This EnScript decodes binary and XML plist files that are extensively used by Apple computer software and hardware to store configuration data.
Binary plists support data in the form of ANSI & Unicode strings, integer numbers, UUIDs, Boolean (true/false) values, floating point numbers, binary data and dates/times.
XML plists support data in the form of Unicode strings (encoded as UTF-8), integer numbers, Boolean (true/false) values, floating point numbers, binary data and dates/times.
The user has the option of choosing how the script should iterate through the case; he/she can also choose to process files based on a combination of signature, extension ('plist', 'sfl' and 'sfl2') and name. The recommended options are marked with an asterisk (*).
When it comes to signature, the examiner can have the script check to see if the signature is offset from the start of the file. This typically happens because the plist file is preceded by some other structure.
Performing this check is a potentially time-consuming process because each byte offset must be examined in turn. Accordingly, this option has an upper limit of 50 bytes. Furthermore, it won't work if there is data both before and after the plist file.
The examiner can choose to create a single data bookmark containing the data from all the source files; alternatively, he/she can choose to create a data bookmark per file.
With regards to binary plist values, embedded plists will be parsed automatically and in a recursive manner. The script will also parse path information from bookmark streams.
The structure of other binary values is in the hands of the developer, so the script provides two additional options.
Firstly, if binary data is less than or equal to 512 bytes, it will be bookmarked as string data. In order to accomplish this, the script will replace one or more contiguous non-printable characters with a single '\xB7' (centre dot) character. This should be sufficient to remove excessive amounts of unintelligible binary data while still allowing Unicode strings containing Roman/Latin characters (a-z, 0-9) to be recognised as such. The examiner should, however, be aware that two readable strings separated by a single '\xB7' character could be many bytes apart.
A second option is to have the script write the interpreted plist files into a logical evidence file. The data in the file is structured in a very similar way to the data bookmark already mentioned above. The only difference is that each plist name/value pair is represented as a file. For all but binary plist name/value pairs the data is stored in the file as a Unicode string. Binary plist data is written as is. This facilitates signature and hash analysis; it also enables the examiner to extract binary data streams for processing with 3rd party applications.
The script will recognize plists that are NSKeyedArchive files automatically and resolve their internal links. The latter are implemented using UUID values.
The structure of NSKeyedArchive files that are plists can take some getting used to, particularly as both formats have their own type of dictionary. A dictionary is a list containing one or more child objects, each having a name.
In a plist file, an NSKeyedArchive dictionary will consist of three plist folders: NSKeys, NSObjects and $class. The $class folder will contain an entry called $classname, which will have a value of NSDictionary or NSMutableDictionary.
The values in the NSKeys and NSObjects folders are linked such that the name of the object at position n in the NSObjects folder will be at position n in the NSKeys folder.
NSKeyedArchive files also support two types of array: NSArray and NSMutableArray. Items in an array are identified by their index, so an NSKeyedArchive array consists of only two folders: NSObjects and $class; the NSKeys folder is not needed.
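As an added illustration (not the EnScript's own code), the Python below builds a small NSKeyedArchiver plist in memory with plistlib, locates a bplist signature that is offset from the start of the data (capped at 50 bytes, like the script's option), and resolves the index links described above. The NSKeys/NSObjects folders the script shows correspond to the archive's own "NS.keys"/"NS.objects" entries, the links are represented as plistlib.UID values, and the sample archive is constructed for this example.

```python
import plistlib

def build_sample_archive() -> bytes:
    """Constructed sample: a keyed archive whose root is a dictionary
    {"items": ["alpha", 42]}, serialised as a binary plist."""
    objects = [
        "$null",                                        # index 0 is always $null
        {"$class": plistlib.UID(4),                     # the root dictionary
         "NS.keys": [plistlib.UID(2)],                  # key at position 0 ...
         "NS.objects": [plistlib.UID(3)]},              # ... names object at position 0
        "items",
        {"$class": plistlib.UID(5),                     # an array: NS.objects only, no keys
         "NS.objects": [plistlib.UID(6), plistlib.UID(7)]},
        {"$classname": "NSMutableDictionary",
         "$classes": ["NSMutableDictionary", "NSDictionary", "NSObject"]},
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
        "alpha",
        42,
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": plistlib.UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)

def find_bplist_offset(data: bytes, max_offset: int = 50):
    """Offset of 'bplist00' within the first max_offset bytes, else None."""
    pos = data.find(b"bplist00", 0, max_offset + len(b"bplist00"))
    return pos if pos != -1 else None

def resolve(objects, value):
    """Follow UID links into $objects; rebuild NSDictionary/NSArray as
    native dict/list using the position-n pairing of NS.keys/NS.objects."""
    if isinstance(value, plistlib.UID):
        return resolve(objects, objects[value.data])
    if value == "$null":
        return None
    if isinstance(value, dict):
        classname = None
        if isinstance(value.get("$class"), plistlib.UID):
            classname = objects[value["$class"].data].get("$classname")
        if classname in ("NSDictionary", "NSMutableDictionary"):
            keys = [resolve(objects, k) for k in value["NS.keys"]]
            vals = [resolve(objects, v) for v in value["NS.objects"]]
            return dict(zip(keys, vals))
        if classname in ("NSArray", "NSMutableArray"):
            return [resolve(objects, v) for v in value["NS.objects"]]
        return {k: resolve(objects, v) for k, v in value.items() if k != "$class"}
    if isinstance(value, list):
        return [resolve(objects, v) for v in value]
    return value

def decode_keyed_archive(data: bytes):
    """Locate the plist (possibly offset), check it is a keyed archive, and
    return the fully resolved root object."""
    offset = find_bplist_offset(data)
    if offset is None:
        raise ValueError("no bplist00 signature within the first 50 bytes")
    archive = plistlib.loads(data[offset:])
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    return resolve(archive["$objects"], archive["$top"]["root"])
```

Because the binary plist trailer sits at the end of the data, this only works when extra bytes precede the plist, matching the limitation noted above.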
Timestamps are displayed as UTC/GMT. This assumes that the underlying value is also stored as UTC/GMT rather than local time.
This script was developed for use in EnCase training. For more details, please click the following link:
Adds the ability to check for plist-data offset from the start of the file.
Tested under EnCase 24.03.00.109.