Description

This is an XML and binary property-list viewer EnScript plugin.

Use the CTRL+SHIFT+P keyboard-shortcut or right-click menu option to view the highlighted item or attribute as an XML or binary plist file.

Use the CTRL+SHIFT+D keyboard-shortcut or right-click menu option to view highlighted XML or binary plist data beginning 'bplist' or '<?xml '. If the plist data occupies the remainder of the file, only the first byte need be selected; otherwise the data must be selected in its entirety. This may prove tricky for binary plist files, in which case the Binary Plist Finder EnScript may help.

Note that the script imposes a limit on the amount of highlighted data that can be parsed. This is to try to prevent the examiner from parsing a large amount of data that might cause the script (and EnCase) to crash. One example of this might be when the examiner has selected the first byte of a plist buried deep in unallocated clusters. The default limit is 20MB, but this can be adjusted between 1MB and 100MB.

Either all or selected values in file and record-based plists can be bookmarked and written to a logical evidence file (LEF). These options aren't currently available with attribute-based plists.

Note that attributes can only be parsed once the Browse Data button has been used to load them into the tree and table panes - they cannot be parsed while visible in the view pane.

The contents of hex-encoded binary attribute-streams can be examined by using the View Stream Data option. There is also an option to interpret and bookmark binary streams that represent macOS bookmarks.

With regard to the latter, the plugin will present the path of the bookmarked item, where appropriate. If the path relates to a mounted disk image or network share, the plugin will present the mounted item's path if available. It's important to note that bookmarks often contain a significant amount of extra data, so if a bookmarked item is worthy of note, further investigation is advised.

The plugin also provides the option to use the OutsideIn viewing-library to view data highlighted by the user in a binary property-list stream. This can be useful, for example, to view pictures embedded in RTFD document-streams representing secure notes in macOS keychain files.

The plugin will also recognize plists that are NSKeyedArchive files and resolve their internal links, which are implemented through the use of UID values.

The structure of NSKeyedArchive files that are plists can take some getting used to, particularly as both have their own type of dictionary. A dictionary is a list containing one or more child objects, each having a name.

In a plist file, an NSKeyedArchive dictionary will consist of three plist folders: NSKeys, NSObjects and $class. The $class folder will contain an entry called $classname, which will have a value of NSDictionary or NSMutableDictionary.

The values in the NSKeys and NSObjects folders are linked such that the name of the object at position n in the NSObjects folder will be at position n in the NSKeys folder.

NSKeyedArchive files also support two types of array: NSArray and NSMutableArray. Items in an array are identified by their index, which means that an NSKeyedArchive array will only consist of two folders: NSObjects and $class. The NSKeys folder is not needed.
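The UID resolution and the dictionary/array layout described above can be reproduced outside EnCase for cross-checking. The following is an added Python example (standard-library plistlib, Python 3.8+), not the plugin's EnScript code; it assumes the standard NSKeyedArchiver layout in which the archive's objects sit in a `$objects` list entered from `$top`, and in which the folders shown above as NSKeys and NSObjects are stored under the plist keys `NS.keys` and `NS.objects`. The function names and the sample archive are constructed for illustration.

```python
import plistlib
from plistlib import UID

DICT_CLASSES = {"NSDictionary", "NSMutableDictionary"}
ARRAY_CLASSES = {"NSArray", "NSMutableArray"}

def class_name(objects, node):
    """Follow a node's $class UID and return its $classname, if any."""
    ref = node.get("$class")
    target = objects[ref.data] if isinstance(ref, UID) and ref.data < len(objects) else None
    return target.get("$classname") if isinstance(target, dict) else None

def resolve(objects, node, seen=()):
    """Replace UID links with the $objects entries they index."""
    if isinstance(node, UID):
        idx = node.data
        if idx in seen or idx >= len(objects):  # cycle or dangling link
            return f"<unresolved UID {idx}>"
        return resolve(objects, objects[idx], seen + (idx,))
    if isinstance(node, list):
        return [resolve(objects, n, seen) for n in node]
    if not isinstance(node, dict):
        return None if node == "$null" else node
    name = class_name(objects, node)
    values = resolve(objects, node.get("NS.objects", []), seen)
    if name in DICT_CLASSES:  # key n names the object at position n
        keys = resolve(objects, node.get("NS.keys", []), seen)
        return dict(zip(map(str, keys), values))  # keys rendered as text
    if name in ARRAY_CLASSES:  # identified by index only, so no NS.keys
        return values
    return {k: resolve(objects, v, seen) for k, v in node.items() if k != "$class"}

def unarchive(data):
    plist = plistlib.loads(data)
    if not isinstance(plist, dict) or plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchive plist")
    return resolve(plist["$objects"], plist["$top"])

def sample_archive():
    """Constructed sample: a dictionary holding a string and an array."""
    objects = ["$null",
        {"NS.keys": [UID(2), UID(3)], "NS.objects": [UID(4), UID(5)], "$class": UID(8)},
        "account", "tags", "examiner",
        {"NS.objects": [UID(6), UID(7)], "$class": UID(9)}, "work", "vpn",
        {"$classname": "NSMutableDictionary"}, {"$classname": "NSArray"}]
    return plistlib.dumps({"$archiver": "NSKeyedArchiver", "$version": 100000,
                           "$top": {"root": UID(1)}, "$objects": objects},
                          fmt=plistlib.FMT_BINARY)
```

Calling `unarchive(sample_archive())` returns the flattened structure; a UID that points back at an object already being resolved, or past the end of the object list, is reported as a placeholder string rather than followed.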

Timestamps are displayed as UTC/GMT using the ISO 8601 format. This assumes that the underlying value is stored as UTC/GMT rather than local time.

This script was developed for use as part of EnCase training. For more details, please visit the following links:

Releases

Release: Plist Viewer Plugin 8.0
Size: 410.9 KB
Date: Dec 10, 2024
Product compatibility: EnCase App Central Version 1.0.0
Release notes:

Tested under EnCase 24.02.00.103.

Languages
English
