Obtaining keychain files
|Top Previous Next|
In order to decrypt the keychain with EPD, the first thing you’ll need is the keychain itself. In Mac OS, keychain is stored in several physical files. Yet another file holds the decryption key for the system keychain. You’ll need all of these in order to gain full access to encrypted information.
If you’re acquiring keychain files from a live Mac OS X system, do the following.
•Make a new folder on the desktop (e.g. “KEYCHAINS”)
•Open Terminal and issue the following command
•Copy the following files into the current folder ( “KEYCHAINS”):
•Transfer the content of the “KEYCHAINS” folder to the Windows PC where you have EPD installed; you may be prompted to enter your Mac administrator's password again (because of special permissions set on SystemKey file).
If you have a disk image instead of the live system, extracting files is easier since you won’t need superuser access or admin password. Just mount the disk image and use your favorite file manager to copy the required files to your Windows computer.
Mounting the disk image is normally not a problem. If you’re dealing with a DMG image, Mac OS has built-in tools to mount it. If the disk image is in EnCase .E01 format, you’ll need to use third-party tools to mount the image, such as AccessData FTK Imager or GetData Forensic Imager.
Get more information about Elcomsoft Password Digger
Get full version of Elcomsoft Password Digger
© 2015 ElcomSoft Co.Ltd.