Keychain
Overview
Evidence: Keychain
Description: Filter keychain unlock events
Category: System
Platform: macos
Short Name: kch
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The macOS Keychain stores sensitive information including passwords, certificates, and encryption keys. The loginwindow process interacts with the Security framework to unlock keychains during user login and authentication, and those interactions are written to the unified log. The events this collector gathers record keychain unlock attempts and related keychain access made on the user's behalf at login time.
Data Collected
This collector gathers structured unified log entries describing keychain unlock and access events generated by the loginwindow process through the Security framework (timestamp, process, subsystem, category and message).
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract loginwindow Security framework events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Keychain'.
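The following is an added example of how a collection of this kind can be implemented; it is not the collector's own code. It builds the `log show` invocation (the --last, --predicate and --style flags are real options of the macOS log command), parses the JSON array that `log show --style json` emits, and stores the rows in a unified_logs table tagged PredicateType='Keychain'. The predicate string, the JSON field names used and the sample entries are assumptions: the page does not state the exact predicate, and the sample is constructed rather than a real capture.

```python
"""Added example: collect loginwindow/Security keychain events from the
macOS unified log into a unified_logs table (not the collector's code)."""
import json
import os
import sqlite3
import subprocess

# Assumed predicate. The page only says "loginwindow Security framework
# events"; the collector's exact predicate is not given.
PREDICATE = ('process == "loginwindow" AND '
             'subsystem BEGINSWITH "com.apple.security"')


def log_show_command(last="3d"):
    """Build the `log show` invocation for the last N days/hours.
    --last, --predicate and --style json are real flags of `log`."""
    return ["log", "show", "--last", last,
            "--predicate", PREDICATE, "--style", "json"]


def run_log_show(last="3d"):
    """Run the command and return its JSON text. Works only on macOS."""
    return subprocess.run(log_show_command(last), check=True,
                          capture_output=True, text=True).stdout


def parse_log_json(json_text):
    """`log show --style json` returns a JSON array of entry objects.
    Field names below (timestamp, processImagePath, processID, subsystem,
    category, eventMessage) are assumed to match that output."""
    rows = []
    for e in json.loads(json_text):
        rows.append((
            e.get("timestamp"),
            os.path.basename(e.get("processImagePath") or ""),
            e.get("processID"),
            e.get("subsystem"),
            e.get("category"),
            e.get("eventMessage"),
        ))
    return rows


def init_db(conn):
    """Minimal unified_logs schema; the real table has more columns."""
    conn.execute("""CREATE TABLE IF NOT EXISTS unified_logs (
        timestamp TEXT, process TEXT, pid INTEGER, subsystem TEXT,
        category TEXT, message TEXT, PredicateType TEXT)""")


def store_entries(conn, rows, predicate_type="Keychain"):
    """Insert parsed rows tagged with the predicate that produced them."""
    conn.executemany("INSERT INTO unified_logs VALUES (?,?,?,?,?,?,?)",
                     [r + (predicate_type,) for r in rows])
    conn.commit()
    return len(rows)


def keychain_unlocks(conn):
    """Illustrative triage query: Keychain-tagged messages mentioning an
    unlock, in time order."""
    return conn.execute(
        "SELECT timestamp, message FROM unified_logs "
        "WHERE PredicateType = 'Keychain' AND message LIKE '%unlock%' "
        "ORDER BY timestamp").fetchall()


def collect_from_json(json_text, predicate_type="Keychain"):
    """Parse JSON text into a fresh in-memory unified_logs table.
    Returns (rows stored, unlock-related rows)."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    stored = store_entries(conn, parse_log_json(json_text), predicate_type)
    return stored, keychain_unlocks(conn)


# Constructed sample of what the JSON output could look like; not a real
# capture, and the messages are illustrative only.
LOGINWINDOW = ("/System/Library/CoreServices/loginwindow.app/"
               "Contents/MacOS/loginwindow")
SAMPLE_JSON = json.dumps([
    {"timestamp": "2024-03-01 08:02:11.120000-0800",
     "processImagePath": LOGINWINDOW, "processID": 134,
     "subsystem": "com.apple.security", "category": "keychain",
     "eventMessage": "unlock login keychain for user alice"},
    {"timestamp": "2024-03-01 17:45:02.000000-0800",
     "processImagePath": LOGINWINDOW, "processID": 134,
     "subsystem": "com.apple.security", "category": "keychain",
     "eventMessage": "login keychain locked on session end"},
    {"timestamp": "2024-03-02 02:13:40.500000-0800",
     "processImagePath": LOGINWINDOW, "processID": 134,
     "subsystem": "com.apple.security", "category": "keychain",
     "eventMessage": "unlock attempt failed: incorrect password"},
])

if __name__ == "__main__":
    # On a Mac, replace SAMPLE_JSON with run_log_show() for live data.
    stored, hits = collect_from_json(SAMPLE_JSON)
    print(stored, "rows stored;", len(hits), "unlock-related")
    for ts, msg in hits:
        print(ts, msg)
```

On a live system the only change is feeding run_log_show() instead of the constructed sample into collect_from_json(); the three-day window comes from the --last argument, so widening it is a matter of passing a different value.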
Forensic Value
Keychain events are important for investigating credential theft, unauthorized access to stored secrets, password dumping attempts, and suspicious authentication patterns. They reveal when keychains were unlocked, accessed, or modified, and when unlock attempts failed, helping detect credential harvesting and unauthorized secret access. Two limits follow from the collection method: the predicate is scoped to loginwindow Security framework events, so keychain access by other processes is not captured by this collector, and only the last 3 days of the unified log are queried, so older unlock events will be absent.