of it to other Apple devices.
One thing worth noting before we go any further is that the use of keychains isn’t restricted to users. As already mentioned above, the Mac OS X system has its own keychain, which may contain additional information of value to the forensic examiner. We will examine an example of this type of keychain later in this article.
What Information Am I Likely To Find of Interest Within a Keychain?The following is a list of items commonly stored in keychains that are likely to be of interest to the forensic examiner –
- Web-site passwords stored by Safari.
- Network passwords.
- The password used to store encrypted form values entered via Safari (this is subject of a separate article by my colleague, James Habben).
- Application passwords.
- Wi-Fi passwords.
- Encrypted disk image passwords/encryption-keys.
- Secure notes.
- Encryption keys / certificates.
What is a Password in the Context of a Mac OS X Keychain?It’s important to be clear on exactly what is meant by a password/passphrase when dealing with Mac OS X keychains.
Typing the term ‘define:password’ into Google results in the following explanations –
- A secret word or phrase that must be used to gain admission to something.
- A string of characters that allows access to a computer, interface, or system.
That said, from a programmatic point of view, a password contained in a keychain is an encrypted array of bytes. It may be intended for these bytes to be interpreted as text but that’s not guaranteed to be the case.
This can make life a little tricky when reading application passwords because only the developer that put them there can say with any authority exactly how they’re meant to be used/interpreted.
This sounds worse than it actually is - most of the time it’s pretty obvious if a password is meant to be viewed as plain-text.
This notwithstanding, the examiner should have an awareness as to what’s going on in the background particularly as plain-text passwords are usually encoded as UTF-8, the current implementation of which can use up-to 4-bytes to encode non-ASCII characters.
Locating and Viewing a User’s KeychainThe user of a Mac OS X system will be allocated a login keychain when their account is created. The location of this keychain will be as follows –
In this case the tilde (~) character represents the user’s home folder, which will normally be located in the following path –
The following screenshot shows the login keychain for a user called dale as contained within the installation of a Mac OS X 10.9 Mavericks Developer Preview (2) operating system –
As we can see, a keychain file has a kych file-signature. Quite a lot of plain-text content is visible because it’s only password and key-data that is encrypted. We can, for instance, see a reference to a (fictitious) eBay account for dbcooper -
So what are the options for viewing the contents of a user’s login keychain such as this one?
Well, first-off it’s important to understand that keychains are quite secure: they use triple-DES encryption and there are no backdoors. Products such as Passware can perform a brute-force attack of a user’s login keychain but it’s a slow process – we’re much better-off if we have access to the keychain password, which is set to the user’s login password by default. Note that the user is not obliged to keep the status quo – he/she can use the Mac OS X Keychain Access program to set a different password for their keychain.
In our case, viewing the /Library/Preferences/com.apple.loginwindow.plist file using the Plist Viewer EnScript plugin for EnCase V7 (freely available from EnCase App Central) reveals that the user dale is set to automatically log-in to the operating system -
For the purposes of our example we’re reading the auto-login information directly to show where it’s located. In normal circumstances it would be read for us by the EnCase V7 Mac OS X Evidence Processor module.
We can now use the fact that the password for a user who is set to automatically log-in is stored in the following file –
The password is protected by a simple XOR encryption and is easy to decrypt using a small EnScript called the Mac OS X AutoLogin Password Decoder. This will be available via EnCase App Central shortly; if you have a Guidance Software Support Portal account then you can download it from here.
The Mac OS X AutoLogin Password Decoder EnScript parses every kcpassword file in the current case that has the aforementioned path.
It doesn’t take long for the script to decode the auto-login password for the user dale –
As we can see from the above screenshot, the auto-login password for the user dale is TheBlackLodge. So assuming that this is the login keychain password for dale, we now need to choose the best way to view the contents of the keychain itself.
Unfortunately, at the time of writing this, we can’t read keychains using EnCase.
Thankfully, however, there are many other options available to us.
One option is to extract the login keychain file to another Mac, double-click on it to load the file into the Keychain Access program and then enter the user-password when needed.
Another option is to use a command-line utility in Mac OS X called security. The command security dump-keychain can be used with some additional parameters to dump the contents of a keychain to the terminal window or a file.
The main downside to these two options is that they require another Mac so what else can we use?
We’ve already mentioned one option, which is Passware. This is an excellent product but it’s not free: if you don’t already have it you will have to pay for it.
The option that we’re going to take is to use an application called dumpkeychain, which is freely available from EnCase App Central. Please note that the version shown in this article (V3.1) is slightly newer than that currently available on the EnCase App Central store but the new version will be made available shortly; it is also available here if you have a Guidance Software Support Portal account.
The dumpkeychain application works at the Windows command-line. It performs much the same as many other options that we could use but it has a particular strength, which we shall see shortly.
Running the program from the command-line without any parameters will generate some help.
The command-line that we need to use for a user’s login keychain is as follows –
dumpkeychain -u <user_keychain> <password> <output_file>
Before we can do this we need to extract the keychain for dale into our current case’s export folder -
We can now execute the following command-line –
dumpkeychain -u login.keychain TheBlackLodge data.txt
It’s important to note that the parameters for this command must be in the order shown here. Any parameter containing spaces, or an empty password, must be enclosed in double-quotes.
When we run this command it dumps 12 records –
When we open the resultant file in a text editor we see some passwords represented as hex because they contain at least one non-ASCII character. That said, we see a number of other passwords that are clearly in plain-text format –
In this case the text of the note is, as the name suggests, a shopping list –
- Cherry pie
- New voice memo recorder
Locating and Viewing the System Keychain for Mac OS X
The Mac OS X system keychain is stored in the following location –
The system keychain stores credentials that can be used by any user of the system albeit on an indirect basis only – a standard user cannot view the credentials directly.
The most obvious example of credentials stored in the system keychain is Wi-Fi passwords.
Utilities to view the system keychain are more difficult to come across than user keychains because of one key difference – the system keychain is not protected by a password, it is protected by the following file to which there is restricted access –
The dumpkeychain utility is able to use the SystemKey file to decrypt the contents of the system keychain.
In order to do that we need to extract the System.keychain and SystemKey files into our current case’s export folder; we can then run the following command -
dumpkeychain -s System.keychain SystemKey system_data.txtWhen we do that the dumpkeychain utility extracts five records -
We view the output file in a text viewer as before –
As we can, see four Wi-Fi passwords and the Mac OS X guest account password have been recovered successfully.
Please note that, for illustrative purposes, the Wi-Fi passwords were added manually. This explains why some of the timestamps are in close proximity to one another.
Mac OS X user login keychains provide a secure storage mechanism for sensitive data but examining the contents of a user’s keychain is quite straightforward if the password is available.
The Mac OS X system keychain provides a secure mechanism for the indirect sharing of credentials amongst all users of the system. Dumping this information is relatively easy provided that the associated SystemKey file is available.
Both keychains are likely to contain information of value to a forensic investigator and consideration should be given to extracting their contents as a matter of course.
Course Developer / Instructor III
Guidance Software Inc.
28th June, 2013