Apple Keychain Parsing in BlackLight
by Stephanie Thompson, Solutions Engineer
Keychains are encrypted containers used on macOS and iOS devices to store usernames and passwords, as well as confidential information such as credit card numbers and bank account personal identification numbers. BlackLight 2020 R1 is able to parse information from keychain files, identified by file extension (.keychain and .keychain.db).
New Processing Capabilities within BlackLight 2020 R1
Keychain files are processed under the ‘Extract Data’ processing option, which is available when running the basic triage level processing. Unless you enter a password, BlackLight attempts to parse the keychains without one. Without a password to open locked keychains, data will still be parsed from the keychain; you just won’t see the protected value for the stored data.
Typically, System keychain files are the only keychains that can be unlocked without a password. A user’s login password is used to unlock the user’s login.keychain file. If you know the user’s password, or have some guesses you would like to try, use the ‘Manage Passwords…’ button in the Add Evidence window.
Clicking on ‘Manage Passwords…’ brings up a Passwords window where you can type in any known or possible passwords, or you can import a password list text file. While it is possible to import a large password list, it is not recommended to use this feature as a dictionary attack. Please note the passwords added must be UTF-8 encoded, and password lists added should have one password per line.
Note: Keychain processing ONLY occurs during initial evidence ingestion.
Once processing is complete, parsed keychain data can be found in the ‘Apple Keychain’ section of the ‘Passwords’ subview in ‘Actionable Intel.’ So, let’s look at the results of keychain analysis where the image was processed without entering any passwords, and then the results where the image was processed with the user’s login password.
Keychains contain various types of entries. One type of entry found in a user’s login keychain is the password associated with any locked disk image file (dmg) the user has created or opened. To show the difference between a parsed locked keychain (no password) and a parsed unlocked keychain (password provided), the examples shown below filter keychain entries for stored disk image passwords.
No Password at Ingestion
Using the file filter feature in ‘Actionable Intel’, filtering for keychain entries with a name containing ‘dmg’ from login.keychain-db files (specified by using a File Name contains -db filter) returns six entries. BlackLight parsed the entries contained in the keychain, with the exception of the Value field where the password is stored.
User’s Login Password Entered at Ingestion
In a new case file, the same evidence file was ingested. This time the user’s login password was entered via the ‘Manage Passwords…’ button in the Add Evidence window. Below you can see the data parsed by BlackLight from the login.keychain-db file. The password entered opened the keychain, and the passwords for all six disk images are displayed.
Things to Consider
It is critical to remember that keychains will only be processed during initial evidence ingestion. If you do not enter any passwords, or the correct password is not entered, the values stored in locked keychains will not be parsed.
If you do not know the user’s login password, there may be clues in other areas of ‘Actionable Intel’ to help. For instance, if the user account is set to auto login, the password will be parsed in the ‘User Accounts’ subview of ‘Account Usage’ in ‘Actionable Intel.’
The System keychain in macOS is not locked and can contain passwords for Wi-Fi networks and Time Machine. Since many people re-use passwords, creating a password list from the values stored in the System keychain is a good place to start.
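A small helper for assembling such a list in the form the ‘Manage Passwords…’ import expects (UTF-8 encoded, one password per line), as an added example rather than BlackLight’s own code; the recovered values and the field names in the sample are constructed for illustration and do not reflect BlackLight’s export format.

```python
# Added example, not BlackLight code: assemble a password-list file for the
# 'Manage Passwords...' import (UTF-8 encoded, one password per line) from
# values already recovered elsewhere in the case, e.g. System keychain Wi-Fi
# and Time Machine entries or an auto-login password from 'Account Usage'.
import tempfile
from pathlib import Path

# Constructed sample of recovered values. The dict keys are illustrative and
# do not reflect BlackLight's own export format.
RECOVERED = [
    {"source": "System.keychain", "name": "HomeWiFi",     "value": "Summer2019!"},
    {"source": "System.keychain", "name": "OfficeWiFi",   "value": "Summer2019!"},      # reused
    {"source": "System.keychain", "name": "Time Machine", "value": "backup\u00e9pass"},  # non-ASCII
    {"source": "Account Usage",   "name": "auto-login",   "value": "  Summer2019!  "},
    {"source": "login.keychain-db", "name": "locked.dmg", "value": None},               # not parsed
]


def build_password_list(entries):
    """Ordered, de-duplicated candidates; empty or unparsed values are skipped."""
    seen, out = set(), []
    for entry in entries:
        value = entry.get("value")
        if not value:
            continue                          # Value field not parsed (locked keychain)
        for cand in (value.strip(), value):   # trimmed form first, then the exact value
            if not cand or "\n" in cand or "\r" in cand:
                continue                      # a newline would split one password into two lines
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def write_password_list(passwords, path):
    """Write one password per line as UTF-8 (no BOM, LF line endings)."""
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        for pw in passwords:
            fh.write(pw + "\n")
    return len(passwords)


def read_password_list(path):
    """Read the file back strictly as UTF-8; raises UnicodeDecodeError on bad bytes."""
    with open(path, encoding="utf-8", errors="strict", newline="\n") as fh:
        return [line.rstrip("\n") for line in fh if line.rstrip("\n")]


def roundtrip(entries, directory=None):
    """Build, write and re-read the list; returns what the import would see."""
    path = Path(directory or tempfile.mkdtemp()) / "passwords.txt"
    write_password_list(build_password_list(entries), path)
    return read_password_list(path)
```

The resulting passwords.txt can be imported directly through ‘Manage Passwords…’ when re-ingesting the evidence or a logical evidence file.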
As data is encountered during your analysis, you may decide you would like to attempt to unlock keychains that were not unlocked during initial processing. You have a couple options for doing this.
One option is to create a new case file, choose only the triage level processing options (this takes the least amount of time to run), enter the passwords you’ve located via ‘Manage Passwords…’, and reprocess the evidence.
Your other option is to use BlackLight’s File Filter to filter the evidence for files with an extension containing keychain. Both .keychain and .keychain-db files are returned. Select all the files and export them to a logical evidence file (.L01).
The logical evidence file can then be processed instead of the entire image file. This approach will save time if you make multiple attempts to unlock the keychains with different password lists.