|
|
|
|
|
|
|
Elcomsoft Password Digger
Decrypt Mac OS Keychain
Elcomsoft Password Digger is a Windows tool for decrypting the content of system and user keychains pulled from a Mac OS computer. The tool exports the full data set into an XML file or builds a filtered dictionary for using with password recovery tools. The system and all user keychains can be decrypted.
Elcomsoft Password Digger enables access to highly sensitive information including Wi-Fi passwords, user’s Apple ID and iTunes passwords, Web site and email account passwords, as well as other sensitive information.
Using Elcomsoft Password Digger together with other ElcomSoft tools opens a way to download iCloud backups created by the user’s iPhone or iPad (via Elcomsoft Phone Breaker), and offers a better chance of breaking other passwords faster by generating a custom dictionary (via Elcomsoft Distributed Password Recovery).
Information Available in Mac OS X Keychain
Keychain was introduced with Mac OS 8.6 as means to provide secure storage for sensitive information. Mac OS X uses keychain to manage system-wide and user passwords. System passwords such passwords to Wi-Fi networks are stored in the system keychain, while pretty much everything else ends up in the user keychain.
Here’s an incomplete list of information can be extracted from Mac OS keychain.
System Keychain
Wi-Fi passwords
User Keychain
Apple ID password
Password to iTunes backups
AirPort and TimeCapsule passwords
Passwords to Web sites and accounts
VPN, RDP, FTP and SSH passwords
Passwords to mail accounts including Gmail and Microsoft Exchange
Passwords to network shares
iWork document passwords
Information stored in the keychain is securely encrypted. System keychain uses a decryption key stored in a file, while user keychains are typically encrypted with keys derived from users’ Mac OS account passwords.
Apple offers an in-house tool for viewing items stored in the keychain called Keychain Access. However, using Keychain Access for forensic purposes is slow and inconvenient as the Apple tool requires the user has to re-enter the password for viewing each individual record. Elcomsoft Password Digger can save hours by dumping information stored in the keychain into an XML file that can be loaded into a forensic tool for examination.
Extracting Mac OS Keychain
Elcomsoft Password Digger can extract, decrypt and export the content of the system and all user keychains. The tool dumps information from the keychain into a plain, decrypted XML file containing all records complete with all fields such as the URL, creation and last access time, login, password, and other relevant fields. The resulting XML file can be imported into any XML-enabled tool including a wide range of forensic products and many generic tools such as Microsoft Excel.
Requirements to Extract Keychain Data
In order to use Elcomsoft Password Digger, experts will need a Windows PC, keychain files extracted from Mac OS, as well as the user’s authentication information (Mac OS login and password or keychain password, if it’s different). For decrypting system keychains, the tool will require a decryption key that must be extracted from the Mac OS computer (administrative privileges are required to extract the file from a live system).
System Keychain
Keychain file extracted from the user’s Mac OS system
Decryption key from the same system [1]
User Keychain
Keychain file extracted from the user’s Mac OS system
User’s local login password or keychain password (if different)
Features and Benefits
Gain access to encrypted information stored in Mac OS keychain
Use extracted Apple ID password to download iCloud backups (with Elcomsoft Phone Breaker)
Decrypt system and all user keychains obtained from the Mac OS system
Considerable time savings compared to using Apple Keychain Access
Export full keychain data into an unencrypted XML file
Speed up password recovery by producing filtered plain-text files to be used as custom dictionary (with Elcomsoft Distributed Password Recovery and other tools)
Easier Over-the-Air Acquisition with Elcomsoft Phone Breaker
Information extracted with Elcomsoft Password Digger can be used with other ElcomSoft products to extract even more information from other sources.
Extracting the user’s Apple ID password is highly valuable for an investigation. Having the user’s Apple ID password, experts can use Elcomsoft Phone Breaker to download cloud backups created by user’s iOS devices such as iPhone and iPad from Apple iCloud. Over-the-air acquisition produces a clean, unencrypted backup that can be viewed in Elcomsoft Phone Viewer or analyzed in one of the many commercial forensic tools.
Breaking Passwords Faster with Elcomsoft Distributed Password Recovery
Attacking many types of passwords is impossible without a quality dictionary. Even with GPU acceleration, certain types of passwords (such as those protecting Microsoft Office 2010-2013 documents) are just too slow to brute force. A custom dictionary containing the user’s other passwords is invaluable in assisting these types of attacks. By reviewing a list of user’s passwords, experts may be able to derive a common pattern, creating a set of rules for the password recovery tool.
Brute-forcing Microsoft Office 2010 passwords can take ages even with GPU acceleration
Elcomsoft Password Digger can produce highly relevant password dictionaries in one click. By extracting all passwords stored in the user’s keychain and saving them into a plain, filtered text file that only contains the passwords, Elcomsoft Password Digger allows building a highly relevant custom dictionary for breaking strong passwords.
System Requirements
Elcomsoft Password Digger requires a Windows PC with Windows Vista, Windows 7, 8, 8.1, Windows 10 or Windows 2003, 2008 or 2012 Server, and supports keychains produced by all versions of Mac OS including the latest Mac OS X ‘El Capitan’.
© Copyright 2000-2023 COGITO SOFTWARE CO.,LTD. All rights reserved
