CHFI (312-49) Digital Forensics Simulation
Investigation Scenario
You are a digital forensics investigator responding to a suspected data exfiltration incident at a Seattle-based design firm. An employee recently resigned and is suspected of stealing intellectual property and sensitive client financial information (including credit card data) before departing.
You have been provided with a forensic disk image (E01) of the suspect's company-issued MacBook Pro running macOS Ventura.
Evidence Collected
Initial timeline analysis of the filesystem reveals the following activities just prior to the external drive connection:
Question
During a data-exfiltration case at a Seattle design firm, investigators need the macOS encrypted container that securely stores user account names and passwords for Mac, apps, servers, and websites and can also hold confidential information such as credit card numbers or bank account PIN numbers. What type of Mac forensics data source should they examine?
Expert Analysis
1. What the Evidence Shows
The system logs and metadata timeline indicate that the suspect accessed the ~/Library/Keychains/ directory just four minutes before mounting an unauthorized external USB drive. The modification time on login.keychain-db correlates with potential data export or manipulation of secured credentials.
2. Forensic Stage
Analysis Phase. The disk has already been imaged (Collection) and the timeline has been generated (Examination). The investigator must now identify which specific artifact contains the requested data to prove exfiltration of secure items.
3. Why the Correct Answer is Correct
C. Keychain is the built-in macOS password and certificate management system. It acts as an encrypted container (using Triple-DES or AES) holding Wi-Fi passwords, website credentials, application passwords, and Secure Notes (which frequently contain PINs or credit card numbers). It is the exact forensic artifact that matches the description in the scenario.
4. Why Others are Wrong
A. Property list (plist): These are preference and configuration files (often XML or binary). While they contain valuable forensic data like recent items or application settings, they are not encrypted containers designed to secure passwords.
B. Time Machine: This is Apple's backup utility. While a Time Machine backup contains the Keychain, Time Machine itself is a backup mechanism, not the encrypted container storing the passwords.
D. Apple Mail: This is an email client. Apple Mail does not have its own encrypted container for passwords; it relies on the macOS Keychain to store its account credentials securely.
5. Real-World Forensic Action
An investigator would extract the login.keychain-db and System.keychain files from the disk image. With the suspect's recovered user password (or a dictionary attack against the keychain), the investigator would use forensic tools such as Chainbreaker or Keychaindump to decrypt the database and review the stored Secure Notes for exfiltrated client credit card data.
MINI LESSON: macOS Artifact Interpretation
- Evidence Handling: Never interact with a live macOS Keychain on the suspect's machine, as OS-level mechanisms may alter timestamps or lock the vault. Always extract from a forensic image.
- Artifact Locations:
  - User Keychain: ~/Library/Keychains/login.keychain-db
  - System Keychain: /Library/Keychains/System.keychain
- Forensic Workflow: Identify encrypted containers early in the analysis phase. Decrypting these containers often yields credentials required to decrypt other evidence (like encrypted disk images, hidden volumes, or cloud storage accounts).
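As an added example (not part of the original simulation page), the first step of the "Real-World Forensic Action" above, applied to the two artifact locations from the lesson: a Python script that inventories the keychain files under a read-only mount of the E01 image, hashes them for the evidence record, and correlates the modification time of login.keychain-db with the external-drive connection time. The mount layout, the user name "jdoe" and the timestamps are constructed assumptions; it does not touch a live Keychain.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Artifacts from the lesson, relative to the image mount root ('~' becomes Users/<name>).
KEYCHAIN_PATHS = ["Users/{user}/Library/Keychains/login.keychain-db",
                  "Library/Keychains/System.keychain"]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory_keychains(image_root, user, usb_mount_utc, window_minutes=10):
    """One record per keychain artifact under the mounted image: hash, mtime, and
    whether the mtime falls within window_minutes before the USB drive connection."""
    records = []
    for rel in (p.format(user=user) for p in KEYCHAIN_PATHS):
        path = Path(image_root) / rel
        if not path.is_file():
            records.append({"path": rel, "present": False})
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        before_mount = usb_mount_utc - mtime  # positive when modified before the mount
        records.append({"path": rel, "present": True, "sha256": sha256_file(path),
                        "mtime_utc": mtime.isoformat(),
                        "minutes_before_mount": round(before_mount.total_seconds() / 60, 1),
                        "flagged": timedelta(0) <= before_mount <= timedelta(minutes=window_minutes)})
    return records

def build_constructed_image(root, user, usb_mount_utc):
    """Constructed stand-in for a mounted image (placeholder bytes, not real keychains)."""
    login = Path(root) / f"Users/{user}/Library/Keychains/login.keychain-db"
    system = Path(root) / "Library/Keychains/System.keychain"
    # login keychain modified 4 minutes before the mount (as in the scenario); System keychain days earlier
    for path, age in ((login, timedelta(minutes=4)), (system, timedelta(days=3))):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder-" + path.name.encode())
        ts = (usb_mount_utc - age).timestamp()
        os.utime(path, (ts, ts))

def demo():
    mount = datetime(2024, 3, 1, 14, 20, tzinfo=timezone.utc)  # constructed USB mount time
    with tempfile.TemporaryDirectory() as d:
        build_constructed_image(d, "jdoe", mount)
        return inventory_keychains(d, "jdoe", mount)
```

On a real case, point image_root at the read-only mount of the E01 and take the USB connection time from the timeline you already built; the flagged record is the four-minute correlation the analysis relies on.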