The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
book

by AAron Walters, Jamie Levy, Andrew Case, Michael Hale Ligh
July 2014
Intermediate to advanced
912 pages
24h 5m
English
Wiley
Content preview from The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Chapter 31 Tracking User Activity

Mac systems are primarily used as personal computers (laptops, desktops, workstations) rather than servers. Thus, the focus of many forensic investigations is tracking a suspect or victim’s activity based on artifacts created by web browsers, address books, e-mail and chat clients, word processors, social media applications, and calendars. These types of applications handle a large amount of relevant information that is stored only in memory. For example, this chapter shows how you can recover unencrypted PGP e-mail and Off-the-Record (OTR) instant messages, cached keychain private keys, and so on. In addition, we describe the steps we took while researching evidence stored in unfamiliar/undocumented formats. This will provide valuable insight into how you can extend these techniques to new applications during your own investigations.

Keychain Recovery

Keychain, which is Apple’s built-in password manager, can be used to save credentials for websites, wireless networks, SSH servers, private keys, and more. The credentials are stored on disk within an encrypted (3DES) container that requires a master password from the user to unlock. During an investigation, you might need access to the stored credentials—to analyze the user’s e-mail, social media, or cloud storage account, for example.

You have a few options for acquiring the credentials:

  • Ask the user for the master password
  • Brute force the master password
  • Attempt to extract the master password ...

Publisher Resources

ISBN: 9781118824993