DFIR Review

Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored

0
Updated

Research

White papers
  • Apple
  • Cryptography/Encryption
  • DFIR Review
  • iOS
Tools
  • Elcomsoft Password Digger
  • Elcomsoft Phone Breaker
  • Elcomsoft Phone Viewer

The keychain is one of the hallmarks of the Apple ecosystem. Containing a plethora of sensitive information, the keychain is one of the best guarded parts of the walled garden. At the same time, the keychain is relatively underexplored by the forensic community. The common knowledge has it that the keychain contains the users’ logins and passwords, and possibly some payment card information. The common knowledge is missing the point: the keychain contains literally thousands of records belonging to various apps and the system that are required to access lots of other sensitive information. Let’s talk about the keychain, its content and its protection, and the methods used to extract, decrypt and analyze the various bits and pieces.

Attachments

  • File Description
    File Size
    File Type
    Downloads
  • Extracting and Decrypting iOS Keychain Physical, Logical and Cloud Options Explored
    2 MB
    26