I have a 2013 iMac with 2 user accounts on it. I know the password for one user account, the other I do not.
I obtain an image of the mac using CAINE.
I was able to decrypt 632GB of data from that image.
The user account that has the unknown password...can I obtain a password list from the various keychain databases? Or any useful information what so ever?
Since you have a non-encrypted image of the device, you can try to crack the user password by extracting the login-hash from the correct user-plist file...or (and this one is much faster) by extracting the keychain-hash from the login.keychain of that user.
Since there is a high probability that the user used the same password for login and keychain, I would try the keychain-hash. Do not forget the --keep-guessing in order to tackle the false positives.
You can obtain the content of the keychain of your first user with some dedicated (commercial) tools, like Chainbreaker.
So, the login.keychain from the user account that I do not have the password for..I do have that file, but it is encrypted. You are saying I can get the hash of that file and perform a dictionary attack ect. of that hash with hashcat?
My question now, how do I obtain a hash for that? It is not just like the MD5 of the file correct? Can I use chainbreaker to obtain that, then use hashcat on that hash?