PLIST Files
The Macintosh operating system, version 10, is rich with
files called “property list files” or “p” list files if you
pronounce them aloud. A Windows user/administrator/examiner
will frequently ask where the registry is on a Mac. The
answer is, the Macintosh does not have a registry. There is
no central location that can be equated to the Microsoft
designed registry. With Mac OS X, the property list file has
been used for application settings, user preferences,
security settings, and many, many other uses.
A property list file is an XML file. It might be in plain
text and simply read by your favorite text editor. It is also
possible that the property list file is a binary property
list file and you will not be able to read it directly unless
you use an application such as Apple’s free Property List
Editor.
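There is also the Terminal command called plutil, which is
used like this:
plutil -convert xml1 -o - /path/to/file.plist
where the path is the file you wish to view. The output of
this command is text to your screen with the contents of the
file. The "-o -" option is what sends the converted XML to
your screen; without it, plutil rewrites the file itself in
XML form.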
Property List Editor is available free thru Apple’s
Developer website as a part of their Developer Tools. You
need this on your forensic examination Macintosh!
Below is an example of the property list file
/Library/Preferences/com.apple.loginwindow.plist. We will
explore it in 3 forms.
com.apple.loginwindow.plist in binary form
First, we have the com.apple.loginwindow.plist in its native
form, binary (seen above). Apple has this property list file
encoded in binary format and this is what you will see when
attempting to look at it with any text viewer, such as the
‘more’ command in Terminal as seen here. If you are using
Encase, FTK, X-Ways, or similar Windows based forensic
products, expect the same output when you click on these
files.
(We have finally found a PLIST editor for Windows here.)
com.apple.loginwindow.plist in XML form
Second, we have the same file decoded to its XML form. This
is easily read by any text viewer. A property list file that
has been binary encoded can be easily decoded to its XML form
by using the Terminal command “plutil”. But, as we can see
from our third example, there is little need to go thru that
Terminal typing challenge.
com.apple.loginwindow.plist in Property List Editor
The above example shows how the same file is neatly decoded
and interpreted by the Apple application Property List
Editor. Not only is this easier on the eyes, it makes for
much nicer reporting. Property List Editor is terrible for
printing to PDF files unfortunately, but it allows you to
make window captures (as seen here) or you can export the
data to an application that can read the XML file if you need
to do something further with it. Typically, a window capture
will suffice.
Now that we understand how to read the data, we need to know
where to find it. The web page Initial Data Gathering
mentioned several property list files that contain excellent
data that will likely make its way into many of your cases,
but that is just the start.
There are 4 “Library” folders that the operating system can
access during operation. They are:
- /Users/username/Library
- /Library
- /Network/Library
- /System/Library
Each of these Library folders contains folders such as
“Preferences” which are a gold mine for property list files.
Don’t stop here though. There are also folders that don’t
typically display in the Finder, such as:
- /private/etc
- /private/var
These folders have a huge directory structure that contains a
wealth of files, some of which are property list files.
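Added example (not from the original page): a Python script that walks a folder tree, opens every .plist file read-only, and decodes it whether it is binary or XML, using the standard plistlib module. The com.example.* file names and the keys in the sample tree are constructed for illustration.

```python
import os
import plistlib
import tempfile

BINARY_MAGIC = b"bplist00"  # header bytes of a binary property list


def read_plist(path):
    """Return (encoding, data) for one plist, opening it read-only."""
    with open(path, "rb") as fh:
        raw = fh.read()
    encoding = "binary" if raw.startswith(BINARY_MAGIC) else "xml"
    return encoding, plistlib.loads(raw)  # loads() decodes both encodings


def inventory(root):
    """Walk root and return {relative_path: (encoding, data)}."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".plist")):
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            try:
                found[rel] = read_plist(path)
            except Exception:  # damaged or mislabeled file: record it, keep going
                found[rel] = ("unreadable", None)
    return found


def build_sample_tree(root):
    """Constructed sample data, not taken from a real system."""
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    sample = {"ExampleUser": "jdoe", "ExampleFlag": True}
    for name, fmt in (("com.example.binary.plist", plistlib.FMT_BINARY),
                      ("com.example.xml.plist", plistlib.FMT_XML)):
        with open(os.path.join(prefs, name), "wb") as fh:
            plistlib.dump(sample, fh, fmt=fmt)
    with open(os.path.join(prefs, "com.example.broken.plist"), "wb") as fh:
        fh.write(b"not a plist")
    return sample


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, (encoding, data) in sorted(inventory(tmp).items()):
            print(f"{encoding:10} {rel}  {data}")
```

Point inventory() at a mounted copy of one of the Library folders listed above; it only reads files, so the originals are left unchanged.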
So, now that we have made the entire hard drive and network
fair game for property list files, let’s end this on a
good note and focus on the data that we need. Mac OS X is a
very organized operating system. When you are looking for
data that represents settings for a particular user, you
should immediately focus on the directories:
- /Users/username/Library
- /Network/Library (if there is a network server involved
in your case)
User “space” is confined to the user’s Home folder. All
settings, such as property list files, will be found in the
Home folder Library.
When there are global settings that affect the system, you
should be looking at the folder:
Every analysis will be unique and the property list files
that you need to include to support your conclusions will
vary. If you are having trouble finding particular data,
contact us or post your question in the forums.