Mac Forensics: Viewing, Understanding, Deconstructing, and Creating .plist Files - Part 1 of 3
This entry was posted on 07/23/2012.
Our Mac Forensics instructors spend a lot of time discussing preference list files, or .plist files, as these files are often valuable repositories for historical system- and user- specific configurations and actions. As we teach in our Mac and iOS forensics training courses and discuss in our ‘Mac Forensics Essentials: The Mac OS X Library Directories blog,’ .plist files are most commonly found in the Mac OS X Library folders. However, these files may be located anywhere in the OS X file system.
This three-part blog takes an in-depth look at .plist files. Part one of this blog series addresses ways a Mac forensic examiner can view .plist files using both Apple and third-party tools. Part two seeks to improve .plist file knowledge, and discusses deconstructing a .plist file in order to select the most important file component(s) and include them in an examiner report. Part three teaches how to (re)create a .plist file and use it as something other than a data repository (such as a launch process) in the same way a user with ill intentions might.
Viewing .plist Files Using Apple Tools
To date, a .plist file is either a plain text .xml file or a binary file. Binary .plist files occupy less disk space, and the OS X operating system can access and utilize them more quickly than their .xml counterparts. Therefore, binary .plist files are the most common .plist file type found in recent OS X operating system builds.
Three readily available Apple .plist viewing tools are:
• Mac OS X operating system Quick Look framework
• Developer Tools Property List Editor application
• Developer Tools XCode 4 application
To view a .plist file using the Quick Look framework, select the file and press the Spacebar.
The .plist file displays in a scrollable window. The Quick Look framework provides a readily available and simple way to view .plist files. However, some find viewing a .plist file in a Quick Look somewhat cumbersome, as one must be comfortable viewing and understanding raw .xml code. Additionally, there is no way to copy and paste text from a Quick Look window into a text file for use in an examiner report.
The examples in this blog show data contained in the SystemVersion.plist file. This .xml file contains Mac OS X system version and build information, and is located here in the OS X file system:
Below is a screenshot of the SystemVersion.plist file viewed from within the Mac OS X Quick Look framework:
Both the Apple Developer Tools Property List Editor and Xcode 4 applications provide Mac forensic examiners with a more robust way to view .plist files. To use these tools, an examiner must download and install the Apple Developer Tools (XCode).
To download the Apple Developer Tools, create a free Apple Developer account at developer.apple.com. Next, download and install XCode from the developer website directly (XCode 2.5, XCode 3.x, and XCode 4.x), or via the OS X App Store application (XCode 4.x).
Note: As of the writing of this blog, an examiner must have OS 10.7.3 (Lion) or higher installed on their analysis workstation to download the XCode 4 using the App Store application.
If your analysis machine is running OS 10.4 (Tiger), download and install XCode 2.5. If your analysis workstation is running running OS 10.5 or 10.6, download and install XCode 3.x from developer.apple.com. If your analysis workstation is running OS 10.7.3 (Lion) or higher, download and install XCode 4.x from either the developer.apple.com web site, or via the OS X App Store application.
Note: It may be a little tricky to find and download XCode 2 or XCode 3. We believe the easiest way is to do so is to log into the Apple Developer website, and select Resources>OS X>Downloads, or visit the web page below(last accessed 7-2-2012) and log into the Apple Developer site, if necessary, when prompted:
The ‘Downloads for Apple Developers’ web page appears. On the left side of the page, in the search field above ‘Categories,’ type ‘XCode 3.0’ and select the Return (Enter) key to display available XCode 2.5 and XCode 3.x software downloads. Descriptions included with each build indicate OS X version compatibility notes.
The XCode 3.x (and earlier) Property List Editor application is located here:
Developer/Applications/Utilities/Property List Editor
XCode 4.0 and higher no longer includes the Property List Editor application, as a .plist editor is built into the XCode 4 application itself.
The Property List Editor application and the XCode 4 application are both small, light-weight applications that display .plist files as a database table rather than as raw code. A .plist file displayed as a table is much easier to read than one displayed as raw code. Both applications allow a user to edit the .plist file, and/or copy and paste .plist file data from the application into a separate text document for reporting purposes.
Below is a screenshot of the SystemVersion.plist file viewed from within the XCode 4 application:
Viewing .plist Files with Third Party Tools
An examiner may also use a text editor application to view .plist files. The TextWrangler application, developed by Bare Bones Software, is a popular and useful text editor. TextWrangler may be downloaded via the App Store application (on a machine running OS 10.6.x [Snow Leopard] or higher), or directly from the Bare Bones Software website here:
TextWrangler displays .plist file data as raw data in a similar manner as the Quick Look framework. However, TextWrangler displays .xml code and key entries (data items) with different color coding, and an examiner may also choose to show code line numbers. These two features make it a bit easier to view raw .xml .plist file data. Additionally, an examiner may copy and paste .plist file contents from a TextWrangler instance into another document.
Below is a screenshot of the SystemVersion.plist file displayed within the TextWrangler application:
Lastly, our own BlackLight forensics software displays .plist data in an easily readable database-table format much like the Property List Editor and XCode applications do. Additionally, BlackLight allows an examiner to tag both the .plist file itself, and individual .plist file keys. An examiner can include tagged .plist items in the examiner report directly from within the BlackLight application. This feature eliminates the need to copy and paste .plist data from a text application instance into a separate examiner report document.
To learn more about the BlackLight tagging and reporting features, please read our Tagging and Reporting blog series.
This concludes part one of our three-part .plist file blog series. Stay tuned… part two of this blog series discusses identifying and understanding important .plist files and important .plist file keys!
For more information about our BlackLight Mac OS X and iOS forensics software, visit the BlackLight product page or view a product demo on BlackBag TV. Please feel free to contact support with any other questions or comments.