Keychain
Overview
Evidence: Keychain
Description: Filter keychain unlock events
Category: System
Platform: macos
Short Name: kch
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The macOS Keychain stores sensitive data such as passwords, certificates, and encryption keys. During login and later authentication prompts, the loginwindow process calls into the Security framework to unlock the user's keychains, and those calls are recorded in the unified log. The entries this collector gathers record those keychain unlock attempts, including unlocks that fail.
Data Collected
This collector gathers structured unified log entries describing keychain unlock events: the loginwindow Security framework log entries emitted over the collection window, with their timestamps and message content.
Collection Method
This collector runs the macOS 'log' command with a predicate filter that selects loginwindow Security framework events from the last 3 days. The JSON output is parsed and each entry is stored as a row in the unified_logs table with PredicateType='Keychain'. Events older than the three-day window, or already rotated out of the unified log store, are not collected, and because the predicate is scoped to loginwindow, keychain activity initiated by other processes is not covered by this evidence type.
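The pipeline described above, as an added example in Python that is not the product's own code: build the 'log show' invocation, parse its JSON output, and store each entry in an in-memory unified_logs table tagged PredicateType='Keychain'. The predicate string and the table columns are assumptions (the page does not print either), and the three log entries are a constructed sample in the shape 'log show --style json' emits, not real output from a host.

```python
import json
import sqlite3
import subprocess

# Assumed predicate: the page says the collector selects loginwindow Security
# framework events but does not show the predicate it uses, so this one is illustrative.
KEYCHAIN_PREDICATE = 'process == "loginwindow" AND sender == "Security"'
PREDICATE_TYPE = "Keychain"
LOOKBACK = "3d"  # the page states a three-day window


def build_log_command(predicate=KEYCHAIN_PREDICATE, last=LOOKBACK):
    """argv for the macOS log tool; --last, --predicate and --style are real flags of `log show`."""
    return ["log", "show", "--last", last, "--predicate", predicate, "--style", "json"]


def run_log_show(predicate=KEYCHAIN_PREDICATE, last=LOOKBACK):
    """Run `log show` on a live macOS host and return the parsed JSON array (not exercised offline)."""
    proc = subprocess.run(build_log_command(predicate, last), capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def create_schema(conn):
    """Assumed minimal unified_logs schema; the product's real column set is not on the page."""
    conn.execute(
        """CREATE TABLE IF NOT EXISTS unified_logs (
               timestamp TEXT, process TEXT, sender TEXT, subsystem TEXT,
               category TEXT, message_type TEXT, message TEXT, PredicateType TEXT)"""
    )


def store_entries(conn, entries, predicate_type=PREDICATE_TYPE):
    """Insert parsed `log show --style json` objects, tagging every row with PredicateType.
    Returns the number of rows inserted. Field names (timestamp, process, sender,
    subsystem, category, messageType, eventMessage) follow the JSON style of `log show`."""
    rows = [
        (e.get("timestamp"), e.get("process"), e.get("sender"), e.get("subsystem"),
         e.get("category"), e.get("messageType"), e.get("eventMessage"), predicate_type)
        for e in entries
    ]
    conn.executemany("INSERT INTO unified_logs VALUES (?,?,?,?,?,?,?,?)", rows)
    return len(rows)


def keychain_events(conn, needle="keychain"):
    """Return (timestamp, message) for stored Keychain rows whose message mentions the needle."""
    cur = conn.execute(
        "SELECT timestamp, message FROM unified_logs "
        "WHERE PredicateType = ? AND lower(message) LIKE ? ORDER BY timestamp",
        (PREDICATE_TYPE, f"%{needle.lower()}%"),
    )
    return cur.fetchall()


# Constructed sample in the shape `log show --style json` emits; not real log output.
SAMPLE_LOG_JSON = """[
  {"timestamp": "2024-05-01 08:02:11.000000-0700", "process": "loginwindow", "sender": "Security",
   "subsystem": "com.apple.securityd", "category": "keychain", "messageType": "Default",
   "eventMessage": "unlocking login keychain for user alice"},
  {"timestamp": "2024-05-01 08:02:12.000000-0700", "process": "loginwindow", "sender": "Security",
   "subsystem": "com.apple.securityd", "category": "keychain", "messageType": "Error",
   "eventMessage": "keychain unlock failed for user alice"},
  {"timestamp": "2024-05-01 08:02:13.000000-0700", "process": "loginwindow", "sender": "Security",
   "subsystem": "com.apple.securityd", "category": "session", "messageType": "Default",
   "eventMessage": "session state changed"}
]"""


def collect_from_json(text):
    """Parse `log show` JSON text into an in-memory unified_logs table; returns (conn, rows_inserted).
    An empty window yields "[]", which stores zero rows rather than failing."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("log show --style json is expected to emit a JSON array")
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    return conn, store_entries(conn, entries)


if __name__ == "__main__":
    db, count = collect_from_json(SAMPLE_LOG_JSON)
    print(f"stored {count} rows with PredicateType={PREDICATE_TYPE}")
    for ts, msg in keychain_events(db):
        print(ts, msg)
```

To run against a real host, replace SAMPLE_LOG_JSON with the output of run_log_show(); the table then contains every entry the predicate matched, and keychain_events() filters that set down to the unlock messages an analyst would review.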
Forensic Value
Keychain unlock events support investigations of credential theft, unauthorized access to stored secrets, password dumping, and suspicious authentication patterns. They record when a user's keychains were unlocked through loginwindow and whether those attempts succeeded, so repeated failed unlocks, unlocks at unusual times, or unlocks that do not line up with expected logon activity stand out as indicators of credential harvesting or unauthorized secret access.