This script parses records from macOS and iOS Biome SEGB files, which are believed to monitor user activity with a view to making context-sensitive suggestions that improve user experience. This functionality is described in the following article:
Currently there are two versions of these files, one having a ‘SEGB’ signature at offset 52 and one having a ‘SEGB’ signature at offset 0. The script refers to these versions as V1 and V2 respectively.
Both types of file include timestamps pertaining to the file-header and the records themselves.
In addition, the records also have a numeric state field indicating whether they’re used (1) or unused/deleted (3). Tests indicate that the latter only ever contain null-bytes.
Most current records use protocol buffers (aka protobufs) to store data (aka messages), although some binary property-list streams have been observed as well.
Protobuf messages are encoded/decoded using protocol-format files, which usually have a *.proto file-extension. The protocol-format file lists the type of each field, its name, and a numeric ID. Protobuf messages may be nested.
The encoding process uses the six wire types specified in the following article:
In order to parse protobufs without the associated protocol-format files, the script uses the ProtoUntyped .NET library:
Whilst this works reasonably well, only the numeric ID can be produced by the script and some values must be interpreted on a best-guess basis. This is because one cannot fully interpret a protobuf message without the corresponding *.proto file. This point is made in the When are Protocol Buffers not a Good Fit? section of the following article:
Accordingly, the output of the script may differ from that of other tools, CyberChef for example:
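To show concretely what schema-less decoding can and cannot recover, here is an added Python example (not the EnScript, not ProtoUntyped, and not taken from a real Biome file): it detects the SEGB version from the signature offset, walks a message by wire type, and reports only field numbers, wire types and best-guess values. The guessing rule for length-delimited fields (printable UTF-8, else nested message, else raw bytes) and the sample message are my own assumptions.

```python
def segb_version(data):
    """V2 files carry 'SEGB' at offset 0, V1 files at offset 52; None if neither."""
    if data[0:4] == b"SEGB":
        return "V2"
    return "V1" if data[52:56] == b"SEGB" else None

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; ValueError on truncation or overlong input."""
    result = shift = 0
    while pos < len(buf) and shift <= 63:
        result |= (buf[pos] & 0x7F) << shift
        if not buf[pos] & 0x80:
            return result, pos + 1
        pos, shift = pos + 1, shift + 7
    raise ValueError("bad varint")

def guess_length_delimited(raw):
    """Assumed heuristic for wire type 2: printable UTF-8 -> str, else nested message, else bytes."""
    text = raw.decode("utf-8", errors="surrogateescape")  # invalid bytes become unprintable
    if text.isprintable():
        return text
    try:
        return decode_untyped(raw)
    except ValueError:
        return raw

def decode_untyped(buf):
    """Decode a protobuf message with no .proto: list of (field_id, wire_type, value)."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_id, wire_type = tag >> 3, tag & 7
        if wire_type == 0:                          # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):                   # fixed 64-bit / 32-bit, little-endian
            size = 8 if wire_type == 1 else 4
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wire_type == 2:                        # length-delimited
            length, pos = read_varint(buf, pos)
            value, pos = guess_length_delimited(buf[pos:pos + length]), pos + length
        else:                                       # groups (3, 4) are deprecated; 6, 7 invalid
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("truncated field")
        fields.append((field_id, wire_type, value))
    return fields

SAMPLE = (b"\x08\x01"                                       # constructed; field 1: varint 1
          + b"\x11" + (0x0102030405060708).to_bytes(8, "little")  # field 2: fixed64
          + b"\x1a\x05biome"                                 # field 3: string
          + b"\x22\x03\x08\xac\x02"                          # field 4: nested {1: 300}
          + b"\x2d" + (0xDEADBEEF).to_bytes(4, "little"))    # field 5: fixed32
```

Note that a varint is reported as an unsigned integer even when the schema meant it as a signed, zigzag or enum value, and a nested message whose bytes happen to be printable is reported as a string: these are the ambiguities that make tool outputs differ.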
The script writes its output to bookmarks, a logical evidence file (LEF), and the console.
It is worthy of note that -
This script was developed for use in EnCase training. For more details, please click the following link:
First release.
Developed/tested using EnCase 25.0.2.00.63.