Decrypting the macOS keychain
Elcomsoft Password Digger is a Windows tool for decrypting the contents of system and user keychains obtained from a macOS computer. The tool exports the full set of keychain records to an XML file or builds a filtered dictionary for use by password recovery tools. The system keychain and all user keychains can be decrypted.
Elcomsoft Password Digger provides access to highly sensitive information such as Wi-Fi passwords, Apple ID and iTunes passwords, website and email passwords, and other sensitive information.
Using Elcomsoft Password Digger together with other ElcomSoft tools opens up new possibilities: downloading iCloud backups created by the user's iPhone or iPad (via Elcomsoft Phone Breaker), and recovering the user's other passwords more quickly by building a custom dictionary from the keychain (via Elcomsoft Distributed Password Recovery).
Extract macOS passwords. Create a custom dictionary
Elcomsoft Password Digger provides a one-click option to extract all relevant passwords and save them as a filtered, plain-text dictionary.
Without a quality dictionary, attacking many types of passwords is impractical. Even with GPU acceleration, certain types of passwords (such as those protecting Microsoft Office 2010-2013 documents) use key derivation that is simply too slow for brute-force methods. A custom dictionary containing the user's other passwords is invaluable for these attacks: people reuse passwords and password patterns across accounts. By reviewing the user's password list, experts can derive a common pattern (a favourite base word, a year or digit suffix, a capitalisation habit) and turn it into a set of rules for the password recovery tool.
Elcomsoft Password Digger creates such a dictionary with one click by extracting all passwords stored in the user's keychain and storing them in a simple, filtered text file containing only the passwords, one per line. The resulting file can be used for dictionary attacks with Elcomsoft Distributed Password Recovery, Elcomsoft Password Recovery Bundle, as well as with individual password recovery tools.
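The following Python script is an added example, not part of Elcomsoft Password Digger or its documentation. It shows what "filtering a keychain export into a dictionary and deriving rules from the user's habits" looks like in practice: it reads a keychain export, keeps only the unique non-empty passwords, measures how often the user ends passwords with a year or a symbol and whether they capitalise the first letter, and then recombines every observed stem with every observed suffix so that reuse patterns such as Summer2019! / Winter2018! also yield Winter2019! and Summer2018!. The XML layout (`<keychain><item><password>…`) is an assumption made for the example; the real Elcomsoft export schema is not described on this page, so adjust the tag names to whatever the tool emits. The sample export is constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample export. The element names are an ASSUMPTION for this
# example; the real Elcomsoft Password Digger XML layout may differ.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<keychain>
  <item><kind>internet</kind><server>mail.example.com</server><account>alice</account><password>Summer2019!</password></item>
  <item><kind>internet</kind><server>vpn.example.com</server><account>alice</account><password>Summer2019!</password></item>
  <item><kind>generic</kind><server>AirPort</server><account>HomeNet</account><password>homenet2019</password></item>
  <item><kind>generic</kind><server>iTunes backup</server><account>backup</account><password>Winter2018!</password></item>
  <item><kind>generic</kind><server>Apple ID</server><account>alice@example.com</account><password>Autumn2019#</password></item>
  <item><kind>key</kind><server>private key</server><account>com.apple.ids</account><password></password></item>
</keychain>
"""

# stem = everything up to the last letter, then optional digits, then optional symbols
STEM_RE = re.compile(r"^(.*?[A-Za-z])([0-9]*)([^A-Za-z0-9]*)$")


def extract_passwords(xml_text):
    """Return unique, non-empty <password> values in first-seen order (the filtered dictionary)."""
    root = ET.fromstring(xml_text)
    seen = []
    for item in root.iter("item"):
        pw = (item.findtext("password") or "").strip()
        if pw and pw not in seen:
            seen.append(pw)
    return seen


def split_password(pw):
    """Split 'Summer2019!' into ('Summer', '2019', '!'); passwords without letters are left whole."""
    m = STEM_RE.match(pw)
    if not m:
        return pw, "", ""
    return m.group(1), m.group(2), m.group(3)


def derive_rules(passwords):
    """Summarise the user's habits: which digit suffixes, symbol suffixes and capitalisation they use."""
    digits, symbols, caps = Counter(), Counter(), Counter()
    for pw in passwords:
        stem, num, sym = split_password(pw)
        if num:
            digits[num] += 1
        if sym:
            symbols[sym] += 1
        if stem[:1].isupper() and stem[1:].islower():
            caps["title"] += 1
        elif stem.islower():
            caps["lower"] += 1
        else:
            caps["other"] += 1
    return {"digit_suffixes": digits, "symbol_suffixes": symbols, "capitalisation": caps}


def build_dictionary(passwords):
    """Raw passwords first, then every stem (as seen, lower-case, Capitalised) crossed with every observed suffix."""
    rules = derive_rules(passwords)
    stems = []
    for pw in passwords:
        stem, _, _ = split_password(pw)
        for s in (stem, stem.lower(), stem.capitalize()):
            if s not in stems:
                stems.append(s)
    digit_sfx = [""] + [d for d, _ in rules["digit_suffixes"].most_common()]
    sym_sfx = [""] + [s for s, _ in rules["symbol_suffixes"].most_common()]
    words = list(passwords)
    for stem in stems:
        for d in digit_sfx:
            for s in sym_sfx:
                cand = stem + d + s
                if cand not in words:
                    words.append(cand)
    return words


def write_dictionary(words, path):
    """Write one candidate per line, the format dictionary attacks expect."""
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    pws = extract_passwords(SAMPLE_XML)
    print("rules:", derive_rules(pws))
    print("wrote", write_dictionary(build_dictionary(pws), "keychain-dict.txt"), "candidates")
```

Feed `keychain-dict.txt` to the recovery tool as a plain dictionary; the first lines are the raw keychain passwords, so exact reuse is tried before the derived variants. The `derive_rules` counters are what you would turn into a rule set (for example, "append a four-digit year, then `!` or `#`") when the target is not in the wordlist at all.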
Information available in the macOS keychain
Keychain was introduced in Mac OS 8.6 as a means of securely storing sensitive information, and Mac OS X and macOS use it to manage system and user passwords. System-wide secrets, such as passwords to Wi-Fi networks, are stored in the system keychain, while pretty much everything else ends up in the user's keychain.
Below is a partial list of information that can be extracted from the macOS keychains.
System keychain
- AirPort (Wi-Fi) network and Time Capsule passwords
User keychain
- Apple ID password
- Password to iTunes backups
- Passwords to websites and accounts
- VPN, RDP, FTP and SSH passwords
- Passwords to email accounts including Gmail and Microsoft Exchange
- Passwords for network sharing
- iWork document passwords
The information stored in the keychain is encrypted. The system keychain is encrypted with a key kept in a separate file on the same system (readable only by root), while user keychains are encrypted with keys derived from the user's macOS login password, or from a separate keychain password if the user has set one.
Apple provides an in-house tool for viewing items stored in the keychain called Keychain Access. However, using Keychain Access for forensic purposes is slow and inconvenient because the Apple tool requires the user to re-enter the password when viewing each individual record. Elcomsoft Password Digger saves time by storing the information stored in the keychain in an XML file, which can then be loaded into a forensic tool.
Extracting the macOS keychain
Elcomsoft Password Digger can extract, decrypt and export the contents of the system and all user keychains. The tool dumps information from the keychain into a simple, decrypted XML file containing all records with all fields such as URL, creation and access time, login, password and other relevant fields. The resulting XML file can be imported by any XML-enabled tool in a wide range of forensic products, including generic tools such as Microsoft Excel.
Extracting keychain data
To use Elcomsoft Password Digger, experts need a Windows PC, the keychain files extracted from the macOS computer, and the user's authentication information (the macOS login password, or the keychain password if it differs). To decrypt the system keychain, the tool additionally requires the system keychain decryption key, a file that must be extracted from the same macOS computer (administrator rights are required to read it from a live system).
System keychain
- Keychain file extracted from a user's macOS system
- Decryption key of the same system[1]
User keychain
- Keychain file extracted from the user's macOS system
- User login password or keychain password (if different)
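The script below is an added example of the collection step, not a tool shipped by ElcomSoft. It copies the artifacts listed above off a macOS system volume and records a SHA-256 manifest so the copies can be verified later. The file locations (`/Library/Keychains/System.keychain`, `/var/db/SystemKey`, `~/Library/Keychains/login.keychain-db` or the older `login.keychain`) are standard macOS paths stated here as assumptions, since the page itself does not name them; `SystemKey` is root-only, so on a live system the script must run under `sudo`. The `demo()` function builds a constructed stand-in volume in a temporary directory so the logic can be exercised off-line.

```python
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path

# Standard macOS locations (assumed for this example; not named on the page).
SYSTEM_ARTIFACTS = [
    "Library/Keychains/System.keychain",   # the system keychain itself
    "var/db/SystemKey",                    # its decryption key; mode 0600, owned by root
]
USER_KEYCHAIN_NAMES = ["login.keychain-db", "login.keychain"]  # 10.12+ name, then the legacy name

# Constructed stand-in for a mounted system volume, used only by demo().
DEMO_VOLUME = {
    "Library/Keychains/System.keychain": b"demo system keychain bytes",
    "var/db/SystemKey": b"demo system key bytes",
    "Users/alice/Library/Keychains/login.keychain-db": b"demo alice login keychain",
    "Users/bob/Library/Keychains/login.keychain": b"demo bob legacy login keychain",
}
# Files that live next to the keychains but are NOT wanted (should be skipped).
DEMO_NOISE = {
    "Users/alice/Library/Keychains/metadata.keychain-db": b"not a login keychain",
    "Users/Shared/readme.txt": b"no keychain here",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_keychains(root, dest):
    """Copy every keychain artifact found under `root` into `dest`; return {relative path: sha256}."""
    root, dest = Path(root), Path(dest)
    wanted = [root / rel for rel in SYSTEM_ARTIFACTS]
    users_dir = root / "Users"
    if users_dir.is_dir():
        for home in sorted(users_dir.iterdir()):
            for name in USER_KEYCHAIN_NAMES:
                wanted.append(home / "Library" / "Keychains" / name)
    manifest = {}
    for src in wanted:
        if not src.is_file():          # missing on this system (e.g. no legacy keychain): skip quietly
            continue
        rel = src.relative_to(root)
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, out)         # copy2 preserves the original timestamps
        digest = sha256_file(out)
        if digest != sha256_file(src): # guard against a keychain being modified mid-copy on a live system
            raise RuntimeError(f"hash mismatch while copying {rel}")
        manifest[str(rel)] = digest
    dest.mkdir(parents=True, exist_ok=True)
    with open(dest / "manifest.sha256", "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")  # same layout `shasum -a 256 -c` accepts
    return manifest


def demo():
    """Build the constructed volume in a temp dir, collect from it, clean up, and return the manifest."""
    tmp = Path(tempfile.mkdtemp())
    try:
        for rel, data in {**DEMO_VOLUME, **DEMO_NOISE}.items():
            p = tmp / "volume" / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return collect_keychains(tmp / "volume", tmp / "out")
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    # Live system:  sudo python3 collect_keychains.py / ./keychain-dump
    # Mounted image: python3 collect_keychains.py /Volumes/Evidence ./keychain-dump
    src_root, out_dir = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("/", "./keychain-dump")
    for rel, digest in collect_keychains(src_root, out_dir).items():
        print(digest, rel)
```

The manifest is written in the `digest  path` form that `shasum -a 256 -c manifest.sha256` verifies, so the copies can be checked again after they have been moved to the Windows machine running Elcomsoft Password Digger. The user's login password is still needed on the Windows side; nothing in this script bypasses the keychain encryption.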
Features and Benefits
- Get access to encrypted information stored in macOS keychains
- Use the extracted Apple ID password to download iCloud backups (with Elcomsoft Phone Breaker)
- Decrypt system and user keychains from the macOS system
- Significant time savings compared to Apple Keychain Access
- Export full keychain data to an unencrypted XML file
- Speed up password recovery by creating filtered plaintext files to be used as a custom dictionary (with Elcomsoft Distributed Password Recovery and other tools)
[1] The system keychain decryption key must be extracted from the same macOS computer as the system keychain; administrator rights are required if you are extracting it from a live system.
Easier access to iCloud backups with Elcomsoft Phone Breaker
Information extracted with Elcomsoft Password Digger can be used with other ElcomSoft products to extract even more information from other sources.
Extracting the user's Apple ID password is very valuable for an investigation. With the user's Apple ID password, experts can use Elcomsoft Phone Breaker to download the cloud backups that iOS devices such as iPhone and iPad create in Apple iCloud. Unlike local iTunes backups, these over-the-air backups are not protected with a separate backup password, so the downloaded data can be viewed in Elcomsoft Phone Viewer or analyzed in one of the many commercial forensic tools.