Keychain Access & Credential Storage
Location
~/Library/Keychains/ (login.keychain-db) and /Library/Keychains/ (System.keychain)
Description
macOS Keychain databases storing encrypted credentials, including user passwords, Wi-Fi passwords, application tokens, certificates, private keys, and secure notes. The login keychain is unlocked when the user logs in, and the System keychain stores system-wide credentials accessible to daemons and services.
Forensic Value
The Keychain is the primary credential store on macOS, and its access patterns reveal credential harvesting activity. The security command-line tool (security find-generic-password, security dump-keychain) can enumerate stored credentials on a live system. Keychain access events in the Unified Log show which processes requested credential access and whether the user approved the request. Unauthorized keychain dumps indicate credential theft. The system keychain may contain Wi-Fi passwords, VPN credentials, and certificate private keys that provide lateral movement opportunities for attackers.
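A triage sketch for the security tool usage described above, added here as an example and not part of the original entry. The record layout (timestamp, parent process, command line), the SAMPLE_EVENTS data, and the function names are assumptions; the option letters come from the security man page, which goes beyond what this entry lists.

```python
import shlex

# Subcommands of the macOS `security` tool that read keychain items, mapped to
# the single-letter options that make them print secret data.
SECRET_OPTS = {
    "dump-keychain": "d",           # -d: include decrypted item data
    "find-generic-password": "gw",  # -g / -w: print the password
    "find-internet-password": "gw",
}

# Constructed sample process-execution records (timestamp, parent, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01Z", "zsh", "security list-keychains"),
    ("2024-05-01T09:02:10Z", "Terminal", "security find-generic-password -s example-service"),
    ("2024-05-01T09:02:45Z", "python3", "/usr/bin/security find-generic-password -w -s example-service"),
    ("2024-05-01T09:03:02Z", "bash", "/usr/bin/security dump-keychain -d login.keychain-db"),
    ("2024-05-01T09:04:00Z", "zsh", "ls -la /Library/Keychains"),
]

def classify(cmdline):
    """Return 'high' (secret output requested), 'review' (metadata only) or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in a logged command line
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "security":
        return None
    sub = next((a for a in argv[1:] if a in SECRET_OPTS), None)
    if sub is None:
        return None
    rest = argv[argv.index(sub) + 1:]
    # Collect option letters, including clustered forms such as "-ga".
    letters = {c for a in rest if a.startswith("-") and not a.startswith("--") for c in a[1:]}
    return "high" if letters & set(SECRET_OPTS[sub]) else "review"

def triage(events):
    """Return (timestamp, parent, severity) for every keychain-reading invocation."""
    hits = []
    for ts, parent, cmdline in events:
        severity = classify(cmdline)
        if severity:
            hits.append((ts, parent, severity))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

The option-letter check can over-match when an option value itself begins with a dash, so treat the result as a triage priority and confirm against the full command line and the parent process.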