UNDERSTANDING MAC .KEYCHAIN FILE
I have a difficult task of unlocking a .keychain file.
I think this would be of great value to our forensic community!
Let's work on a result, hm?
I've worked with ROOT access to acquire user hash, however the .keychain file uses some kind of shadow file, or other, in which the hash can be extracted.
I have used Crowbar on .keychain, but the dictionary will take… hm.. years.
Our question concerning the Mac .keychain file is this:
How on earth do you locate its shadow file/hash, or extract the HASH from the .keychain file itself? IF we can understand how to do this, then applying JTR or rainbow tables to that hash (if unsalted) will be a saviour of our time.
I am a new member to this site, and hope that this is a beginning to many discoveries for FA. Any information would be very much appreciated!
Thanks
I think I understand your question, sorry if not - The .keychain files cannot be cracked using the normal password cracking programs. There is a method to view their contents though.
You will need to first crack the specific user's login password from the private/var/db/shadow/hash directory. The hash file is named after the specific user account's GUID number. Drop this in PRTK or similar program to crack. Once you have that, the only way (as far as I know) to access the user's .keychain file is by exporting the .keychain file and opening it using the keychain utility in the native OS X environment. It will prompt you for their keychain password, which will be the user's login password cracked earlier. You can also open the system.keychain file using this same utility.
Hope this helps.
Thanks vootz for your attempt to answer. I am surprised, however, that this forensic community cannot contribute more information on this. It is, needless to say, an important feature in password encryption.
Let me clarify, what you suggested is to uncloak the hash for a given USER LOGIN, assuming that password would be the same as their Keychain. This is not the case here - the password is different.
All keychains are stored under the USER/library/keychains list. There is a program, actually, which utilizes wordlists to attack the login entry. This is called CrowbarKC. Useful utility if the password is a more common one. However, you can spend literally years trying this against a 6+ character password. So I'm suggesting extracting the SHA-1 HASH from the .keychain file itself and applying either JTR or rainbow tables (if unsalted).
In any case, thanks vootz for your input!
RIDDLE REMAINS UNSOLVED.
OSX System keychain forensic analysis
http//
There are 2 keychains on OS X: a system-wide keychain and a per-user keychain.
As vootz says, the Mac OS X user keychain is encrypted using a key that is derived from the user account credentials.
The best bet is to figure out the password for the user account for which you want to inspect the keychain.
Once you have that, there are a bunch of tools, both commercial and free, that can be used to explore the keychain.
Here is one, for example:
https://
The other one is Elcomsoft Password Digger.
Also, a good reference is here:
http//
I've tried to use Passware to crack a password before (unsuccessfully because the password was very long, but thankfully saved elsewhere).
I've found that there is the possibility of creating multiple keychains, but the "login.keychain" for the user is the one to try to get into, and that's locked with the user's login password, which hopefully they give you if you ask nicely. If they don't, then cracking is the option.
Once given the password, Passware was able to confirm that the password was correct.
I then used the Keychain Manager on OS X to view the passwords.
You can also use the security app through the OS X command line.
I wrote a small Perl script
Alternatively, Simon Key at Guidance has a Windows command-line tool to unlock keychains (again, given the password) that you can get from Guidance's App Central.
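As an added example of the `security` command-line route mentioned above (this is not the poster's own Perl script), the following unlocks a working copy of a keychain with a password the examiner already holds and prints an inventory of each item's class, service and account without printing any secret data. It assumes macOS with the `security` tool on the PATH; the file name `evidence.keychain` is just a name chosen here.

```perl
#!/usr/bin/perl
# Inventory the items in a copy of an OS X keychain via the `security` CLI
# (macOS only); assumes the examiner already holds the keychain password.
use strict;
use warnings;
use File::Copy qw(copy);
use File::Temp qw(tempdir);

my $src = shift @ARGV or die "usage: $0 <keychain-file>\n";
-r $src or die "cannot read $src\n";

# Work on a copy so the evidence file itself is never modified.
my $workdir = tempdir(CLEANUP => 1);
my $kc = "$workdir/evidence.keychain";
copy($src, $kc) or die "copy failed: $!\n";

# Read the password without echo. It is still handed over with -p, so it is
# visible in `ps` output for the duration of the unlock-keychain call.
print STDERR "Keychain password: ";
system('stty', '-echo');
chomp(my $pw = <STDIN>);
system('stty', 'echo');
print STDERR "\n";

# List-form system() keeps the password out of any shell interpretation.
system('security', 'unlock-keychain', '-p', $pw, $kc) == 0
    or die "unlock failed (wrong password?)\n";

# Without -d, dump-keychain prints item metadata only; -d would also print
# the secret data and raises an access prompt for each item.
open(my $fh, '-|', 'security', 'dump-keychain', $kc) or die "cannot run security: $!\n";
my (%item, @items);
while (my $line = <$fh>) {
    if ($line =~ /^class: "(\w+)"/) {      # genp = generic, inet = internet item
        push @items, {%item} if %item;
        %item = (class => $1);
    }
    elsif ($line =~ /^\s+"(acct|svce|srvr|labl)"<blob>="(.*)"\s*$/) {
        $item{$1} = $2;
    }
}
push @items, {%item} if %item;
close $fh;
system('security', 'lock-keychain', $kc);  # re-lock the working copy

printf "%-5s %-40s %s\n", 'class', 'service/server', 'account';
for my $i (@items) {
    printf "%-5s %-40s %s\n", $i->{class},
        $i->{svce} // $i->{srvr} // $i->{labl} // '-', $i->{acct} // '-';
}
```

Run it as `perl keychain_inventory.pl /path/to/login.keychain` on the examiner's Mac; items whose attribute values are `<NULL>` show as `-`.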
Both EnCase 7 and EnCase 8 have the functionality included to mount the login.keychain, given the user login password.
On the login.keychain, you can right-click to view the file structure and enter the user's login password.
Also, the System.keychain can be mounted in EnCase 7 and 8. It will require extracting the SystemKey from /private/var/db/, and providing it when prompted.