macOS Bookmark Data Decoder
This script decodes macOS bookmark datastreams of the type found in macOS alias files and property-list files.
Supported streams will have the signature 'book' or 'alis' followed by the length of the stream as a 4-byte Little-Endian integer. Alternatively it will parse streams having the following GREP signature -
- book\x00\x00\x00\x00mark\x00\x00\x00\x00
This script's functionality has since been incorporated into the Plist Viewer Plugin and Plist Parser EnScripts although it may still prove useful when examining alias files, which are the Mac equivalent of Windows shortcut link files.
Output is by way of bookmarks. Dates are displayed as UTC/GMT using the ISO 8601 format.
It should be noted that the script may encounter values whose tag is unknown. Please notify the author if this happens so that additional research may be undertaken.
For additional information, please see the following Twitter post:
This script was developed for use in EnCase training. For more details, please click the following link:
Download Now