Keychain Access & Credential Storage
Location
~/Library/Keychains/ (login.keychain-db) and /Library/Keychains/ (System.keychain)
Description
macOS Keychain databases storing encrypted credentials including user passwords, Wi-Fi passwords, application tokens, certificates, private keys, and secure notes. The login keychain is unlocked when the user logs in and the System keychain stores system-wide credentials accessible to daemons and services.
Forensic Value
The Keychain is the primary credential store on macOS, so its access patterns reveal credential harvesting activity. The security command-line tool (security find-generic-password, security dump-keychain) can enumerate stored credentials on a live system. Keychain access events in the Unified Log (subsystem com.apple.securityd) show which processes requested credential access and whether the user approved the request. Keychain dumps that were not performed by the user or an authorized examiner indicate credential theft. The System keychain may contain Wi-Fi passwords, VPN credentials, and certificate private keys that give an attacker lateral movement opportunities.
Tools Required
security, cp, log
Collection Commands
security (dump the login keychain):
    security dump-keychain -d ~/Library/Keychains/login.keychain-db > /forensics/keychain_dump.txt 2>&1
security (list configured keychains):
    security list-keychains > /forensics/keychain_list.txt
cp (preserve the keychain databases):
    sudo cp ~/Library/Keychains/login.keychain-db /Library/Keychains/System.keychain /forensics/keychains/
log (securityd keychain access events, last 7 days):
    log show --last 7d --predicate "subsystem == 'com.apple.securityd' AND category == 'keychain'" > /forensics/keychain_access_log.txt
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
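As an added example, not part of this artifact reference, the POSIX shell helper below wraps the collection steps above and addresses the live-versus-image constraint: it takes a root path ("/" for a live system, or the mount point of a forensic image) so the same functions work for both sources, preserves file timestamps, writes a SHA-256 manifest for every copied keychain, and runs the live-only security and log steps only when collecting from "/". The user home passed relative to the root and the output directory are the examiner's choice (assumptions of this example).

```shell
#!/bin/sh
# Keychain artifact collection helper (constructed example, not the page's own tool).
# ROOT is "/" for a live system or an image mount point such as /Volumes/evidence;
# USER_HOME is the user's home directory relative to ROOT (e.g. Users/alice).

# Print the two keychain database paths for a given root and user home.
keychain_paths() {
    root="${1%/}"; home="${2#/}"
    printf '%s\n' "$root/$home/Library/Keychains/login.keychain-db" \
                  "$root/Library/Keychains/System.keychain"
}

# SHA-256 of a file, using whichever hashing tool the host provides
# (shasum on macOS, sha256sum on Linux).
sha256_of() {
    if command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# Copy one keychain file into OUTDIR/keychains, preserving timestamps, and append
# "<sha256>\t<size>\t<source path>" to OUTDIR/manifest.tsv. Returns 1 if missing.
collect_file() {
    src="$1"; outdir="$2"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    mkdir -p "$outdir/keychains"
    cp -p "$src" "$outdir/keychains/" || return 1
    printf '%s\t%s\t%s\n' "$(sha256_of "$src")" "$(wc -c < "$src" | tr -d ' ')" "$src" \
        >> "$outdir/manifest.tsv"
}

# Full collection: keychain files first, then the live-only steps (security and
# log only exist on the running macOS host, so they are skipped for images).
collect_keychains() {
    root="$1"; home="$2"; outdir="$3"
    mkdir -p "$outdir"
    keychain_paths "$root" "$home" | while IFS= read -r p; do collect_file "$p" "$outdir"; done
    if [ "$root" = "/" ]; then
        security list-keychains > "$outdir/keychain_list.txt" 2>&1
        log show --last 7d \
            --predicate "subsystem == 'com.apple.securityd' AND category == 'keychain'" \
            > "$outdir/keychain_access_log.txt" 2>&1
    fi
}
```

Run as `collect_keychains / Users/alice /forensics` on a live host (with Full Disk Access granted to the terminal) or `collect_keychains /Volumes/evidence Users/alice /forensics` against a mounted image.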