Obtaining keychain files

In order to decrypt the keychain, the first thing you’ll need is the keychain itself. In macOS, the keychain is stored in several files. A separate file contains the decryption key for the system keychain. You’ll need all of these in order to gain full access to encrypted information.

If you’re acquiring keychain files from a live macOS system, do the following.

1. Create a new folder (e.g. “KEYCHAINS” on the desktop).

2. Open Terminal and issue the following command:

cd Desktop/KEYCHAINS

3. Copy the following files into the current folder (“KEYCHAINS”):

cp /Users/<username>/Library/Keychains/login.keychain .
cp /Library/Keychains/System.keychain .
sudo cp /private/var/db/SystemKey .

Notes:

You need superuser access in order to extract SystemKey, a file that contains encryption metadata for decrypting the system keychain. You’ll be prompted for a password.

In macOS 10.12 and later, the keychain file name (in the first command) is login.keychain-db.

There is a final dot at the end of each “copy” command. This is not a formatting error; the dot means that the file is to be copied into the current folder (“KEYCHAINS” in our case).

<username> is the name of the user whose keychain you are about to extract (the currently logged-in user is displayed before the “$” sign).

4. Transfer the content of the “KEYCHAINS” folder to the Windows PC where you have EPD installed; you may be prompted to enter your Mac administrator's password again (because of the special permissions set on the SystemKey file).
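The same acquisition as a script, added here as an example and not taken from the EPD manual: it picks login.keychain-db or login.keychain depending on the macOS version, uses sudo only for a file the current user cannot read, and writes a SHA-256 manifest so the copies can be verified after transfer. The EPD_KEYCHAIN_USER variable and the MANIFEST.sha256 file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the EPD manual: collect the three keychain files into a
# case folder, use sudo only where the current user cannot read the source (SystemKey
# on a live system), and write a SHA-256 manifest for verification after transfer.

# Hash a file with whatever tool the host provides (shasum on macOS, sha256sum on Linux).
sha256_of() {
    if command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print the login keychain path: login.keychain-db (macOS 10.12+) or login.keychain (older).
pick_login_keychain() {
    if [ -f "$1/login.keychain-db" ]; then
        echo "$1/login.keychain-db"
    elif [ -f "$1/login.keychain" ]; then
        echo "$1/login.keychain"
    else
        echo "no login keychain found in $1" >&2
        return 1
    fi
}

# collect_keychains <user keychain dir> <System.keychain> <SystemKey> <destination dir>
collect_keychains() {
    dest="$4"
    mkdir -p "$dest" || return 1
    login_keychain=$(pick_login_keychain "$1") || return 1
    : > "$dest/MANIFEST.sha256"
    for src in "$login_keychain" "$2" "$3"; do
        name=$(basename "$src")
        if [ -r "$src" ]; then
            cp "$src" "$dest/$name" || return 1
        else
            # Root-only file (SystemKey): copy with sudo, then hand the copy to the current user.
            sudo cp "$src" "$dest/$name" && sudo chown "$(id -u)" "$dest/$name" || return 1
        fi
        printf '%s  %s\n' "$(sha256_of "$dest/$name")" "$name" >> "$dest/MANIFEST.sha256"
    done
}

# Live-system run for the paths given in the procedure; EPD_KEYCHAIN_USER is an assumed
# environment variable naming the account whose keychain is being collected.
if [ -n "${EPD_KEYCHAIN_USER:-}" ]; then
    collect_keychains "/Users/$EPD_KEYCHAIN_USER/Library/Keychains" \
        /Library/Keychains/System.keychain /private/var/db/SystemKey "$HOME/Desktop/KEYCHAINS"
fi
```

Compare MANIFEST.sha256 against fresh hashes of the files on the Windows side before loading them into EPD.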

If you have a disk image instead of a live system, extracting files is easier since you won’t need superuser access or the admin password. Mount the disk image and use a file manager of your choice to copy the required files to your Windows computer.

Mounting the disk image is normally not a problem. If you’re dealing with a DMG image, macOS has built-in tools to mount it. If the disk image is in the EnCase .E01 format, you’ll need to use third-party tools to mount the image, such as AccessData FTK Imager or GetData Forensic Imager.