See this Copy keychains to another Mac - Apple Support. It is about one mac which I want to delete everything and reinstall fresh OS.
This branch contains a quick patch for chainbreaker to dump non-exportable keys on High Sierra, see README-keydump.txt for more details. Original README goes below.
The chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner.Master Key candidates can be extracted from volafox or volatility keychaindump module.
Supported OS
Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra
Target Keychain file
- User Keychain(~/Users/[username]/Library/Keychains/login.keychain) : It has user id/password about installed application, ssh/vpn, mail, contacts, calendar and so on. It has key for call history decryption too.
- System Keychain(/Library/Keychains/System.keychain) : It has WiFi password registered by local machine and several certifications and public/private keys. (Detailed Info : http://forensic.n0fate.com/2014/09/system-keychain-analysis/)
How to use:
If you have only keychain file and password, command as follow:
If you have memory image, you can extract master key candidates using volafox project. The volafox, memory forensic toolit for Mac OS X has been written in Python as a cross platform open source project. Of course, you can dump it using volatility.
Example
If you have memory image only, you can dump a keychain file on it and decrypt keychain contents as link
Contacts
chainbreaker was written by n0fateE-Mail address can be found from source code.