Let me preface this with saying, I.A.N.A.P.P. – I Am Not A Professional Programmer. I enjoy programming, and I hope others find this tool useful. If you find a bug, please let me know. If you have some suggestions or feature requests, please let me know. What may be intuitive to me may be totally off for others. I also wanted to thank Cheeky4n6Monkey for designing an icon for me as I have zero graphic skills, and Scott Zuberbuehler for doing some testing and making some suggestions for improvements.
What does it do?
The concept behind iParser is to provide an automatic way to gather various plist files from a Mac image into one place, rather than look for them every time an exam is conducted. You simply mount the image, point to the root directory, choose a user and let it run. It will gather system information, application preferences, network information and user information. It converts binary plist files into XML using the iTunes plutil, then parses the XML and generates a text report. Although you can use Notepad to view the report, I find that Notepad++ works better. If you are unfamiliar with plist files, please read here.
Using RegRipper by Harlan Carvey as my inspiration, I decided to use plug-ins to define the plist files so that users can add in plist files as they see fit. I used the OS X 10.7 artifact list by Sean Cavanaugh from http://www.appleexaminer.com/ as a starting point for the plist files that will be parsed.
What does it not do?
It does not convert the data within the plist file. For example, in the Safari History plist file, it will not convert the timestamp. It does not decode base64 data. It basically strips out the XML tags and builds a report.
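The two conversions left to the examiner, as an added example that is not part of iParser or the original post: it reads a History plist in either XML or binary form, converts the visit timestamp and returns decoded `<data>` values. It assumes the Safari History.plist layout of that era (`WebHistoryDates`, `lastVisitedDate` stored as Mac absolute time, the URL under an empty key); the sample plist and the `SampleBlob` key are constructed for illustration.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Mac absolute time counts seconds from 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample, not from a real image. Key names follow the
# Safari History.plist layout (assumption; the page does not list them).
# SampleBlob is a hypothetical key added to show a <data> value.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>http://example.com/</string>
      <key>title</key><string>Example</string>
      <key>lastVisitedDate</key><string>368138004.5</string>
      <key>visitCount</key><integer>3</integer>
    </dict>
  </array>
  <key>SampleBlob</key><data>aVBhcnNlcg==</data>
</dict>
</plist>"""

def mac_absolute_to_utc(value):
    """Convert a Mac absolute timestamp (string or number) to UTC."""
    return MAC_EPOCH + timedelta(seconds=float(value))

def parse_history(raw):
    """Parse History plist bytes (XML or binary) into visit records."""
    plist = plistlib.loads(raw)  # XML vs. binary is auto-detected
    return [{
        "url": entry.get(""),  # the URL is stored under an empty key
        "title": entry.get("title"),
        "visit_count": entry.get("visitCount"),
        "last_visited_utc": mac_absolute_to_utc(entry["lastVisitedDate"]),
    } for entry in plist.get("WebHistoryDates", [])]

def data_values(raw):
    """Return top-level <data> values; plistlib base64-decodes them to bytes."""
    plist = plistlib.loads(raw)
    return {k: v for k, v in plist.items() if isinstance(v, bytes)}

if __name__ == "__main__":
    for visit in parse_history(SAMPLE):
        print(visit["last_visited_utc"].isoformat(), visit["url"])
    print(data_values(SAMPLE))
```

Because `plistlib` reads binary plists directly, this path does not need plutil; keep timestamps in UTC in the report and note any local-time conversion separately.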
Looking ahead
Yes, this is a Windows-based program (sorry). My hopes are to dig my heels in, learn some Perl, and make it cross-platform compatible. I have a newfound respect for the work and ingenuity of RegRipper and realize how spoiled I have been by such a great tool...
Requirements
- Windows
- Mounted Mac Image or access to Mac partition from Boot Camp
- iTunes
- .NET Framework (quick install if you don't already have it)
Plugins
The plug-in files are in XML format. You can easily add a plist file that is not already included. I have detailed instructions on the format here, or just open and view some of the existing plug-ins to view the format. If you would like me to add any plug-ins to future releases, please email me: arizona4n6 at gmail.com - or email me if you can't figure out the plug-ins and would like me to add a plist.
Download and Documentation
Download iParser here
View the Documentation here
Very nice work Mari!
Hi Maria,
I'm trying to point your tool at the root directory of my Mac image (E01), but I'm having trouble mounting it within Windows. Would you mind telling me which tool you use for this?
I use FTK Imager which is free, and has the ability to mount E01 images:
http://www.accessdata.com/support/product-downloads
Thanks Mari, I'll give that a shot. Is iParser able to find the plist files for Dropbox, Skype, Firefox and Chrome? I'm doing some research involving the four of those applications, and if iParser isn't currently able to find any of those I'd be willing to write a plugin for it.
iParser is not able to find those plist files. That would be great if you wrote some plugins. If you do, I will add them into the next roll out :-)
I was looking through some of the plugins to get a feel for how they are written and saw that there are plugins for Skype and Chrome, but not Firefox or Dropbox. Are the plugins for Skype and Chrome just not functional or outdated?
Sorry, thought I had replied to this and just saw that I hadn't. I did not develop plug-ins for Skype and Chrome as the test systems I had did not have these installed.
Don't apologize for a Windows-based app! All my stuff is .NET based. Everyone has Windows regardless of their posturing and for the VAST majority of FEs, GUIs > command line. =) Also, I'd go with Python over Perl hehe