16-08-2021

Decrypt Keychain.plist

Part 1 of this series may be found here.
Part 2 of this series may be found here.
Part 3 of this series may be found here.
Part 4 of this series may be found here.

Apr 12, 2021 Find the encryption key manually. Open the keychain.plist file in a text editor. In the keychain.plist file, search for the Base64 string for the application (for example, Wickr Me). The string decodes to the corresponding Account fragment and is an indicator that the object where it resides is the location of the encryption key. Or we can launch the keychain explorer and have a look at the. Read and decrypt keychain. Examining Mac OS X User & System Keychains. The password is protected by a simple XOR encryption and is easy to decrypt using a. I checked the Manifest.plist file and the 'password' denoted in the file, matches my backup password. EPB is able to decrypt keychain data from password-protected backups (iOS 4 and later) if the backup password is known (or has been recovered using EPB for Windows). For iTunes backups that do not have the password set, as well as for iCloud backups, keychain can be decrypted only if the 'security key' is known. What is plist Editor Pro? In the Mac OS X and iPhone OS, property list files are files that store serialized objects. Property list files use the filename extension.plist. Decrypt Keychain.plist. 25/10/17 8 Comments. In iTunes backup, the iPhone Keychain sqlite database is stored as a Plist file. The Keychain file gets.

Safari

I must admit, I was pretty surprised by how hidden Apple made their security information. After years of hearing how horrible Safari is in terms of general security – their password security is actually pretty decent. unfortunately, it too is able to be hacked if you know what you’re doing.

Safari stores your usernames and passwords in a file called “keychain.plist” in the following folders:

Sorry Mac users, I don’t know where this is stored on a Mac… If someone wants to give me a Mac, I’ll be more than happy to research it for them… 🙂

The contents of this file are pseudo-encrypted because it’s stored in a “Binary Property List” file format which is an Apple format for storing binary data. If you just open the file it will look like garbage. However, Apple provides a tool called plutil.exe that can read this format and it’s actually provided with Safari in the following folders:

Run this program in DOS using the following commands:

This will convert the .plist file into an XML file. In the XML file, everything will be decoded except for your password which will be inside an tag called

The encrypted password is encoded using the BASE64 algorithm. Bizarrely enough, the original password data stored in the keychain.plist file is not encoded with BASE64. It is only encrypted to BASE64 when converting the .plist file into XML using the plutil program. In the .plist file, the password is encrypted using standard Windows Data Protection (DPAPI), which provides the known functions of CryptProtectData and CryptUnprotectData for encrypting / decrypting of data using your Windows authentication password. When using CryptProtectData, Safari uses a standard, static salt for all passwords which is also stored in the keychain.plist file.

So to actually decode the XML file, you must first decrypt the BASE64 encrypted data, then decrypt the Windows DPAPI encrypted data. Easy right?

BASE64 encryption can easily be broken with free code available online. From there, you need to figure out the salt to use with the Windows DPAPI CryptUnprotectData function.

For the curious, the salt generation algorithm and decryption functions are available in the Apple supplied CFNetwork.dll file which can be found in the following folders:

The salt data in the .plist file is 144 bytes long and ends with “com.apple.Safari”. Once you find the Salt in the .plist file, you can easily decrypt the passwords using the CryptUnprotectData function (available on the Microsoft MSDN website).

As you can see, Safari is much more complicated than other browsers but in the end, it’s just as easy for someone who knows what they are doing to hack.

Summary

I think that all the browsers fall short in one area or another. Firefox comes the closest but only if you enable a Master Password. IE9 has good security for Autocomplete data, but only if you do not store website history. Chrome fails in terms of protecting your usernames and passwords from any key loggers. Opera fails completely because it uses a known, static salt. Safari surprisingly enough provides decent security from someone who doesn’t know what they are doing but a true hacker should be able to decrypt your passwords with some patience.

My recommendation? Use Firefox, keep it updated and enable a strong Master Password. Again, I refer you to check out XKCD’s Password Strength cartoon for tips.

Keychain is the password manager Apple builds into its devices—iPhones, iPads, and Macs—to store users’ passwords, credit card details, Wi-Fi login details, and a host of other sensitive data.

At the same time, the utility is supposed to make it easy for users to create, recall, and access complex passwords.

Keychain-backup.plistDecrypt keychain.plist email

Keychain is easily the most popular password manager used on iPhones, so keychain extraction is an incredibly important and useful capability for any digital forensic investigator or computer security researcher to have.

How does keychain work?

When a user inputs a password for a specific site or application, keychain (if enabled) offers to store the password and login details.

The utility also offers to generate strong passwords. Keychain does its best to prevent users from using the same passwords for their websites and applications.

Keychain stores the passwords and other sensitive details in iCloud and then syncs it across all the devices where the user is signed into and on which keychain is enabled.

This way, the user gets to access all their login data, credit card information, and other sensitive details from their iPhone, iPad, or Mac.

For example, a user can register an account for a site on his iPhone and later sign in to the same site on their Mac using the same login details. Keychain powers the fluid sign-in process across Apple devices.

How does keychain secure its data?

Keychain encrypts the stored passwords and credit card numbers with 256-bit AES, which is one of the most advanced encryption standards available.

The facility also employs end-to-end encryption tech and works to provide a device with a unique key and passcode. Only the user is supposed to know the passcode used to access keychain.

Users typically employ FaceID and TouchID (in place of their passcodes) to use keychain and view the passwords stored in it.

Decrypt Iphone Keychain-backup.plist

How can you use Belkasoft Evidence Center to extract keychain data from an iPhone?

Belkasoft Evidence Center is a digital forensics tool that investigators use to acquire, search, analyze, store, and share digital evidence from computers, smartphones, RAM, and cloud services.

The iPhone acquisition function based on checkm8 built into Belkasoft Evidence Center (or, in short, BEC) allows for full file system extraction. With this Belkasoft tool, digital forensic researchers and investigators are now extracting and analyzing different forms of data from iPhones.

To extract keychain data from an iPhone using Belkasoft, you have to perform these tasks:
  • Run the Belkasoft Evidence Center application on a PC.
  • Go to the Add data source screen. Select Apple Checkm8.
  • Connect the iPhone to the PC.
  • Boot the iPhone into DFU mode. You can learn more about DFU mode here.
  • Follow the on-screen instructions to use BEC to extract and analyze data from the iPhone.
  • Go to the Passwords node (where the Keychain data is presented).

BEC also automatically decrypts applications data based on keychain. This way, for example, you can decrypt messages in the Signal app on an iPhone.

What devices are supported?

Keychain extraction is backed by the iPhone data acquisition function powered by checkm8, so you can use Belkasoft to extract keychain data from Apple devices equipped with the A7 chip through A11 SoC.

Here, we are referring to the generations of iPhones starting from iPhone 5s down till iPhone X.

Iphone

Decrypt Keychain.plist Password

Iphone

Keychain data is actually just one of the many items that get extracted from a user’s iPhone. BEC provides forensically sound access to a wide range of encrypted information stored in iPhones.

To summarize things, we can say Belkasoft can reliably extract keychain data from an iPhone in either of these cases:

Decrypt keychain.plist tool
  • The iPhone is one of the models that support checkm8 (as listed above) and you used the checkm8 function on it. In this case, the iPhone must be unlocked and you must know its passcode.
  • The iPhone has been 'jailbroken' already. In this case too, the iPhone must be unlocked and you must know its passcode.

See also

Decrypt Keychain-backup.plist

  • Belkasoft articles on checkm8 and other digital forensic issues