Binary Plist Finder
This script searches specified items for binary property-list (plist) files. It was designed primarily to recover such files from unallocated clusters. Property-list files are used by Apple developers to store a considerable number of configuration settings on Mac OS X and iOS devices, and many of these settings are of great value to the forensic examiner. Resetting the Safari web browser, for instance, deletes a number of plist files containing Internet history. It also clears the SQLite database file used to track cached web content. The records deleted from that file contain embedded binary plist files, which the script can recover from the space in the SQLite file that those records used to occupy.
The script's output is via bookmarks and a logical evidence file (LEF). The LEF can be brought back into EnCase and its contents examined using the Plist Parser or Plist Viewer Plugin EnScripts. It may also be possible to process the LEF in order to recover Mac OS X related artifacts such as Safari Internet history and bookmarks. The script works by using a basic search term to locate deleted plists in each of the records/entries it has been told to search. Before each entry/item is searched, its path is written to the console. The search is then performed and the status bar updated to reflect the progress made. At the conclusion of each search the script writes the number of hits found, resets the status bar and then attempts to verify each hit. The status bar can then be used to monitor the progress of the hit-validation process.
The examiner should expect to find many thousands of hits, particularly when searching the unallocated clusters of a Mac OS X system volume. Once the script has finished processing, the examiner can use a raw keyword search to identify plist files of particular note.
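The search-then-verify approach described above, as an added Python example that is not the EnScript itself: it locates each `bplist00` header in a buffer standing in for unallocated clusters, then accepts a hit only when a 32-byte trailer whose offset table and object offsets are internally consistent can be found after it. The sample image, the filler bytes and the decoy header are constructed here for illustration.

```python
import plistlib
import struct

MAGIC = b"bplist00"
TRAILER = 32                 # fixed-size trailer at the end of every bplist
MAX_LEN = 1 << 20            # give up on a header if no trailer verifies within 1 MiB


def trailer_fits(buf, start, end):
    """True if buf[start:end] is an internally consistent binary plist."""
    if end - start < len(MAGIC) + 2 + TRAILER:
        return False
    # trailer: 6 unused bytes, offset-int size, object-ref size, then three
    # big-endian uint64s: object count, top-object index, offset-table offset
    off_sz, ref_sz, nobj, top, table = struct.unpack(">6xBBQQQ", buf[end - TRAILER:end])
    if off_sz not in (1, 2, 4, 8) or ref_sz not in (1, 2, 4, 8):
        return False
    if nobj == 0 or top >= nobj or table < len(MAGIC) + 1:
        return False
    if table + nobj * off_sz != end - start - TRAILER:   # table must end at the trailer
        return False
    for i in range(nobj):    # every table entry must point between header and table
        entry = int.from_bytes(buf[start + table + i * off_sz:start + table + (i + 1) * off_sz], "big")
        if entry < len(MAGIC) or entry >= table:
            return False
    return True


def carve_bplists(buf, max_len=MAX_LEN):
    """Yield (offset, bytes) for each header whose trailer verifies; skip the rest."""
    pos = buf.find(MAGIC)
    while pos != -1:
        hit = None
        for end in range(pos + len(MAGIC) + 2 + TRAILER, min(len(buf), pos + max_len) + 1):
            if trailer_fits(buf, pos, end):
                hit = buf[pos:end]
                break
        if hit is None:
            pos = buf.find(MAGIC, pos + 1)          # unverifiable hit, move on
        else:
            yield pos, hit
            pos = buf.find(MAGIC, pos + len(hit))


def build_sample_image():
    """Constructed stand-in for unallocated space: two real plists plus one bare
    'bplist00' decoy (a false hit), separated by filler."""
    history = plistlib.dumps({"Title": "Example", "VisitCount": 3}, fmt=plistlib.FMT_BINARY)
    prefs = plistlib.dumps({"HomePage": "about:blank", "Count": 42}, fmt=plistlib.FMT_BINARY)
    filler = b"SLACK-SPACE-" * 8
    image = filler + history + filler + MAGIC + b"truncated" + filler + prefs + filler
    return image, [history, prefs]
```

Running `carve_bplists` over `build_sample_image()` returns the two genuine plists at their offsets and skips the decoy; each carved blob can then be handed to `plistlib.loads` for parsing.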