
EnCase App Central


Plist Viewer Plugin

This is an XML and binary property list viewer plugin EnScript.

Use the CTRL+SHIFT+P keyboard shortcut, toolbar, or right-click menu option to view the highlighted item or attribute as an XML or binary plist file.

Either all values or only the selected values in file- and record-based plists can be bookmarked and written to a logical evidence file (LEF). These options aren't currently available with attribute-based plists.

Note that attributes can only be parsed once the 'Browse Data' button has been used to load them into the Tree and Table panes; they cannot be parsed while visible in the Viewer pane.

The contents of a hex-encoded binary attribute-stream can be examined by using the View Stream Data option. There is also an option to interpret and bookmark binary streams that represent Mac OS X bookmarks.

The plugin will recognize plists that are NSKeyedArchive files automatically and resolve their internal links, which are implemented through the use of UID values.

The structure of NSKeyedArchive files that are plists can take some getting used to, particularly as both formats have their own type of dictionary. A dictionary is a list containing one or more child objects, each having a name.

In a plist file, an NSKeyedArchive dictionary will consist of three plist folders: NSKeys, NSObjects and $class. The $class folder will contain an entry called $classname, which will have a value of NSDictionary or NSMutableDictionary.

The values in the NSKeys and NSObjects folders are linked such that the name of the object at position n in the NSObjects folder will be at position n in the NSKeys folder.

NSKeyedArchive files also support two types of array: NSArray and NSMutableArray. Items in an array are identified by their index, which means that an NSKeyedArchive array will only consist of two folders: NSObjects and $class. The NSKeys folder is not needed.
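The UID resolution and key/object pairing described above can be reproduced outside EnCase to cross-check a result. The following Python sketch is an added example, not the plugin's EnScript code; it assumes the on-disk key names `NS.keys` and `NS.objects` (shown on this page as NSKeys and NSObjects), and the sample archive and function names are constructed for illustration.

```python
import plistlib
from plistlib import UID

DICT_CLASSES = {"NSDictionary", "NSMutableDictionary"}
ARRAY_CLASSES = {"NSArray", "NSMutableArray"}

def resolve(value, objects, seen=()):
    """Follow UID links into $objects and rebuild native dicts and lists."""
    if isinstance(value, UID):
        i = value.data
        if i >= len(objects):
            return f"<dangling UID {i}>"      # malformed archive
        if i in seen:
            return f"<cycle at UID {i}>"      # object graph points back at itself
        target = objects[i]
        return None if target == "$null" else resolve(target, objects, seen + (i,))
    if isinstance(value, dict) and isinstance(value.get("$class"), UID):
        name = objects[value["$class"].data]["$classname"]
        items = [resolve(v, objects, seen) for v in value.get("NS.objects", [])]
        if name in DICT_CLASSES:
            # The key at position n in NS.keys names the object at position n.
            keys = [resolve(k, objects, seen) for k in value.get("NS.keys", [])]
            return dict(zip(keys, items))
        if name in ARRAY_CLASSES:
            return items                      # arrays carry no NS.keys
        return {k: resolve(v, objects, seen) for k, v in value.items() if k != "$class"}
    if isinstance(value, list):
        return [resolve(v, objects, seen) for v in value]
    return value

def decode(data):
    archive = plistlib.loads(data)
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    return {k: resolve(v, archive["$objects"]) for k, v in archive["$top"].items()}

def build_sample():
    """Constructed archive for illustration; not taken from any real evidence."""
    objects = [
        "$null",
        {"NS.keys": [UID(2), UID(3)], "NS.objects": [UID(4), UID(5)], "$class": UID(7)},
        "Title", "Tags", "Quarterly report",
        {"NS.objects": [UID(6), UID(4)], "$class": UID(8)},
        "finance",
        {"$classname": "NSMutableDictionary"},
        {"$classname": "NSArray"},
    ]
    archive = {"$archiver": "NSKeyedArchiver", "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(decode(build_sample()))
```

Dictionary keys are assumed to resolve to hashable values such as strings; objects of any other class are returned with their fields resolved but otherwise uninterpreted.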

Timestamps are displayed as UTC/GMT using the ISO 8601 format. This assumes that the underlying value is stored as UTC/GMT rather than local time.

Version: 6.3
Tested with: EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

11735 DOWNLOADS