04/27/2007, 11:10am, EDT
Friday, April 27th
MacLockPick utility extracts passwords
SubRosaSoft.com today released MacLockPick, a new live forensics tool for extracting passwords, internet history, and system settings from Mac OS X systems. The utility is designed for law enforcement professionals to perform live forensics and is based on a USB Flash drive that users insert into a suspects Mac OS X system -- running or sleeping -- to extract data from the Apple Keychain as well as system settings, providing examiners with fast access to critical information with as little interaction or trace as possible. MacLockPick is priced at $500 for licensed investigators, or $450 for State and local law enforcement professionals. Licenses for Federal law enforcement officers as well as purchases of five or more copies are available for $400 each.
The software compiles a database of the suspects information on the Flash drive to allow for easy transportation away from the suspect system, which is accessible via included log readers on other Mac OS X, Linux, and Microsoft Windows systems.
The application works to obtain Apple Keychain passwords including those for the logged in user, general passwords such as encrypted disk images or Wi-Fi base stations, and internet-related passwords including login and password details for websites as well as email accounts.
File and folder details collected include folder dates with a list of all the key user folders along with their creation, last modification, first access, and most recent access dates. Paths to the most recent disk images that were mounted on the subject Mac are also collected, with full paths to recent files viewed in the Preview program and file names for recently viewed QuickTime movies.
MacLockPick extracts the subject's instant messaging default login for iChat as well as a complete buddy list, including buddies who were already deleted. Email information is also collected, including account details with login names and server addresses used alongside Address Book contents -- including contacts that were deleted.
The utility also collects Web history and preferences such as search strings or cached bookmarks, and hardware preferences including iPod serial numbers that were connected to the Mac or Bluetooth devices that were paired with the system.
Filed under: software
Other story tags: Other Applications
, 
, 25
, 
, 
, 
, 
, 
, 
Top
subscribe to comments
for this article
Privacy advocates...what do you think??
If your Mac requires your login password at startup, wake-from-sleep, or returning from screensaver your system should (from what they're saying) not be vulnerable to this product if in those states.
The single most interesting "feature" is that this product can apparently determine the login password of the logged-in user. If that password is available anywhere, this is a security problem Apple should fix. Once the login password is known, then everything else is wide open and this product isn't doing anything unique (other than saving the investigator many manual steps).
If you don't use Filevault, it's a trivial thing to image your hard drive then (from the image) gain access to most files. Accessing the keychain contents is not possible (or at least not easy) without the login password, but everything else is wide open. The purpose of Filevault is to protect all user items.
Moral of the story... If you have private data on your computer, the minimum security you should use is to deactivate auto-login, and require password at wake-up/screensaver. Filevault is an excellent bonus but has a slight performance and reliability impact.