Wickr is another example of an application that uses encryption and stores the encryption key in the keychain on iOS devices. Passwords and other entries in the keychain are stored as <dict> objects, each corresponding to an application that stores data in the keychain. Manual review of the keychain file can uncover the vData property associated with a particular application, but this can also be done with forensic tools like Magnet AXIOM.[1]
If you are using AXIOM to process the keychain, Magnet Forensics recommends processing the keychain separately so that the relevant keys can be extracted later. Their steps for completing this process are listed below.
Using AXIOM Process:
1. Provide Case details.
2. On the Evidence sources screen, click Mobile > iOS > Load evidence > Files & folders.
3. Click File browser and select the keychain.plist file, then click Open.
4. Finally, click Analyze evidence.
Once the keychain has been processed, its output is used to decrypt the Wickr application. Search for the Wickr application under Services, then copy the Value assigned to the activeAccount. The encryption key should be 32 bytes in length (64 characters), and you may need to remove any padding that precedes the actual encryption key.
The keychain.plist can also be searched manually, as outlined in the blog post from Magnet Forensics.[1] The whitepaper published in Forensic Science International: Digital Investigation highlights how the application utilizes encryption.[2]
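The manual search and padding removal described above can be scripted. This is an added example, not code from Magnet Forensics or the cited paper. It assumes the entry fields are named `svce` and `acct` (hypothetical; `vData` is the name used above), that the value is raw bytes or a hex string, and that the key is the final 32 bytes. The sample plist is constructed.

```python
import plistlib

# Assumed field names for this sketch; match them to the export being examined.
SERVICE_KEY, ACCOUNT_KEY, DATA_KEY = "svce", "acct", "vData"
KEY_LEN = 32  # bytes, i.e. 64 hex characters

def iter_dicts(node):
    """Yield every <dict> found anywhere in a parsed plist."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from iter_dicts(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_dicts(child)

def strip_padding(value):
    """Return the trailing 32 bytes of a value as hex, dropping leading padding."""
    raw = bytes.fromhex(value) if isinstance(value, str) else bytes(value)
    if len(raw) < KEY_LEN:
        raise ValueError(f"value is {len(raw)} bytes, expected at least {KEY_LEN}")
    return raw[-KEY_LEN:].hex()

def find_wickr_key(plist_bytes, service="wickr", account="activeAccount"):
    """Locate the Wickr activeAccount entry and return its 64-character key."""
    root = plistlib.loads(plist_bytes)
    for entry in iter_dicts(root):
        svc = str(entry.get(SERVICE_KEY, "")).lower()
        if service in svc and entry.get(ACCOUNT_KEY) == account and DATA_KEY in entry:
            return strip_padding(entry[DATA_KEY])
    return None  # no matching entry in this keychain export

# Constructed sample: two entries; the Wickr value carries 4 bytes of leading padding.
SAMPLE_KEY = bytes(range(32))
SAMPLE = plistlib.dumps({"genp": [
    {"svce": "com.example.other", "acct": "user", "vData": b"not-a-key"},
    {"svce": "com.example.wickr", "acct": "activeAccount",
     "vData": b"\x00\x00\x00\x20" + SAMPLE_KEY},
]})

if __name__ == "__main__":
    print(find_wickr_key(SAMPLE))
```

A value shorter than 32 bytes raises an error instead of returning a truncated key, which flags an entry that was exported incompletely or is not the key at all.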
References:
https://for585.com/wickrdecrypt
https://www.sciencedirect.com/science/article/abs/pii/S2666281721000366 - Scientific journal
https://www.sciencedirect.com/journal/forensic-science-international-digital-investigation