The keychain is one of the hallmarks of the Apple ecosystem. Containing a plethora of sensitive information, the keychain is one of the best guarded parts of the walled garden. At the same time, the keychain is relatively underexplored by the forensic community. The common knowledge has it that the keychain contains the users’ logins and passwords, and possibly some payment card information. The common knowledge is missing the point: the keychain contains literally thousands of records belonging to various apps and the system that are required to access lots of other sensitive information. Let’s talk about the keychain, its content and its protection, and the methods used to extract, decrypt and analyze the various bits and pieces.

The cloud becomes an ever more important (sometimes exclusive) source of the evidence whether you perform desktop or cloud forensics. Even if you are not in forensics, cloud access may help you access deleted or otherwise inaccessible data.

In Apple’s world, the keychain is one of the core and most secure components of macOS, iOS and its derivatives such as watchOS and tvOS. The keychain is intended to keep the user’s most valuable secrets securely protected. This includes protection for authentication tokens, encryption keys, credit card data and a lot more. End users are mostly familiar with one particular feature of the keychain: the ability to store all kinds of passwords. This includes passwords to Web sites (Safari and third-party Web browsers), mail accounts, social networks, instant messengers, bank accounts and just about everything else. Some records (such as Wi-Fi passwords) are “system-wide”, while other records can be only accessed by their respective apps. iOS 12 further develops password auto-fill, allowing users to utilize passwords they stored in Safari in many third-party apps.