Keychain Stored Credentials (keychain-2.db)

iOS / Authentication & Access / Device Extraction

Location

On device: /private/var/Keychains/keychain-2.db
In an iTunes/Finder backup: the keychain is exported under the KeychainDomain (as a re-encrypted keychain-backup.plist, not the raw database file); ThisDeviceOnly items are never written to it.

Description

SQLite database holding the iOS Keychain: saved passwords, authentication tokens, Wi-Fi network passwords, VPN credentials, certificate private keys, and application-specific secrets (tables genp, inet, cert and keys). The database file itself is readable; the secret in each row's data column is ciphertext, encrypted with a per-item key that is wrapped by the class key of the item's accessibility class (kSecAttrAccessibleAlways, AfterFirstUnlock, WhenUnlocked, WhenPasscodeSetThisDeviceOnly, and the ThisDeviceOnly variants of the first three; the class is recorded in the pdmn column). Class keys live in the device keybag and are derived from the hardware UID and, for the passcode-protected classes, from the user passcode. An item's class therefore determines when the device can decrypt it (always, after first unlock, or only while unlocked) and whether it can be decrypted off the device at all: ThisDeviceOnly classes are bound to the UID and excluded from backups.

Forensic Value

The keychain contains plaintext passwords and authentication tokens for accounts configured on the device, directly revealing credentials for email accounts, Wi-Fi networks, VPN connections, and third-party applications. Saved website passwords from Safari AutoFill expose the user's online account credentials. Wi-Fi passwords are stored with their SSID, so entries can be matched against known access points for location correlation. VPN credentials may provide access to corporate networks or anonymization services. Decrypting keychain items off the device requires a password-protected (encrypted) backup whose backup password is known, or a full file-system extraction from an unlocked device with access to its keybag (passcode known, or obtained through an exploit); the keychain copy in an unencrypted backup is wrapped with a UID-derived key and can only be restored to the same device, and ThisDeviceOnly items never appear in any backup. The accessibility class of each item is therefore forensically significant: it determines whether the item can be recovered at all and by which method.
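The following triage script is an added example, not code from the original page or from any of the tools listed below. It illustrates the point made in the Description and Forensic Value sections: walking the genp and inet tables of a keychain-2.db copy, tagging each row with its accessibility class from the pdmn column, and separating items that an encrypted backup can yield from ThisDeviceOnly items that only a file-system extraction will contain. It assumes the genp/inet column layout (agrp, pdmn, acct, svce or srvr, data), the short pdmn codes used for each kSecAttrAccessible* class, and that Wi-Fi PSK items use the service name "AirPort"; the database it runs against is constructed in the script so it executes offline, and it does not attempt to decrypt the data column.

```python
"""Triage keychain-2.db rows by accessibility class (added example)."""
import sqlite3
import sys

# pdmn codes -> (accessibility class, recoverable from a password-protected
# backup). The *ThisDeviceOnly classes are bound to the device UID and never
# leave the device in a backup. Assumed mapping; verify against your dump.
PDMN_CLASSES = {
    "dk":   ("Always", True),
    "ck":   ("AfterFirstUnlock", True),
    "ak":   ("WhenUnlocked", True),
    "dku":  ("AlwaysThisDeviceOnly", False),
    "cku":  ("AfterFirstUnlockThisDeviceOnly", False),
    "aku":  ("WhenUnlockedThisDeviceOnly", False),
    "akpu": ("WhenPasscodeSetThisDeviceOnly", False),
}

WIFI_SERVICE = "AirPort"  # svce value for Wi-Fi PSK items (assumption)


def build_sample_db():
    """Constructed stand-in for keychain-2.db so the script runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE genp (agrp TEXT, pdmn TEXT, acct TEXT, svce TEXT, data BLOB);
        CREATE TABLE inet (agrp TEXT, pdmn TEXT, acct TEXT, srvr TEXT, data BLOB);
        """
    )
    blob = b"\x03\x00\x00\x00" + b"\xaa" * 28  # placeholder ciphertext, constructed
    conn.executemany(
        "INSERT INTO genp VALUES (?, ?, ?, ?, ?)",
        [
            ("apple", "ck", "CorpNet", WIFI_SERVICE, blob),
            ("apple", "ak", "coffee_shop", WIFI_SERVICE, blob),
            ("com.example.bank", "akpu", "session", "oauth-token", blob),
            ("com.example.vpn", "cku", "vpnuser", "com.example.vpn", blob),
        ],
    )
    conn.executemany(
        "INSERT INTO inet VALUES (?, ?, ?, ?, ?)",
        [
            ("com.apple.cfnetwork", "ak", "alice@example.com", "mail.example.com", blob),
            ("com.apple.cfnetwork", "ak", "alice", "www.example.com", blob),
            ("com.example.app", "dku", "bob", "api.example.net", blob),
        ],
    )
    conn.commit()
    return conn


def triage(conn):
    """Return one dict per genp/inet row, tagged with its accessibility class."""
    items = []
    queries = (
        ("genp", "SELECT rowid, agrp, pdmn, acct, svce, data FROM genp ORDER BY rowid"),
        ("inet", "SELECT rowid, agrp, pdmn, acct, srvr, data FROM inet ORDER BY rowid"),
    )
    for table, sql in queries:
        for rowid, agrp, pdmn, acct, target, data in conn.execute(sql):
            cls, in_backup = PDMN_CLASSES.get(pdmn, (f"unknown:{pdmn}", None))
            if table == "genp" and target == WIFI_SERVICE:
                kind = "wifi"          # acct holds the SSID
            elif table == "inet":
                kind = "internet"      # target holds the server name
            else:
                kind = "generic"
            items.append({
                "table": table, "rowid": rowid, "agrp": agrp, "acct": acct,
                "target": target, "kind": kind, "pdmn": pdmn, "class": cls,
                "in_backup": in_backup,
                # data stays encrypted here: decrypting it needs the class keys
                # from the device keybag, or the backup keybag plus backup password.
                "cipher_len": len(data) if data else 0,
            })
    return items


def summarize(items):
    """Counts per class plus the split an examiner needs before choosing a method."""
    by_class = {}
    for it in items:
        by_class[it["class"]] = by_class.get(it["class"], 0) + 1
    return {
        "total": len(items),
        "backup_migratable": sum(1 for it in items if it["in_backup"] is True),
        "device_only": sum(1 for it in items if it["in_backup"] is False),
        "by_class": by_class,
        "wifi_ssids": sorted(it["acct"] for it in items if it["kind"] == "wifi"),
    }


if __name__ == "__main__":
    # Pass a path to a keychain-2.db copy to run against real data.
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    rows = triage(db)
    for it in rows:
        print(f"{it['table']}:{it['rowid']:<3} {it['class']:<34} "
              f"{'backup' if it['in_backup'] else 'device-only':<11} "
              f"{it['kind']:<8} {it['acct']} @ {it['target']}")
    print(summarize(rows))
```

Run with no arguments to see the constructed sample; pass the path of a keychain-2.db obtained from a file-system extraction to triage a real copy. The device_only count is the set of items no backup-based workflow will ever surface; if it is non-zero and those items matter to the case, plan for a full file-system extraction rather than a backup.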

Tools Required

  • Cellebrite UFED
  • Elcomsoft Phone Breaker
  • Magnet AXIOM
  • Belkasoft
  • Keychain Dumper

Collection Commands

idevicebackup2

idevicebackup2 backup --full /forensics/ios_backup/

Turn on backup encryption for the device first (idevicebackup2 encryption on) and record the backup password; the keychain in an unencrypted backup is wrapped with a device UID-derived key and cannot be decrypted off the device.

Elcomsoft Phone Breaker

epb extract-keychain -i /forensics/ios_backup/ -o /forensics/keychain_dump/

iLEAPP

python3 ileapp.py -t itunes -i /path/to/backup -o /forensics/output/

Collection Constraints

  • Availability depends on iOS version, device lock state, backup encryption state, and extraction method. Items in the ThisDeviceOnly classes are never included in a backup and require a full file-system extraction; items in the other classes are recoverable from a password-protected backup only when the backup password is known.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

  • T1634.001 Credentials from Password Store: Keychain
  • T1417 Input Capture
  • T1005 Data from Local System
  • T1636 Protected User Data