Insights Blog

Mac Forensics: Viewing, Understanding, Deconstructing, and Creating .plist Files – Part 2 of 3

In part one of this blog series we covered the many ways a Mac forensic examiner may view .plist files using both Apple and third-party tools. Part two seeks to improve .plist file knowledge and discusses how to deconstruct a .plist file in order to include the most important objects in an examiner report.
Converting a Binary .plist File to .xml
As we mentioned in part one of this blog, to date, a .plist file is either a plain text .xml file or a binary file.  Binary .plist files occupy less disk space, and the OS X operating system can access and utilize them more quickly than their .xml counterparts. Therefore, binary .plist files are the most common .plist file type found in recent OS X operating system builds.
A digital forensic examiner may convert binary .plist files using the OS X Terminal application by issuing the following command:

plutil -convert xml1 /path/to/plistfile.plist -o /path/to/output.plist

This command calls the plutil utility, and tells it to  to convert the .plist file named plistfile.plist located along the first path to xml version 1 (xml1), and output the results to a file called output.plist located along the second path. Once converted, the .xml .plist file is similar to an .html file, as it has a defined header,  .plist objects have begin and end tags, and objects are indented, or nested in a way that shows grouped-object relationships.
Understanding .plist File Object Tags
Here is a .plist header example. The header describes the .plist file type, version, and encoding:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple Computer//DTD PLIST 1.0//EN”
<plist version=”1.0″>

Here are a few common .plist file object begin and end tags. Like .html end tags, .plist file end tags include a forward slash:

<string> </string> – String tags contain alphanumeric character strings.

<real> </real> – Real tags contain a floating-point value.

<integer> </integer> – Integer tags contains an integer value.

<date> </date> – Date tags may contain an absolute date measured in seconds relative to Jan 1 2001 00:00:00 GMT.  A positive value represents a date and time after Jan 1, 2001 date, and a negative value represents a date and time after Jan 1, 2001. A date and time value may be pulled from the local system clock.

<true /> or <false /> – True or false tags represent a YES value or a NO value respectively.  These tags do not have end tags as they simply indicate YES or NO; they do not contain element data. A true or false tag is usually associated with <key></key> tags.

<data> </data> – Data tags store raw data such as a .jpg picture file, human-readable text, or another binary-encoded .plist file.

<array> </array> – .plist elements in an array container are structured as an ordered collection that can be randomly accessed. One array container may have one or many elements stored within. Any element value type may be stored in an array.

<dict> </dict> – A dictionary container usually includes several keys, each paired with a single .plist element. Element values in a dictionary may be a string, number, boolean value, date, data, array, or another dictionary.

Deconstructing a .plist File
Now lets look at our OS X .plist file and deconstruct it. In this example, we are looking at a .plist file containing important OS X system information stored here:



The first part of this file is the file header. An examiner may use .plist file header text to carve for deleted .plist files in unallocated space. Previous .plist files may be used to reconstruct historic events such as user setting modifications and system updates and usage.
The  <dict> or dictionary container in this .plist file has five keys each with a paired key value that describes the local Mac computer.
The screenshot below is another SystemVersion.plist file recovered from a Mac running OS X 10.6.5 build 10H574, viewed using the BlackLight ‘Preview’ feature. BlackLight has a built-in .plist view that provides an easy way to analyze .plist files. The ‘ProductBuildVersion’ and the ‘ProductVersion’ keys are both tagged for inclusion in the examiner report. Examiners may tag entire .plist files, or single .plist objects as desired.

Important .plist File Objects
Let’s look at a more complex user .plist file stored here:



This .plist file, displayed using Xcode version 4,  is named franknstein.plist and belongs to the franknstein user account on the OS X machine we are analyzing. With the exception of the root dictionary key, each .plist object is an array. To the left of each array object, select the disclosure triangle to expand it to view the object type and object value.
This file contains several objects that are important to a Mac forensic examiner. For instance, salted SHA512 user password hashes are stored in this file on machines running OS X 10.7 or higher. In this example, the “ShadowHashData” array contains the salted SHA512 password hash for the franknstein account.
Decoding a salted SHA512 hash is beyond the scope of this blog entry, but let’s look at the hint, realname, and home objects, as they sometimes provide examiners with a user’s real identity and/or enough information to guess the user password.

The ‘hint’ object value contains the user account password hint. This is usually the hint the users provide when they create their user account and chose an account password, or if/when they change their password.  This value may be blank, may contain useful data, or may contain a sarcastic remark (the odds of the latter increase exponentially if the user is a member of the BlackBag training team!).
The ‘realname’ object value stores the user account full name. Each Mac OS X user account has a full name and a ‘shortname’ (sometimes called the account name). The full name is often the account owner’s real name or closely related to their real name, though this is not always the case. OS X by default automatically generates the shortname  as a lowercase, ‘one-word’ version of the full name. But, a user may customize the account shortname if they wish. The OS X operating system uses the shortname to name each user home directory.
In this example, the account realname value is Frank N. Stein and the account shortname is franknstein as seen in both the ‘home’ array object and the franknstein.plist filename.
The ‘home’ object value shows the user account filesystem location. OS X user account owners have privileges that allow them to store files and create new folders only within their own user account.
Mac OS X forensic analysts may apply  these analysis principles to any .plist file on an OS X system. However, .plist files are not used solely for system and user setting storage. A .plist file may be used to launch daemons, scripts, and applications too.
We will explore this in part three of this blog so stay tuned!
To learn more about BlackLight, please visit the BlackLight product page and BlackBag TV.

BlackBag Training Team
Latest posts by BlackBag Training Team (see all)