Description

This EnScript decodes binary and XML plist files that are extensively used by Apple computer software and hardware to store configuration data.

Binary plists support data in the form of ANSI & Unicode strings, integer numbers, UUIDs, Boolean (true/false) values, floating point numbers, binary data and dates/times.

XML plists support data in the form of Unicode strings (encoded as UTF-8), integer numbers, Boolean (true/false) values, floating point numbers, binary data and dates/times.

The user has the option of choosing how the script should iterate through the case; he/she can also choose to process files based on a combination of signature, extension ('plist', 'sfl' and 'sfl2') and name. The recommended options are marked with an asterisk (*).

When it comes to signature, the examiner can have the script check to see if the signature is offset from the start of the file. This typically happens because the plist file is preceded by some other structure.

Performing this check is a potentially time-consuming process because each byte offset must be examined one at a time. Accordingly, this option has an upper limit of 50 bytes. Furthermore, it won't work if there is data both before and after the plist file.
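The offset-signature check described above, sketched in Python as an added example (it is not the EnScript's code). The signatures 'bplist00' and '<?xml' and the use of Python's plistlib are assumptions; the sample data is constructed. It also shows why data on both sides defeats the check for binary plists: the parser finds the object table through a trailer read from the last 32 bytes.

```python
import plistlib

MAX_OFFSET = 50                          # upper limit stated in the description
SIGNATURES = (b"bplist00", b"<?xml")     # assumed binary and XML plist signatures

def find_plist_offset(data: bytes, max_offset: int = MAX_OFFSET):
    """Return the first offset in 0..max_offset where a signature starts, else None."""
    for offset in range(max_offset + 1):         # one byte offset at a time
        if data.startswith(SIGNATURES, offset):
            return offset
    return None

def parse_offset_plist(data: bytes):
    """Parse a plist that is preceded by another structure; None if it cannot be read."""
    offset = find_plist_offset(data)
    if offset is None:
        return None
    try:
        # A binary plist is located through its trailer, read from the LAST 32
        # bytes of the data, so bytes after the plist make the parse fail.
        return plistlib.loads(data[offset:])
    except Exception:                            # InvalidFileException, ExpatError
        return None

def demo():
    """Constructed samples: a 12-byte header, then the same file with trailing bytes."""
    body = plistlib.dumps({"Label": "com.example.agent"}, fmt=plistlib.FMT_BINARY)
    header = b"\x01" * 12
    return (parse_offset_plist(header + body),
            parse_offset_plist(header + body + b"\x00" * 16))

if __name__ == "__main__":
    print(demo())
```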

The examiner can choose to create a single data bookmark containing the data from all the source files; alternatively, he/she can choose to create a data bookmark per file.

With regard to binary plist values, embedded plists will be parsed automatically and in a recursive manner. The script will also parse path information from bookmark streams.

The structure of other binary values is in the hands of the developer, so the script provides two additional options.

Firstly, if binary data is less than or equal to 512 bytes, it will be bookmarked as string data. In order to accomplish this, the script will replace one or more contiguous non-printable characters with a single '\xB7' (centre dot) character. This should be sufficient to remove excessive amounts of unintelligible binary data while still allowing Unicode strings containing Roman/Latin characters (a-z, 0-9) to be recognised as such. The examiner should, however, be aware that two readable strings separated by a single '\xB7' character could be many bytes apart.
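The centre-dot substitution, as an added Python example (not the EnScript's code). It assumes "printable" means ASCII 0x20 to 0x7E and works byte by byte, since the script's exact rule is not given here; the sample bytes are constructed. The second function keeps the byte offsets that the bookmarked string hides.

```python
import re

MAX_LEN = 512                                    # size limit stated in the description
# Assumption: printable = ASCII 0x20-0x7E; everything else counts as non-printable.
NON_PRINTABLE_RUN = re.compile(rb"[^\x20-\x7e]+")

def bookmark_text(data: bytes):
    """Collapse each run of non-printable bytes to one centre dot; None above the limit."""
    if len(data) > MAX_LEN:
        return None
    return NON_PRINTABLE_RUN.sub(b"\xb7", data).decode("latin-1")

def readable_runs(data: bytes, min_len: int = 4):
    """Return (byte offset, text) for each printable run so real distances stay visible."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]

def demo():
    """Constructed sample: two strings 40 bytes apart, and a UTF-16LE string."""
    blob = b"Safari" + bytes(40) + b"Downloads"
    return (bookmark_text(blob),                 # one dot hides the 40-byte gap
            readable_runs(blob),                 # offsets show the real distance
            bookmark_text("Hi".encode("utf-16-le")))

if __name__ == "__main__":
    print(demo())
```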

A second option is to have the script write the interpreted plist files into a logical evidence file. The data in the file is structured in a very similar way to the data bookmark already mentioned above. The only difference is that each plist name/value pair is represented as a file. For all but binary plist name/value pairs the data is stored in the file as a Unicode string. Binary plist data is written as is. This facilitates signature and hash analysis; it also enables the examiner to extract binary data streams for processing with 3rd party applications.

The script will recognize plists that are NSKeyedArchive files automatically and resolve their internal links. The latter are implemented using UUID values.

The structure of NSKeyedArchive files that are plists can take some getting used to, particularly as both have their own type of dictionary. A dictionary is a list containing one or more child objects each having a name.

In a plist file, an NSKeyedArchive dictionary will consist of three plist folders: NSKeys, NSObjects and $class. The $class folder will contain an entry called $classname, which will have a value of NSDictionary or NSMutableDictionary.

The values in the NSKeys and NSObjects folders are linked such that the name of the object at position n in the NSObjects folder will be at position n in the NSKeys folder.

NSKeyedArchive files also support two types of array: NSArray and NSMutableArray. Items in an array are identified by their index, which means that an NSKeyedArchive array will only consist of two folders: NSObjects and $class. The NSKeys folder is not needed.
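Resolving the dictionary and array structures described above, as an added Python example (not the EnScript's code). It assumes the on-disk key names NS.keys and NS.objects for the NSKeys and NSObjects folders, and uses Python's plistlib, which returns each internal link as a UID object; the archive is constructed for the example.

```python
import plistlib
from plistlib import UID

DICT_CLASSES = ("NSDictionary", "NSMutableDictionary")
ARRAY_CLASSES = ("NSArray", "NSMutableArray")

def resolve(objects, node, depth=0):
    """Follow links and unwrap NS dictionaries/arrays into plain Python values."""
    if depth > 64:                                  # guard against cyclic links
        raise ValueError("link chain too deep")
    if isinstance(node, UID):                       # a link: index into $objects
        return resolve(objects, objects[node.data], depth + 1)
    if isinstance(node, str) and node == "$null":
        return None
    if not (isinstance(node, dict) and "$class" in node):
        return node                                 # plain scalar value
    classname = objects[node["$class"].data]["$classname"]
    values = [resolve(objects, o, depth + 1) for o in node.get("NS.objects", [])]
    if classname in DICT_CLASSES:                   # key n names object n
        keys = [resolve(objects, k, depth + 1) for k in node["NS.keys"]]
        return dict(zip(keys, values))
    if classname in ARRAY_CLASSES:                  # identified by index only
        return values
    return {k: resolve(objects, v, depth + 1) for k, v in node.items() if k != "$class"}

def unarchive(data: bytes):
    """Return the resolved $top entries of an NSKeyedArchiver plist."""
    plist = plistlib.loads(data)
    if plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not a keyed archive")
    return {name: resolve(plist["$objects"], ref) for name, ref in plist["$top"].items()}

def build_sample() -> bytes:
    """Constructed archive: a dictionary holding one string and one array."""
    objects = [
        "$null",
        {"NS.keys": [UID(2), UID(3)], "NS.objects": [UID(4), UID(5)], "$class": UID(7)},
        "Name", "Recent", "Terminal.app",
        {"NS.objects": [UID(6)], "$class": UID(8)},
        "/Applications/Utilities",
        {"$classname": "NSMutableDictionary",
         "$classes": ["NSMutableDictionary", "NSDictionary", "NSObject"]},
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
    ]
    archive = {"$archiver": "NSKeyedArchiver", "$version": 100000,
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(unarchive(build_sample()))
```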

Timestamps are displayed as UTC/GMT. This assumes that the underlying value is also stored as UTC/GMT rather than local time.

This script was developed for use in EnCase training. For more details, please click the following link:

Releases

Release: Plist Parser 9.0
Size: 398.8 KB
Date: Dec 10, 2024
Product compatibility: EnCase App Central, Version 1.0.0

Release notes

Adds the ability to check for plist-data offset from the start of the file.

Tested under EnCase 24.03.00.109.

Languages: English
