As you know, the OS X Keychain system consists of three files: the system keychain (/Library/Keychain/System.keychain), the user keychain (~/Library/Keychain/login.keychain) and the iCloud keychain (~/Library/Keychains/<PlatformUUID>/keychain-db2.db). Today we are going to talk about the first one: the system keychain.
The most interesting forensic artifacts in this keychain are Wi-Fi SSIDs and keys: they let an examiner determine the first connection time and the last key modification time for a wireless access point. Of course, the data in System.keychain is encrypted, but there are tools, both commercial and open source, capable of decrypting it. One of them is Chainbreaker, developed by n0fate Forensic Lab.
You can use it on both OS X and Windows workstations. Both versions are available here. To decrypt the system keychain with Chainbreaker, we'll need the master key. Where can an examiner get it? The answer is the SystemKey file, which you can find in /private/var/db. The key isn't encrypted: all you need to do is copy and paste the 24-byte master key (a 24-byte DES key, 192 bits):
Figure 1. The master key (highlighted)
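Copying the key out of a hex editor by hand is error-prone, so here is a small helper to do the same extraction from a SystemKey file taken from an image. This is an added example, not Chainbreaker's code or the article's; it assumes the 24-byte key sits at byte offset 8 of the file (an assumption, not something the article states), and the 48-byte blob it operates on is constructed, not a real key. It also runs the sanity checks an examiner wants before pasting the key into Chainbreaker: that the region is not all zeros (a sign of a wrong offset or a blank image) and how many distinct 8-byte DES subkeys the 192-bit key contains.

```python
"""Extract the 24-byte master key from a SystemKey-style blob for use with Chainbreaker.

Added example, not Chainbreaker's or the article's code. Assumptions: the key
sits at byte offset 8 and is 24 bytes long (on a live system the file is
/private/var/db/SystemKey and is readable only by root); the sample blob below
is constructed and is not a real key.
"""
import binascii

KEY_OFFSET = 8   # assumed position of the key inside the file
KEY_LEN = 24     # 24 bytes = 192-bit DES key, as the article states

# Constructed 48-byte stand-in for /private/var/db/SystemKey: an 8-byte header,
# the 24-byte key, then 16 bytes of trailing data. Not a real key.
SAMPLE_SYSTEMKEY = (
    b"\x00\x00\x00\x00\x00\x00\x00\x18"
    + bytes(range(0x10, 0x10 + 24))
    + b"\xff" * 16
)


def extract_master_key(blob: bytes, offset: int = KEY_OFFSET, length: int = KEY_LEN) -> bytes:
    """Return the raw key bytes; raise if the blob is too short to hold them."""
    if len(blob) < offset + length:
        raise ValueError(f"blob is {len(blob)} bytes, need at least {offset + length}")
    return blob[offset:offset + length]


def key_to_hex(key: bytes) -> str:
    """Hex string of the key, the form you paste into Chainbreaker's key field."""
    return binascii.hexlify(key).decode("ascii")


def describe_key(key: bytes) -> dict:
    """Sanity checks to run before trusting an extracted key.

    all_zero:         a zeroed region usually means a wrong offset or a blank image
    distinct_subkeys: number of distinct 8-byte DES subkeys (3 expected for a
                      192-bit key; fewer means the key degenerates to two-key
                      3DES or plain DES)
    odd_parity:       DES keys conventionally carry odd parity in each byte;
                      informational only, since many implementations ignore it
    """
    subkeys = [key[i:i + 8] for i in range(0, len(key), 8)]
    return {
        "length": len(key),
        "all_zero": not any(key),
        "distinct_subkeys": len(set(subkeys)),
        "odd_parity": all(bin(b).count("1") % 2 == 1 for b in key),
    }


def read_systemkey_file(path: str) -> bytes:
    """Read a SystemKey file copied out of a forensic image."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Replace SAMPLE_SYSTEMKEY with read_systemkey_file("/path/to/SystemKey")
    # when working from a real image.
    key = extract_master_key(SAMPLE_SYSTEMKEY)
    print("master key (hex):", key_to_hex(key))
    print("checks:", describe_key(key))
```

Because SystemKey stores the master key in the clear, anyone who can read the file (root on the live system, or anyone holding an unencrypted disk image) can decrypt System.keychain; full-disk encryption of the image source is what stands between an attacker and these Wi-Fi credentials, which is exactly why an examiner with a properly acquired image can recover them.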
Now we've got all we need to decrypt the system keychain with Chainbreaker. Start the app (we use the OS X version), right-click the Keychains pane and choose Add New Keychain File. System.keychain is now added. Open the hex editor of your choice and copy the master key from SystemKey. Click Is the master key? and paste the key. Click Analysis to run the decryption process:
Figure 2. System keychain decryption process
When the process is finished, you will see the results in the Tables pane:
As you can see, we got 48 records about wireless access points the user connected to, including timestamps, of course.
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Oleg Skulkin
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics