This is an XML and binary property-list viewer EnScript plugin.
Use the CTRL+SHIFT+P keyboard-shortcut or right-click menu option to view the highlighted item or attribute as an XML or binary plist file.
Use the CTRL+SHIFT+D keyboard-shortcut or right-click menu option to view the highlighted XML or binary plist data beginning 'bplist' or '<?xml '. If the plist data occupies the remainder of the file, only the first byte need be selected; otherwise the data must be selected in its entirety. This may prove tricky for binary plist files, in which case the Binary Plist Finder EnScript may help.
It’s worthy of note that the script will impose a limit on the amount of highlighted data that can be parsed. This is to try and prevent the examiner parsing a large amount of data that might cause the script (and EnCase) to crash. One example of this might be when the examiner has selected the first byte of a plist buried deep in unallocated clusters. The default limit is 20MB, but this can be adjusted between 1MB and 100MB.
Either or all selected values in file and record-based plists can be bookmarked and written to a logical evidence file (LEF). These options aren’t currently available with attribute-based plists.
Note that attributes can only be parsed once the Browse Data button has been used to load them into the tree and table panes - they cannot be parsed while visible in the view pane.
The contents of hex-encoded binary attribute-streams can be examined by using the View Stream Data option. There is also an option to interpret and bookmark binary streams that represent macOS bookmarks.
With regard to the latter, the plugin will present the path of the bookmarked item, where appropriate. If the path relates to a mounted disk image or network share, the plugin will present the mounted item’s path if available. It’s important to note that bookmarks often contain a significant amount of extra data, so if a bookmarked item is worthy of note, further investigation is advised.
The plugin also provides the option to use the OutsideIn viewing-library to view data highlighted by the user in a binary property-list stream. This can be useful, for example, to view pictures embedded in RTFD document-streams representing secure notes in macOS keychain files.
The plugin will also recognize plists that are NSKeyedArchive files and resolve their internal links, which are implemented through the use of UID values.
The structure of NSKeyedArchive files that are plists can take some getting used to, particularly as both have their own type of dictionary. A dictionary is a list containing one or more child objects, each having a name.
In a plist file, an NSKeyedArchive dictionary will consist of three plist folders: NSKeys, NSObjects and $class. The $class folder will contain an entry called $classname, which will have a value of NSDictionary or NSMutableDictionary.
The values in the NSKeys and NSObjects folders are linked such that the name of the object at position n in the NSObjects folder will be at position n in the NSKeys folder.
NSKeyedArchive files also support two types of array: NSArray and NSMutableArray. Items in an array are identified by their index, which means that an NSKeyedArchive array will only consist of two folders: NSObjects and $class. The NSKeys folder is not needed.
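The UID resolution and the positional NSKeys/NSObjects pairing described above can be reproduced outside EnCase for cross-checking. The following is an added example in Python using the standard plistlib module, not the plugin's own EnScript code. It assumes the raw key names used inside the file (`$top`, `$objects`, `NS.keys`, `NS.objects`), and the sample archive is constructed for illustration.

```python
import plistlib
from plistlib import UID

DICT_CLASSES = {"NSDictionary", "NSMutableDictionary"}
ARRAY_CLASSES = {"NSArray", "NSMutableArray"}

def build_sample_archive() -> bytes:
    """Constructed sample archive encoding {"user": "alice", "tags": ["a", "b"]}."""
    objects = [
        "$null",                                             # 0: null placeholder
        {"NS.keys": [UID(2), UID(3)],                        # 1: root dictionary
         "NS.objects": [UID(4), UID(5)], "$class": UID(8)},
        "user", "tags", "alice",                             # 2, 3, 4
        {"NS.objects": [UID(6), UID(7)], "$class": UID(9)},  # 5: array, no NS.keys
        "a", "b",                                            # 6, 7
        {"$classname": "NSMutableDictionary"},               # 8
        {"$classname": "NSArray"},                           # 9
    ]
    archive = {"$archiver": "NSKeyedArchiver", "$version": 100000,
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)

def resolve(objects, node, seen=frozenset()):
    """Follow UID links recursively; reject out-of-range and cyclic references."""
    if isinstance(node, UID):
        idx = node.data
        if idx in seen or not 0 <= idx < len(objects):
            raise ValueError(f"bad UID reference: {idx}")
        target = objects[idx]
        return None if target == "$null" else resolve(objects, target, seen | {idx})
    if isinstance(node, dict) and "$class" in node:
        classname = resolve(objects, node["$class"], seen)["$classname"]
        values = [resolve(objects, v, seen) for v in node.get("NS.objects", [])]
        if classname in ARRAY_CLASSES:
            return values
        if classname in DICT_CLASSES:
            keys = [resolve(objects, k, seen) for k in node.get("NS.keys", [])]
            if len(keys) != len(values):
                raise ValueError("NS.keys and NS.objects differ in length")
            return dict(zip(keys, values))  # key n names object n
        # Any other class: keep its fields, resolving links in each
        return {"$classname": classname,
                **{k: resolve(objects, v, seen) for k, v in node.items() if k != "$class"}}
    return node

def decode_keyed_archive(data: bytes):
    plist = plistlib.loads(data)
    if not isinstance(plist, dict) or plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    return {name: resolve(plist["$objects"], ref) for name, ref in plist["$top"].items()}

if __name__ == "__main__":
    print(decode_keyed_archive(build_sample_archive()))
```

The cycle and range checks matter when the data was carved from unallocated clusters, where a truncated or corrupted object table can contain links that point outside the table or back at themselves.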
Timestamps are displayed as UTC/GMT using the ISO 8601 format. This assumes that the underlying value is stored as UTC/GMT rather than local time.
This script was developed for use as part of EnCase training. For more details, please visit the following links:
Tested under EnCase 24.02.00.103.