Join Us!

restore original lo...
 
Notifications
Clear all

restore original logon password on Apple Mac  

  RSS
InThought
(@inthought)
New Member

Being a novice there's little to explain, other than in working with my late uncle's computer, which I was asked to assist by the executor of the estate, I reset the logon password and immediately realized it has caused a problem with Keychain. It is important to read the keychain information which puts attention to finding the original logon information.

Other than resetting the logon password, I chose to not change or delete the keychain information. so the mac immediately asks for the keychain password as soon as I log in.

How can I restore roll the original password? I reached out to a forensics team and was quoted $1,500 and a month's wait for the results, over $4000 for a 15-day wait in results. I've looked at several packages which are not cheap including The Sleuth autopsy. BlackLight, and helix3. My windows background doesn't do me well in arena.

Thank you in advance

Quote
Posted : 24/10/2019 3:35 pm
jaclaz
(@jaclaz)
Community Legend

I am not sure to understand the problem ?

https://support.apple.com/en-us/HT201609

Do you actually know now the old password?

Or you cannot create a new keychain?

jaclaz

ReplyQuote
Posted : 24/10/2019 4:24 pm
dandaman_24
(@dandaman_24)
Active Member

I too don't fully understand your post.

But I'll have a go at semi answering it.

If you have changed the user login password, login, open internet browser that the person used, and navigate to settings - passwords or there about. Web browser passwords possibly stored there.

From these passwords you may be able to use them to input to the keychain password box.

ReplyQuote
Posted : 24/10/2019 8:05 pm
InThought
(@inthought)
New Member

Thank for the replies. To clarify, My late uncle didn't leave instructions or password information for his Mac Pro. In order to logon to the computer, I reset the logon password. A second message pops up asking 'what to do about key chain password' leave it as is, create a new one, etc. I do not want to create a new key chain or affect the original key chain because of the value it stores from my late Uncle's internet activity, etc. This is important to recovering what can be recovered for the estate.

A second issue is key chain is relentless in requesting the password. Keychain is managing several difference applications including Safari and mail, running on the Mac. It will not allow the apps to process my request (ie go to internet) until key chain receives the password. Keychain is also not allowing me to go into the web browser password, though that is a good idea.

Is there a software that will read secure areas of a Mac and/or decrypt the encryption used without paying a fortune to purchase it?

ReplyQuote
Posted : 24/10/2019 11:05 pm
hommy0
(@hommy0)
Member

So what your asking is, can the login keychain be broken by (basically) free software… Apple hold the login keychain in high esteem with good security, albeit it can be open by another Mac if you know the login password… other forensic type software can open it, but a license fee is likely to be payable!!

As I understand it part of the encryption mechanism of the login keychain is the user login password. There are different protection mechanisms for the system and iCloud Keychain.

Did you reset the actual user password or create a new user account?

How did you change the login password?

Normally (albeit it can be different) if you change the user password that would be propagated and adjust the login keychain password…

Also what is your goal here re keychain?

Also why is not being able to use the internet an issue? Maybe install Chrome…

What is the aim of your question/access to the Mac and keychain, I am as I’m sure others are, confused?

ReplyQuote
Posted : 24/10/2019 11:32 pm
InThought
(@inthought)
New Member

Needless to say, this is not my strong suit! There are bills my uncle paid hopefully over the internet, bank accounts left untouched with his passing, information regarding the home which has been in the family before my grandmother passed it on to my uncle in the '60s. Some of my young puberty years bring back fond memories of this house.

Key chain holds the key to most of our concern. Where my uncle did business, the passwords, etc.

Saying "free …" oversimplifies my original statement. Money is available for services rendered, whether in the form of software purchased or through a forensic specialist. If a few dollars can be saved… all the better! I would do the breaking of Key chain myself, if I knew what software to invest in and some steps to applying it to this particular situation. I've studied for my CISSP, received my CISM, and wasn't really happy with the environment. Too stressful! Now retired, this may be my intro to forensics and a second income with certifications completed.

It shouldn't take a rocket scientist to run the right software for the right job. Knowing what that "right" software is is part of my request. If someone has a better idea, I am open to suggestions!

ReplyQuote
Posted : 25/10/2019 12:02 am
jaclaz
(@jaclaz)
Community Legend

OK, so basically you want to find what the original password for the old keychain was, i.e. something like this thingy here
https://github.com/macmade/KeychainCracker

but - even if it works on the specific MacOS you have - if you have not any hint about what the password was, it will likely take forever.

Elcomsoft does have a Commercial bruteforce software that among other things also can do keychain passwords

https://www.elcomsoft.com/edpr.html

though, even you have or can have the specific hardware (NVIDIA GPU's) to make it faster it will also probably be painfully slow.

Also - more or less - the results of these tools tend to be greatly influenced by their settings, so the risk is that you go for certain "wrong" (due to either lack of familiarity with the tool or wrong assumptions) settings, the thingy chums away for several days/weeks and ends with an error or without a result

In any case your first, needed next step is to make a forensic sound image of the Mac "as is".

About the quotes you got, they don't seem at first sight outrageous, the point is more about whether the recovery is "guaranteed" or if you pay 1500 or 4000 bucks and after a few weeks the "forensic team" can come up with a "sorry, it was not possible to retrieve the password, at least we tried", possibly also giving back to you a fiddled with Mac (hence the need for a forensic sound image and only giving away copies of that).

jaclaz

ReplyQuote
Posted : 25/10/2019 10:07 am
InThought
(@inthought)
New Member

You've touched on a couple of my concerns… is my money going to work for me or am I throwing it out the door? Maximizing my chance of success is key! I appreciate the suggestions.

I used Carbon Copy Cloner to image the drive to an external. I'll do some research on the two products and give cudos if and/or when the task is accomplished.

Thanks again!

ReplyQuote
Posted : 25/10/2019 1:48 pm
randomaccess
(@randomaccess)
Active Member

General process would be to generate a word list based on strings from the computer. (index it in a forensic tool and then extract that to a file)

Review emails for passwords sent by websites. There might be a theme

Review password storage locations in browsers, you may get lucky but they're probably in the keychain. So square 1

Elcomsoft and passware both have tools but you're left to brute forcing (hopefully based on your strings output) and then if comes down to luck. There's no guarantees way that I know of to bypass the encryption apple uses on their keychain. Dictionary and brute force is pretty much it.

ReplyQuote
Posted : 26/10/2019 9:06 am
InThought
(@inthought)
New Member

Thanks, I'm leaning towards Elcomsof and have years of data to pull together a list

ReplyQuote
Posted : 26/10/2019 4:19 pm
Share: