Apple Keychain Parsing in Cellebrite Inspector
Keychains are encrypted containers used on macOS and iOS devices to store usernames and passwords, as well as confidential information such as credit card numbers and bank account personal identification numbers. Cellebrite Inspector 2020 R1 is able to parse information from keychain files, which are identified by file extension (.keychain and .keychain-db).
New Processing Capabilities within Cellebrite Inspector 2020 R1
Keychain files are processed under the “Extract Data” processing option, which is available when running basic triage-level processing. Inspector can parse a keychain without a password, but it cannot unlock one: the entries and their metadata are still parsed, you just won’t see the protected value stored in each entry.
Typically, system keychain files are the only keychains that can be unlocked without a password. A user’s login password is used to unlock the user’s login.keychain file. If you know the user’s password or have some guesses you would like to try, the “Manage Passwords…” button in the “Add Evidence” window is the place to start.
Clicking on “Manage Passwords…” brings up a Passwords window where you can type in any known or possible passwords. You can also import a password list text file here. While it is possible to import a large password list, this feature is not recommended for use as a dictionary attack. Please note that the passwords added must be UTF-8 encoded, and imported password lists must contain one password per line.
Note: Keychain processing only occurs during initial evidence ingestion.
Once processing is complete, parsed keychain data can be found in the “Apple Keychain” section of the “Passwords” subview in “Actionable Intel.”
So, let’s look at the results of a Keychain analysis where the image was processed without entering any passwords, and then the results where the image was processed with the user’s login password.
Keychains contain various types of entries. Passwords associated with any locked disk image files (dmgs) the user has created or opened can be found in the user’s login keychain. To show the difference between a parsed, locked keychain (no password) and a parsed, unlocked keychain (password provided), the examples below filter keychain entries for stored disk image passwords.
No Password at Ingestion
Using the file filter feature in “Actionable Intel”, a filter for keychain entries with a name containing “dmg” from login.keychain-db files (specified with a File Name contains “-db” filter) returned six entries. Inspector parsed the entries contained in the keychain, with the exception of the Value field where the password is stored.
User’s Login Password Entered at Ingestion
In a new case file, the same evidence file was ingested. This time the user’s login password was entered via the ‘Manage Passwords…’ button in the Add Evidence window.
Below you can see the data parsed by Inspector from the login.keychain-db file. The password entered opened the keychain, and the passwords for all six disk images are displayed.
Things to Consider
It is critical to remember that keychains will only be processed during initial evidence ingestion. If you do not enter any passwords, or the correct password is not entered, the values stored in locked keychains will not be parsed.
If you do not know the user’s login password, there may be clues in other areas of ‘Actionable Intel’ to help. For instance, if the user account is set to auto login, the password will be parsed in the ‘User Accounts’ subview of ‘Account Usage’ in ‘Actionable Intel.’
The System keychain in macOS is not locked and can contain passwords to Wi-Fi networks and Time Machine. Since many people re-use passwords, creating a password list from the values stored in the System keychain is a good place to start.
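As an added example, not code from Cellebrite or from the original post, the following Python script builds an import file for “Manage Passwords…” from candidate values such as those recovered from the System keychain or an auto-login account, and checks a list against the import constraints given above (UTF-8, one password per line). The sample values are constructed; the BOM, CRLF and blank-line noise mimic a list edited on Windows.

```python
import tempfile
from pathlib import Path
# Constructed sample: values as copied from parsed System keychain and auto-login entries.
SAMPLE_VALUES = [
    "\ufeffHomeNet-2019",   # leading UTF-8 BOM left by a text editor
    "tm-backup pass\r\n",   # Windows line ending
    "",                     # blank line
    "HomeNet-2019",         # duplicate of the first Wi-Fi value
    "autologin secret ",    # trailing space is part of the password: keep it
]

def normalize_candidates(values):
    """Unique, non-empty candidates in first-seen order."""
    seen, out = set(), []
    for v in values:
        v = v.lstrip("\ufeff").rstrip("\r\n")  # keep other whitespace: it may be part of the password
        if v and v not in seen:
            seen.add(v)
            out.append(v)
    return out

def write_password_list(values, path):
    """Write UTF-8 without BOM, one per line (newline="" blocks CRLF on Windows); return count."""
    candidates = normalize_candidates(values)
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.writelines(c + "\n" for c in candidates)
    return len(candidates)

def verify_bytes(data):
    """Check raw file bytes against the import constraints; return a list of problems."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 BOM")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as e:
        return problems + [f"not valid UTF-8 at byte {e.start}"]
    if "\r" in text:
        problems.append("contains carriage returns (CRLF line endings)")
    if "" in text.replace("\r", "").removesuffix("\n").split("\n"):
        problems.append("contains blank lines")
    return problems

def build_and_verify(values):
    """Round trip: write to a temp file, return (count, problems, raw bytes)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "candidates.txt"
        count = write_password_list(values, path)
        return count, verify_bytes(path.read_bytes()), path.read_bytes()
```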
As data is encountered during your analysis, you may decide you would like to attempt to unlock keychains that were not unlocked during initial processing. You have a couple of options for doing this.
One option is to create a new case file, choose only the triage-level processing options (these take the least amount of time to run), enter the passwords you’ve located via “Manage Passwords…”, and reprocess the evidence.
Your other option is to use the Inspector File Filter to filter the evidence for files with an extension containing “keychain”. Both .keychain and .keychain-db files are returned. Select all the files and export them to a logical evidence file (.L01).
The logical evidence file can then be processed instead of the entire image file. This approach will save time if you make multiple attempts to unlock the keychains with different password lists.