
EnCase App Central


Plist Viewer Plugin

This is an XML and binary property list viewer plugin EnScript.

Use the CTRL+SHIFT+P keyboard shortcut or right-click menu option to view the highlighted item or attribute as an XML or binary plist file.

Use the CTRL+SHIFT+D keyboard shortcut or right-click menu option to view the highlighted XML or binary plist data beginning ‘bplist’ or ‘<?xml ’. The plist data must be highlighted from beginning to end to use this option.

Either all or selected values in file- and record-based plists can be bookmarked and written to a logical evidence file (LEF). These options aren’t currently available with attribute-based plists.

Note that attributes can only be parsed once the ‘Browse Data’ button has been used to load them into the Tree and Table panes; they cannot be parsed while visible in the Viewer pane.

The contents of a hex-encoded binary attribute-stream can be examined by using the View Stream Data option. There is also an option to interpret and bookmark binary streams that represent Mac OS X bookmarks.

With regard to the latter, the plugin will present the path of the bookmarked item, where appropriate. If the path relates to a mounted disk image or network share, the plugin will present the mounted item’s path, if available. It’s important to note that bookmarks often contain a significant amount of extra data, so if a bookmarked item is worthy of note, further investigation is advised.

The plugin will recognize plists that are NSKeyedArchive files automatically and resolve their internal links, which are implemented through the use of UID values.

The structure of NSKeyedArchive files that are plists can take some getting used to, particularly as both have their own type of dictionary. A dictionary is a list containing one or more child objects, each having a name.

In a plist file, an NSKeyedArchive dictionary will consist of three plist folders: NSKeys, NSObjects and $class. The $class folder will contain an entry called $classname, which will have a value of NSDictionary or NSMutableDictionary.

The values in the NSKeys and NSObjects folders are linked such that the name of the object at position n in the NSObjects folder will be at position n in the NSKeys folder.

NSKeyedArchive files also support two types of array: NSArray and NSMutableArray. Items in an array are identified by their index, which means that an NSKeyedArchive array will only consist of two folders: NSObjects and $class. The NSKeys folder is not needed.
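The UID resolution and key/object pairing described above can be reproduced outside EnCase to cross-check a parse. This is an added example in Python using the standard `plistlib` module, not the plugin's own EnScript code; the function names and the sample archive are constructed for illustration. In the raw plist, the keys holding the paired lists are named `NS.keys` and `NS.objects`.

```python
import plistlib
from plistlib import UID

DICT_CLASSES = {"NSDictionary", "NSMutableDictionary"}
ARRAY_CLASSES = {"NSArray", "NSMutableArray"}

def resolve_archive(data):
    """Parse plist bytes and follow every UID link reachable from $top."""
    archive = plistlib.loads(data)
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objects = archive["$objects"]

    def walk(value, active=()):
        if isinstance(value, UID):
            index = value.data
            if index in active:                      # self-referencing archive
                return f"<cycle: UID {index}>"
            if index >= len(objects):                # link points past $objects
                return f"<dangling: UID {index}>"
            target = objects[index]
            return None if target == "$null" else walk(target, active + (index,))
        if isinstance(value, list):
            return [walk(v, active) for v in value]
        if not isinstance(value, dict):
            return value                             # string, number, date, bytes
        cls = walk(value.get("$class"), active)      # class record or None
        name = cls.get("$classname") if isinstance(cls, dict) else None
        items = [walk(v, active) for v in value.get("NS.objects", [])]
        if name in DICT_CLASSES:                     # key n pairs with object n
            keys = [walk(k, active) for k in value.get("NS.keys", [])]
            return dict(zip(keys, items))            # keys are normally strings
        if name in ARRAY_CLASSES:                    # index only, no NS.keys
            return items
        return {k: walk(v, active) for k, v in value.items() if k != "$class"}

    return {name: walk(ref) for name, ref in archive["$top"].items()}

def sample_archive():
    """Constructed sample: {"Name": "report.pdf", "Tags": ["work", "2024"]}."""
    objects = [
        "$null",
        {"NS.keys": [UID(2), UID(3)], "NS.objects": [UID(4), UID(5)], "$class": UID(8)},
        "Name", "Tags", "report.pdf",
        {"NS.objects": [UID(6), UID(7)], "$class": UID(9)},
        "work", "2024",
        {"$classname": "NSMutableDictionary", "$classes": ["NSMutableDictionary", "NSObject"]},
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)
```

Cyclic or out-of-range UID links are reported as placeholder strings rather than followed, so a malformed archive cannot send the resolver into unbounded recursion.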

Timestamps are displayed as UTC/GMT using the ISO 8601 format. This assumes that the underlying value is stored as UTC/GMT rather than local time.

This script was developed for use in EnCase training. For more details, please click the following link:


Version: 7.1
Tested with: EnCase 21.3.1
Developer: Simon Key
Category: Artifact

8741 Downloads
41 Downloads in last 6 months