Obtaining keychain files
In order to decrypt the keychain with EPD, the first thing you’ll need is the keychain itself. In macOS, the keychain is stored in several physical files, and a separate file holds the decryption key for the system keychain. You’ll need all of these files in order to gain full access to the encrypted information.
If you’re acquiring keychain files from a live Mac OS X system, do the following.
•Make a new folder on the desktop (e.g. “KEYCHAINS”)
•Open Terminal and issue the following command
cd Desktop/KEYCHAINS
•Copy the following files into the current folder (“KEYCHAINS”):
cp /Users/<username>/Library/Keychains/login.keychain-db .
cp /Library/Keychains/System.keychain .
sudo cp /private/var/db/SystemKey .
The user's keychain file is named "login.keychain-db" on macOS 10.12 and 10.13, and "login.keychain" on older versions of macOS.
Note that you need superuser access in order to extract SystemKey, the file that contains the encryption metadata needed to decrypt the system keychain. You’ll be prompted for a password.
Also note that there is a final dot at the end of each “cp” command. This is not a formatting error; the dot means that the file is to be copied into the current folder (“KEYCHAINS” in our case).
<username> is the name of the user whose keychain you are about to extract (the currently logged-in user is displayed before the “$” sign in the Terminal prompt).
•Transfer the contents of the “KEYCHAINS” folder to the Windows PC where you have EPD installed; you may be prompted to enter your Mac administrator's password again (because of the special permissions set on the SystemKey file).
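The live-system steps above, collected into a POSIX shell script as an added example (this is not Elcomsoft's tooling or part of EPD). It picks login.keychain-db or login.keychain automatically and escalates with sudo only for SystemKey; the home directory, system root and destination folder are parameters, an assumption made so the same logic can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example: gather the three files EPD needs from a live macOS system.
# Parameters are explicit so the logic can be tested on a constructed tree.

# Print the user keychain file name found under $1/Library/Keychains
# (login.keychain-db on macOS 10.12/10.13, login.keychain on older releases).
pick_login_keychain() {
    kc_dir="$1/Library/Keychains"
    if [ -f "$kc_dir/login.keychain-db" ]; then
        echo "login.keychain-db"
    elif [ -f "$kc_dir/login.keychain" ]; then
        echo "login.keychain"
    else
        return 1
    fi
}

# Copy the login keychain, System.keychain and SystemKey into $3.
#   $1 = user's home directory (e.g. /Users/<username>)
#   $2 = system root: "" on a live Mac, or the mount point of a disk image
#   $3 = destination folder (created if missing)
collect_keychains() {
    home="$1"; root="$2"; dest="$3"
    mkdir -p "$dest" || return 1
    name=$(pick_login_keychain "$home") || { echo "no login keychain under $home" >&2; return 1; }
    cp "$home/Library/Keychains/$name" "$dest/" || return 1
    cp "$root/Library/Keychains/System.keychain" "$dest/" || return 1
    key="$root/private/var/db/SystemKey"
    # SystemKey is readable only by root on a live system; ask for sudo only then.
    if [ -r "$key" ]; then
        cp "$key" "$dest/"
    else
        sudo cp "$key" "$dest/"
    fi || return 1
    # List what was collected so the evidence set can be checked before transfer.
    (cd "$dest" && ls -1 "$name" System.keychain SystemKey)
}

# Live-system usage on a Mac (uncomment to run):
# collect_keychains "/Users/$USER" "" "$HOME/Desktop/KEYCHAINS"
```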
If you have a disk image instead of the live system, extracting the files is easier, since you won’t need superuser access or an admin password. Just mount the disk image and use your favorite file manager to copy the required files to your Windows computer.
Mounting the disk image is normally not a problem. If you’re dealing with a DMG image, Mac OS has built-in tools to mount it. If the disk image is in EnCase .E01 format, you’ll need to use third-party tools to mount the image, such as AccessData FTK Imager or GetData Forensic Imager.