EnCase App Central


Binary Plist Finder

This script searches specified items for binary property-list (plist) files. It was designed primarily to recover such files from unallocated clusters. Property-list files are used by Apple developers to store a considerable number of configuration settings on Mac OS X and iOS devices. Many of these settings are of great value to the forensic examiner. Resetting the Safari web browser, for instance, will result in the deletion of a number of plist files containing Internet history. It will also clear the SQLite database file used to track cached web content. The records deleted from that file will contain embedded binary plist files, which the script can recover from the space in the SQLite file that those records used to occupy.

The script's output is via bookmarks and a logical evidence file (LEF). The LEF can be brought back into EnCase and its contents examined using the Plist Parser or Plist Viewer Plugin EnScripts. It may also be possible to process the LEF in order to recover Mac OS X related artifacts such as Safari Internet history and bookmarks.

The script works by using a basic search term to locate deleted plists in each of the records/entries it has been told to search. Before each entry/item is searched, its path will be written to the console. The search will then be performed and the status bar updated to reflect the progress that has been made. At the conclusion of each search the script will write the number of hits that have been found, reset the status bar and then attempt to verify each hit. The status bar can then be used to monitor the progress of the hit-validation process.

The examiner should expect to find many thousands of hits, particularly when searching the unallocated clusters of a Mac OS X system volume. Once the script has finished processing, the examiner can use a raw keyword search to identify plist files of particular note.
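
The search-then-verify flow described above, shown as an added Python example; it is not the EnScript's own code and its verification logic is an assumption. It assumes hits are located by the `bplist00` signature and verified by finding a 32-byte trailer consistent with the hit offset, then decoding with `plistlib`; `MAX_SIZE` and all function names are hypothetical.

```python
import plistlib
import struct

MAGIC = b"bplist00"  # header of a version-00 binary plist
TRAILER = struct.Struct(">5xBBBQQQ")  # sort ver, offset size, ref size, count, top, table
MAX_SIZE = 1 << 20  # assumed cap on the size of a carved plist

def trailer_fits(buf, start, t):
    """True if the 32 bytes at t form a consistent trailer for a plist at start."""
    _, off_size, ref_size, count, top, table = TRAILER.unpack_from(buf, t)
    if not (1 <= off_size <= 8 and 1 <= ref_size <= 8):
        return False
    if count == 0 or top >= count or table < len(MAGIC):
        return False
    # The offset table must end exactly where the trailer begins.
    if table + count * off_size != t - start:
        return False
    # Every object offset must point between the header and the offset table.
    for i in range(count):
        p = start + table + i * off_size
        off = int.from_bytes(buf[p:p + off_size], "big")
        if not len(MAGIC) <= off < table:
            return False
    return True

def carve_bplists(buf):
    """Return [(offset, length)] for each verified binary plist found in buf."""
    found = []
    pos = buf.find(MAGIC)
    while pos != -1:
        limit = min(len(buf), pos + MAX_SIZE) - TRAILER.size
        for t in range(pos + len(MAGIC) + 1, limit + 1):
            if trailer_fits(buf, pos, t):
                blob = buf[pos:t + TRAILER.size]
                try:
                    plistlib.loads(blob, fmt=plistlib.FMT_BINARY)
                except Exception:
                    continue  # structurally plausible but not decodable
                found.append((pos, len(blob)))
                break
        pos = buf.find(MAGIC, pos + 1)
    return found

# Constructed sample: one real plist between filler, then a bare signature (false hit).
SAMPLE_PLIST = plistlib.dumps({"URL": "https://example.com/", "visits": 3},
                              fmt=plistlib.FMT_BINARY)
SAMPLE = b"\x00" * 100 + SAMPLE_PLIST + b"\xff" * 40 + MAGIC + b"\x00" * 64
```

Calling `carve_bplists(SAMPLE)` reports only the embedded plist; the bare signature followed by zero bytes fails verification, which is why a raw signature search over unallocated space yields far more hits than recoverable files.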


Version: 4.1.1
Tested with:
EnCase Forensic 7.12
Developer: Simon Key
Category: Artifact

537 DOWNLOADS
