Thursday, September 20, 2012

iParser: Automated Plist Parser Release


Let me preface this by saying, I.A.N.A.P.P. – I Am Not A Professional Programmer. I enjoy programming, and I hope others find this tool useful. If you find a bug, please let me know. If you have some suggestions or feature requests, please let me know. What may be intuitive to me may be totally off for others. I also wanted to thank Cheeky4n6Monkey for designing an icon for me as I have zero graphic skills, and Scott Zuberbuehler for doing some testing and making some suggestions for improvements.


What does it do?
The concept behind iParser is to provide an automatic way to gather various plist files from a Mac image into one place, rather than look for them every time an exam is conducted. You simply mount the image, point to the root directory, choose a user and let it run. It will gather system information, application preferences, network information and user information. It converts binary plist files into XML using the plutil that ships with iTunes, then parses the XML and generates a text report. Although you can use Notepad to view the report, I find that Notepad++ works better. If you are unfamiliar with plist files, please read here.

Using RegRipper by Harlan Carvey as my inspiration, I decided to use plug-ins to define the plist files so that users can add in plist files as they see fit. I used the OS X 10.7 artifact list by Sean Cavanaugh from http://www.appleexaminer.com/ as a starting point for the plist files that will be parsed.

What does it not do?
It does not convert the data within the plist file. For example, in the Safari History plist file, it will not convert the timestamp. It does not decode base64 data. It basically strips out the XML tags and builds a report.
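As an added example (not iParser's own code), the following Python script does what the post describes: it loads a plist (plistlib reads both binary and XML, so no plutil step is needed), flattens it into a key-path text report, and, going one step beyond the tool, decodes Safari's lastVisitedDate values, which Safari stores as seconds since 2001-01-01 UTC. The sample plist is constructed in the shape of a Safari History.plist entry.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Safari's History.plist (not a real capture).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key>lastVisitedDate</key>
      <string>369612000.5</string>
      <key>title</key>
      <string>Apple Examiner</string>
      <key>visitCount</key>
      <integer>3</integer>
    </dict>
  </array>
  <key>WebHistoryFileVersion</key>
  <integer>1</integer>
</dict>
</plist>
"""

# Mac "absolute time" epoch used by Safari: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_absolute_to_utc(seconds):
    """Convert a Mac absolute timestamp (seconds since 2001-01-01 UTC) to ISO-8601 UTC."""
    return (MAC_EPOCH + timedelta(seconds=float(seconds))).isoformat()

def flatten(node, path=""):
    """Walk nested plist dicts/arrays and yield (key_path, value) pairs."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from flatten(value, f"{path}[{index}]")
    else:
        yield path, node

def report(plist_bytes, timestamp_keys=("lastVisitedDate",)):
    """Load a binary or XML plist and build report lines, decoding the listed timestamp keys."""
    data = plistlib.loads(plist_bytes)
    lines = []
    for key_path, value in flatten(data):
        if key_path.rsplit("/", 1)[-1] in timestamp_keys:
            value = f"{value} ({mac_absolute_to_utc(value)})"
        lines.append(f"{key_path}: {value}")
    return lines
```

Running `report()` on the same data re-serialised with `plistlib.dumps(..., fmt=plistlib.FMT_BINARY)` produces the same lines, which is the binary-to-XML step iParser delegates to plutil.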

Looking ahead
Yes, this is a Windows based program (sorry). My hopes are to dig my heels in, learn some Perl, and make it cross-platform compatible. I have a newfound respect for the work and ingenuity of RegRipper and realize how spoiled I have been by such a great tool...

Requirements

  • Windows
  • Mounted Mac image or access to a Mac partition from Boot Camp
  • iTunes
  • .NET Framework (quick install if you don't already have it)

Plugins
The Plug-in files are in XML format. You can easily add a plist file that is not already included. I have detailed instructions on the format here, or just open and view some of the existing plug-ins to view the format. If you would like me to add any plug-ins to future releases, please email me:  arizona4n6 at gmail.com - or email me if you can't figure out the plug-ins and would like me to add a plist.


Download and Documentation
Download iParser here
View the Documentation here




8 comments:

  1. Hi Maria,

    I'm trying to point your tool at the root directory of my Mac image (E01), but I'm having trouble mounting it within Windows. Would you mind telling me which tool you use for this?

  2. I use FTK Imager which is free, and has the ability to mount E01 images:

    http://www.accessdata.com/support/product-downloads

  3. Thanks Mari, I'll give that a shot. Is iParser able to find the plist files for Dropbox, Skype, Firefox and Chrome? I'm doing some research involving the four of those applications, and if iParser isn't currently able to find any of those I'd be willing to write a plugin for it.

  4. iParser is not able to find those plist files. That would be great if you wrote some plugins. If you do, I will add them into the next roll out :-)

  5. I was looking through some of the plugins to get a feel for how they are written and saw that there are plugins for Skype and Chrome, but not Firefox or Dropbox. Are the plugins for Skype and Chrome just not functional or outdated?

    1. Sorry, thought I had replied to this and just saw that I hadn't. I did not develop plug-ins for Skype and Chrome as the test systems I had did not have these installed.

  6. Don't apologize for a Windows based app! All my stuff is .NET based. Everyone has Windows regardless of their posturing and for the VAST majority of FEs, GUIs > command line. =) Also, I'd go with Python over Perl hehe
