
EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.


Binary Plist Finder

This script searches specified items for binary property-list (plist) files. It was designed primarily to recover such files from unallocated clusters. Property-list files are used by Apple developers to store a considerable number of configuration settings on Mac OS X and iOS devices. Many of these settings are of great value to the forensic examiner. Resetting the Safari web browser, for instance, will result in the deletion of a number of plist files containing Internet history. It will also clear the SQLite database file used to track cached web content. The records deleted from that file will contain embedded binary plist files, which the script can recover from the space in the SQLite file that those records used to occupy.

The script's output is via bookmarks and a logical evidence file (LEF). The LEF can be brought back into EnCase and its contents examined using the Plist Parser or Plist Viewer Plugin EnScripts. It may also be possible to process the LEF in order to recover Mac OS X related artifacts such as Safari Internet history and bookmarks. The script works by using a basic search term to locate deleted plists in each of the records/entries it has been told to search. Before each entry/item is searched, its path will be written to the console. The search will then be performed and the status bar updated to reflect the progress that has been made. At the conclusion of each search the script will write the number of hits that have been found, reset the status bar and then attempt to verify each hit. The status bar can then be used to monitor the progress of the hit-validation process.

The examiner should expect to find many thousands of hits, particularly when searching the unallocated clusters of a Mac OS X system volume. Once the script has finished processing, the examiner can use a raw keyword search to identify plist files of particular note.
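The search-then-verify approach described above can be sketched in Python. This is an added example, not the EnScript's own code: the page does not state the script's search term or validation rules, so the `bplist00` signature search, the trailer-consistency check and the function names here are assumptions, and the sample data is constructed.

```python
import plistlib
import struct

MAGIC = b"bplist00"                  # header signature of a version-00 binary plist
TRAILER = struct.Struct(">6xBBQQQ")  # 32-byte trailer: sizes, object count, top object, table offset

def verify_hit(blob, start, max_size):
    """Return (length, parsed_object) if a well-formed plist begins at start, else None."""
    limit = min(len(blob), start + max_size)
    # Smallest possible plist: 8-byte header + 1 object + 1 offset + 32-byte trailer.
    for end in range(start + 42, limit + 1):
        off_size, ref_size, n_obj, top, table_off = TRAILER.unpack_from(blob, end - 32)
        if not (1 <= off_size <= 8 and 1 <= ref_size <= 8 and top < n_obj):
            continue
        # The trailer must describe exactly the span between the header and itself.
        if table_off + n_obj * off_size + 32 != end - start:
            continue
        try:
            return end - start, plistlib.loads(blob[start:end], fmt=plistlib.FMT_BINARY)
        except Exception:  # structurally plausible trailer, but the objects do not decode
            continue
    return None

def carve_bplists(blob, max_size=1 << 20):
    """Signature search followed by hit validation; returns [(offset, length, object)]."""
    found, pos = [], blob.find(MAGIC)
    while pos != -1:
        hit = verify_hit(blob, pos, max_size)
        if hit:
            found.append((pos, hit[0], hit[1]))
        pos = blob.find(MAGIC, pos + (hit[0] if hit else 1))
    return found

def sample_blob():
    """Constructed test data: two real plists and one false-positive signature in filler."""
    a = plistlib.dumps({"URL": "http://example.com/", "Title": "Example"}, fmt=plistlib.FMT_BINARY)
    b = plistlib.dumps(["one", 2, True], fmt=plistlib.FMT_BINARY)
    return b"\xaa" * 100 + a + b"\xaa" * 50 + MAGIC + b"\xaa" * 64 + b, a, b

if __name__ == "__main__":
    blob, _, _ = sample_blob()
    for offset, length, obj in carve_bplists(blob):
        print(f"offset={offset} length={length} -> {obj!r}")
```

Because the length of a deleted plist is unknown, each signature hit is scanned forward for a trailer whose fields account for the exact number of bytes since the header; `max_size` bounds that scan so false-positive signatures stay cheap to reject.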




Version: 4.1.1
Tested with:
EnCase Forensic 7.12
Developer: Simon Key
Category: Artifact

702 DOWNLOADS

YOU MAY ALSO LIKE

Artifact

VSS Examiner

Quickly and easily identify and preserve data of interest in Microsoft Windows volume shadow copies.
By Simon Key
3876 Downloads
App
Artifact

SEEB USB - Mounted Devices Report

Script will create detailed Excel, CSV, console & bookmark reports on Mounted, USB, portable devices found in the registry and setupapi logs.
By Brian Jones
3646 Downloads
App
Artifact

Exif Viewer Plugin

This is a self-installing application plugin that enables the user to right-click on an Exif JPEG file in order to view and bookmark the Exif metadata that it contains.
By Simon Key
2948 Downloads
App
Artifact

Exif GPS Information Reader

Search for, bookmark and decode Exif metadata, with the option to view GPS Exif coordinates in Google Earth automatically.
By Simon Key
2589 Downloads
App