Encrypted devices already present a huge challenge for forensic vendors. As application security increases with applications like WickrMe, Signal, and Snapchat encrypting their databases, the challenge to overcome encryption and decode content will continue to grow. In this blog, we will review what the iOS Keychain is, how to obtain it, and how the forensic tool should leverage it to aid in the decryption of secure applications.

What Is iOS Keychain And How Can You Obtain It?

“Keychain” is a password management system designed by Apple to protect sensitive user data information. It is a convenient feature that stores account credentials, passwords, and credit card numbers. Different applications may also utilize Keychain to store encryption keys or sensitive certificates.

Since the Keychain file is protected by Apple, it is not enough to simply pull the entire filesystem (with SSH, for example). To access the data you will need to perform a full-file-system extraction using an on-device agent that can support a dedicated Keychain extraction for the target exhibit. (To fully understand what iOS Keychain is, I suggest you read this blog by Oleg Afonin from Elcomsoft.)

A full-file-system extraction provides much more data than a logical extraction. This includes critical data such as full e-mails, 3rd-party app data, passwords, keys, and tokens stored in Keychain.

Full file system extraction can be obtained via Cellebrite Premium, our Advanced Services, or UFED. The ability to obtain the full file system and the keychain with UFED is due to the successful integration of the checkm8 exploit and mainly depending on the device model.

How To Use The Keychain

As always, our goal at Cellebrite is to make your life easier and simplify the examination process. This is why Cellebrite Physical Analyzer (PA) automatically uses the Keychain file located in the UFED extraction folder. Simply double-click on the “.UFD” file and it will automatically launch PA to begin the decoding stage.

What If I Performed The Extraction Using Another Tool?

If you acquired full-file-system extraction from any other tool and you wish to process the dump file together with the Keychain, simply choose “Open Advanced” and choose the “iOS File System / Backup / GrayKey” option. Import the dump and the Keychain in the right place.

How Can Keychain Help Me In My Investigation?

As mentioned before, the Keychain file stores passwords of applications. Physical Analyzer automatically scans the Keychain file to retrieve the relevant passwords according to the installed applications on the device and can automatically link the relevant application to its password. The entire decryption process is automatic, doesn’t require any user interaction, and the output yields decrypted application data that can be quickly examined.

No Keychain                                     With Keychain

*Josh Hickman’s iOS checkm8 image

At Cellebrite, our goal is to save you crucial time and automate as many processes as possible so you can focus on the tasks that matter without wasting time.

Resources

[1] Josh Hickman’s iOS Image – https://thebinaryhick.blog/

Share this post