EnCase 7.09.04: Extracting Passwords from OS X Keychains

Ken Mizota

EnCase 7.09.04 is now available and contains several enhancements to make your investigations more efficient and comprehensive. Today’s digital investigators face a constant struggle to maintain comprehensive investigative skill sets, while continuously improving efficiency in the face of overwhelming growth of evidence and diversity of malfeasance. EnCase 7.09.04 makes reporting more efficient with the Flexible Reporting Template and reduces investigator effort by enabling decryption of McAfee Endpoint Encryption devices with the 64-bit EnCase Examiner. EnCase 7.09.04 expands on the strongest Windows-based investigation capabilities of OS X machines, adding the ability to decrypt and extract passwords from OS X keychains.

To gain access to this release register your dongle and you’ll receive a MyAccount email with download links.

In this article, I'll walk through the information that can be extracted from keychains and also provide sample EnScript-based techniques to expose this data in EnCase.

A little less than a year ago, Simon Key of the Guidance Software Training division published an informative blog post on decrypting OS X keychains. This post became quite popular as thousands of investigators absorbed the technique. Subsequently, the dumpkeychain app on EnCase App Central, which is used to parse and extract data from keychain files, became one of the most downloaded apps. If you haven't reviewed Simon's post in its entirety, I'll give you the abridged version:

When a user logs into an OS X machine, their credentials are stored in a secure manner and are protected by OS X. Whenever a website is logged into, or a wi-fi access point is connected to, or when an email server is logged into from a mail client, OS X commonly offers to store passwords for later use. These passwords are stored in keychain files, on a user-by-user basis or system-wide for the entire machine. Naturally, keychain files are protected with multiple levels of security, and are not easy to bring into light. They aren't easily accessible from OS X as a user, but they are accessible to EnCase. If an investigator has obtained the user's OS login credentials, it is a mechanical, repeatable process to access all of the stored passwords within a keychain.

Of course, there are standalone tools available that perform this task admirably. Notably, Passware Forensic has the ability to decrypt with proper credentials and also attack OS X keychain files if you do not have credentials. Passware has a really superb product, and Guidance strongly recommends it to all investigators. But, not all investigators have access to Passware licenses, and if you count yourself in that crowd: this post is for you.

As of 7.09.04, EnCase includes the ability to extract passwords from OS X user and system keychain files.

We can distill the process into a few steps:
  1. Parse and decrypt user/system keychains
  2. Extract and store secrets
  3. Use secrets to find more evidence, combat evil, fight for good, etc.
This screenshot depicts my user keychain on my MacBook Pro in a live preview in EnCase:



As of 7.09.04, EnCase does not provide a UI-driven interface to decrypt and parse this keychain, but we do have access through the EnScript API.

Learning EnScript is really beyond the scope of this post, but if you’re interested to learn more, Guidance Software Training offers the definitive course on EnScript programming, or if you’re a seasoned Dev, you can always sign up for the EnCase App Central Developer Network to get access to a no-cost EnCase Forensic SDK, code samples, developer documentation and more.

Here’s the important bits of EnScript code. The entire contents may be downloaded here.



Let’s start with Line 42: First, we want to iterate through all the items in our case. This is the most direct way to expose file system entries for inspection.

Once we’re in the for-loop, for the purposes of this sample, we want to identify a specific keychain file to parse. I happen to know the location of my user keychain from the TruePath identified in the first screenshot, so I’ve populated a variable “keychainTruePath” with this information.



On line 44, we instantiate a CredentialClass to facilitate storage of the secrets extracted from the keychain.

On line 45 to 46, we instantiate an EntryFileClass and populate it with the contents of the keychain file.

On line 47, we call a new method, “DumpMacKeyChain”, which accepts the EntryFileClass we just created, and a password parameter, a previously populated string variable.

The DumpMacKeyChain method decrypts the keychain and parses the secrets contained within, but they’re not yet accessible to a user for investigation. At this point, you could start printing out passwords to the Console, but we can do better than that.



Finally, on line 48, we make a call to a method AddToSecureStorage, which is defined in our sample script. AddToSecureStorage will create credential within the Secure Storage tab within your case, making it easy to review the extracted secrets. When populated, Secure Storage looks like this:



As you can see, there is a frightening amount of information stored in my keychain. It’s no joke: there are more passwords stored in a keychain than you know; that’s why you asked the keychain to remember them!. For example:
  • Lines 41 and 42 above represent a cached password to an internal Guidance Software server.
  • Lines 45 and 46 represent passwords stored by Safari (e.g. saved passwords to websites).
  • Lines 39 and 40 represent credentials to decrypt an encrypted DMG file “MyEncryptedStash.dmg”.




When we view the “Text” tab we see the decrypted secret in plain view. This is the password of the encrypted DMG. We can easily take this password, and decrypt and mount the DMG within our case. We locate the DMG, and perform a View File Structure on the entry:



Next, enter the password from Secure Storage.



This screenshot depicts the encrypted DMG, decrypted and mounted in EnCase, the data visible and brought into light.



While the decryption and extraction capability described in this post exists through the EnScript API today, we know that simpler access to this technology is even more efficient. Later this summer, we’re planning to make it even easier to use this powerful technology by:
  • Parse keychain files through the EnCase user interface, automatically populating Secure Storage with extracted secrets
  • Automatically decrypt files like DMGs, bundles and sparsebundles when passwords are located within Secure Storage
I hope this gives you some insight into one way we are working to enable EnCase to find more evidence, and make your investigations more efficient.

Please feel free to share feedback, questions, comments or concerns with me. I can be reached via email ken.mizota (at) guidancesoftware (dot) com or on Twitter @kenm_encase.

No comments :

Post a Comment