Keychain Stored Credentials (keychain-2.db)

iOS, Authentication & Access, Device Extraction

Location

KeychainDomain/keychain-2.db

Description

Encrypted SQLite database storing the iOS Keychain containing saved passwords, authentication tokens, Wi-Fi network passwords, VPN credentials, certificate private keys, and application-specific secrets. Items are protected by different accessibility classes that determine when they can be decrypted, ranging from always available to only when the device is unlocked. The keychain is encrypted with keys derived from the device hardware UID and user passcode.

Forensic Value

The keychain contains plaintext passwords and authentication tokens for accounts configured on the device, directly revealing credentials for email accounts, Wi-Fi networks, VPN connections, and third-party applications. Saved website passwords from Safari AutoFill expose the user's online account credentials. Wi-Fi passwords stored in the keychain can be matched against known network access points for location correlation. VPN credentials may provide access to corporate networks or anonymization services. Keychain extraction requires either a device passcode, an unencrypted iTunes backup, or advanced exploitation techniques, making the accessibility class of each item forensically significant.
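
An added example, not part of the original entry: a metadata-only triage that tallies keychain items by accessibility class without decrypting anything. The table names (`genp`, `inet`, `cert`, `keys`), the `pdmn` column and its code values are assumptions based on the commonly documented keychain-2.db schema, and the sample rows are constructed.

```python
import sqlite3
from collections import Counter

# pdmn codes -> accessibility class (assumed mapping, see lead-in)
PDMN = {
    "ak": "WhenUnlocked",
    "ck": "AfterFirstUnlock",
    "dk": "Always",
    "aku": "WhenUnlockedThisDeviceOnly",
    "cku": "AfterFirstUnlockThisDeviceOnly",
    "dku": "AlwaysThisDeviceOnly",
    "akpu": "WhenPasscodeSetThisDeviceOnly",
}
TABLES = ("genp", "inet", "cert", "keys")  # assumed item tables


def summarize(conn):
    """Count items per (table, accessibility class); encrypted data blobs are never read."""
    present = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")}
    counts = Counter()
    for table in TABLES:
        if table not in present:  # tolerate a table missing from this copy
            continue
        for (pdmn,) in conn.execute(f"SELECT pdmn FROM {table}"):
            code = pdmn.decode(errors="replace") if isinstance(pdmn, bytes) else (pdmn or "")
            counts[(table, PDMN.get(code, f"unknown({code})"))] += 1
    return counts


def device_bound(counts):
    """ThisDeviceOnly items are not restorable to a different device from a backup."""
    return sum(n for (_, cls), n in counts.items() if cls.endswith("ThisDeviceOnly"))


def build_sample():
    """Constructed in-memory stand-in for keychain-2.db (not real evidence)."""
    conn = sqlite3.connect(":memory:")
    for t in ("genp", "inet"):
        conn.execute(f"CREATE TABLE {t} (rowid INTEGER PRIMARY KEY, agrp TEXT, pdmn TEXT, data BLOB)")
    conn.executemany("INSERT INTO genp (agrp, pdmn, data) VALUES (?, ?, ?)",
                     [("apple", "ak", b"\x00"), ("com.example.app", "cku", b"\x00"),
                      ("apple", "dku", b"\x00")])
    conn.executemany("INSERT INTO inet (agrp, pdmn, data) VALUES (?, ?, ?)",
                     [("com.apple.cfnetwork", "ak", b"\x00"), ("com.example.app", "zz", b"\x00")])
    return conn


if __name__ == "__main__":
    # For a working copy of real evidence, open read-only:
    #   sqlite3.connect("file:keychain-2.db?mode=ro", uri=True)
    for (table, cls), n in sorted(summarize(build_sample()).items()):
        print(f"{table:5} {cls:32} {n}")
```

Unrecognized codes are reported as `unknown(...)` rather than dropped, so a schema change shows up in the tally instead of silently shrinking it.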

Tools Required

Cellebrite UFED, Elcomsoft Phone Breaker, Magnet AXIOM, Belkasoft, Keychain Dumper