Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Plist Viewer Plugin

This is an XML and binary property list viewer plugin EnScript.

Use the CTRL+SHIFT+P keyboard-shortcut, toolbar, or right-click menu option to view the highlighted item or attribute as an XML or binary plist file.

Either or all selected values in file and record-based plists can be bookmarked and written to a logical evidence file (LEF). These options aren't currently available with attribute-based plists.

Note that attributes can only be parsed once the 'Browse Data' button has been used to load them into the Tree and Table panes, they cannot be parsed while visible in the Viewer pane.

The contents of a hex-encoded binary attribute-stream can be examined by using the View Stream Data option. There is also an option to interpret and bookmark binary streams that represent Mac OS X bookmarks.

The plugin will recognize plists that are NSKeyedArchive files automatically and resolve their internal links, which are implemented through the use of UID values.

The structure of NSKeyedArchive files that are plists can take some getting used-to particularly as both have their own type of dictionary. A dictionary is a list containing one or more child objects each having a name.

In a plist file, an NSKeyedArchive dictionary will consist of three plist folders: NSKeys, NSObjects and $class. The $class folder will contain an entry called $classname, which will have a value of NSDictionary or NSMutableDictionary.

The values in the NSKeys and NSObjects folders are linked such that the name of the object at position n in the NSObjects folder will be at position n in the NSKeys folder.

NSKeyedArchive files also support two types of array: NSArray and NSMutable array. Items in an array are identified by their index, which means that an NSKeyedArchive array will only consist of two folders: NSObjects and $class. The NSKeys folder is not needed.

Timestamps are displayed as UTC/GMT using the ISO 8601 format. This assumes that the underlying value is stored as UTC/GMT rather than local time.

Download Now



Version: 6.3
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

9429 DOWNLOADS

YOU MAY ALSO LIKE

Artifact

WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key
9092 Downloads
App
Artifact

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key
745 Downloads
App
Artifact

User Assist Registry Value Decoder

Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key
555 Downloads
App
Artifact

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents
By Simon Key
454 Downloads
App