Obtaining keychain files


In order to decrypt the keychain with EPD, the first thing you’ll need is the keychain itself. In macOS, the keychain is stored in several physical files. Yet another file holds the decryption key for the system keychain. You’ll need all of these in order to gain full access to the encrypted information.

If you’re acquiring keychain files from a live macOS system, do the following.

Make a new folder somewhere (e.g. “KEYCHAINS” on the desktop).

Open Terminal and issue the following command:

cd Desktop/KEYCHAINS

Copy the following files into the current folder (“KEYCHAINS”):

cp /Users/<username>/Library/Keychains/login.keychain .
cp /Library/Keychains/System.keychain .
sudo cp /private/var/db/SystemKey .

Notes:

You need superuser access in order to extract SystemKey, a file that contains the encryption metadata needed to decrypt the system keychain. You’ll be prompted for a password.

On macOS 10.12 and later, the keychain file name (in the first command) is login.keychain-db.

There is a final dot at the end of each “copy” command. This is not a formatting error; the dot means that the file is to be copied into the current folder (“KEYCHAINS” in our case).

<username> is the name of the user whose keychain you are about to extract (the currently logged-in user is displayed before the “$” sign in the Terminal prompt).

Transfer the content of the “KEYCHAINS” folder to the Windows PC where you have EPD installed. You may be prompted to enter your Mac administrator's password again, because of the special permissions set on the SystemKey file.

 

If you have a disk image instead of a live system, extracting the files is easier, since you won’t need superuser access or an admin password. Just mount the disk image and use your favorite file manager to copy the required files to your Windows computer.

 

Mounting the disk image is normally not a problem. If you’re dealing with a DMG image, macOS has built-in tools to mount it. If the disk image is in EnCase .E01 format, you’ll need a third-party tool to mount it, such as AccessData FTK Imager or GetData Forensic Imager.



 © 2015 ElcomSoft Co.Ltd.