Pro plugin
Keychain Metadata
Collects macOS Keychain item metadata (labels, accounts, services, timestamps, protection classes) without extracting secrets
system.keychainPromacOS 10.15+v1.0.0systemsecuritycredentialsRun this plugin
Trigger collection for Keychain Metadata on its own with the --plugin flag, or include it in a wider sweep by category.
# Just this plugin
macfor-pro collect --plugin system.keychain --output ./evidence.zip
# Dry run — list what would be collected
macfor-pro collect --plugin system.keychain --dry-runCompatibility
- macOS 10.15+
Licensing: ships in the macfor-pro binary. See Community vs Pro.
Artifacts collected (6)
Each row corresponds to an entry in the plugin's artifacts.yaml manifest. Optional artifacts are skipped unless explicitly enabled.
credentials
| Artifact | Format | Path | Notes |
|---|---|---|---|
Generic Passwords keychain_generic_passwords | sqlite | ~/Library/Keychains/*/keychain-2.db+2 more
| Metadata only. The data (secret) column is never extracted. |
Internet Passwords keychain_internet_passwords | sqlite | ~/Library/Keychains/*/keychain-2.db+2 more
| Metadata only. The data (secret) column is never extracted. |
Certificates keychain_certificates | sqlite | ~/Library/Keychains/*/keychain-2.db+2 more
| Certificate metadata including subject, issuer, and serial number hashes. |
Keys keychain_keys | sqlite | ~/Library/Keychains/*/keychain-2.db+2 more
| Key metadata only. Key material (data column) is never extracted. |
Raw Keychain Store keychain_raw_storeOptionalOpt-in | sqlite | ~/Library/Keychains/*/keychain-2.db+2 more
| Full database files including WAL/SHM. Contains encrypted secrets that cannot be decrypted without keychain password. |
config
| Artifact | Format | Path | Notes |
|---|---|---|---|
iCloud Keychain Status keychain_icloud_status | binary_plist | ~/Library/Keychains/accountStatus.plist | iCloud Keychain sync enrollment state. |