The third blog in the series following on from Using the Generic SQLite Database Parser EnScript in forensic examination of a mobile device, will focus on Apple Property List (plist). Plists are used to store user and system related information and are usually found in either a binary or XML format, some will have relevance in DFIR examinations of Apple devices.
Whilst OpenText™ EnCase™ and OpenText™ EnCase™ Mobile Investigator has automated functionality to parse and present content from some iPhone and iPad plists, there may be a need to parse others and extend the reach of supported artifacts.
In common with the previous blog where EnScript programs were introduced for viewing and parsing SQLite databases, EnScript is again the savior. The ability to parse Apple plist is the function of either:
- Generic Plist Parser EnScript
- Plist Viewer EnScript Plugin
The Generic Plist Parser can automate the parsing of plist simultaneously, whereas the Plist Viewer Plugin is great for an individual or ad-hoc parse. Both of these EnScript programs have a place in the EnCase toolbox, they are invaluable neither of which I could be without.
The Plist Viewer Plugin is great when researching a new property list, perhaps from an iOS update or a new app of interest. Whilst there is much more functionality within the Plist Viewer Plugin, it does provide great functionality to have a quick look at the contents of a plist and decide on the relevance. Being able to initiate from the contextual menu makes it quick and simple to use.
Take for example a binary property list from iOS called IconState.plist, which can be examined to determine app layout for an iPhone or iPad home screen(s). Initiating the Plist Viewer plugin from the contextual menu, relevant content can be bookmarked for use within a report or written to a logical evidence file (LEF). In addition options are present within the Plist Viewer Plugin output to bookmark or write to LEF the complete parsed structure of the plist
The Plist Viewer Plugin was invaluable during research and examination of the SQLite databases BrowserState.db and SafariTabs.db. Dependent on the version of iOS or iPadOS, they can be used by mobile Safari to maintain a ‘state’ of open tabs in the browser.
So how does a Plist Viewer aid in the examination of a SQLite database?
Both the BrowserState.db and SafariTabs.db contain fields that use a BLOB data type to store property list. SafariTabs.db being the newer database, using that as an example.
During initial research, the BLOB from the local_attributes field was initially extracted directly from the SQLite database and introduced to EnCase, then for efficiency using the SQLite BLOB extractor EnScript.
In either instance – a plist needed parsing.
Using the Plist Viewer Plugin as a research tool, viewing the structure exposed an embedded binary plist, SessionState.
Research and examination, initially using an external SQLite viewer and the Plist Viewer Plugin within EnCase, showed reference to web pages that had been browsed in open Safari tabs, even if that open tab is ‘private’. Pretty neat ‘private’ internet related activity that would not have been discovered in the internet history.
This led to the development of EnScripts that automated the process:
- BrowserState.db parser
- SafariTabs.db parser
Illustrated below, output from the SafariTabs.db parser EnScript highlights one of the parsed records where an open Safari tab had been used for private browsing. The parsed content includes that from the binary plist stored as BLOB shown earlier, and the embedded binary plist as seen with the Plist Viewer Plugin in EnCase.
highlighting record #21 and sample parsed information
Due to the increased prevalence of Apple using a BLOB data type to store plists in SQLite databases, the SQLite BLOB Extractor EnScript was updated to automate the parsing of the BLOB as a plist:
The Generic Plist Parser EnScript excels at parsing multiple property lists simultaneously, including functionality to pre-configure with known plists, those which are invaluable to any and every investigation. They can be selected and efficiently parsed at the very beginning of the forensic examination.
As can be seen below, a selection of iOS plists have been custom configured within the Plist Parser. Some artifacts from these may not automatically be parsed by EnCase but is made possible by the excellent support within EnScript. The power is in the hands of the examiner, allowing for full customization and flexibility, especially crucial in the ever-evolving field of mobile device forensics.
EnCase has features and support for an array of mobile devices and artifacts. As has been discussed in this series of blogs, an examiner can go beyond that core functionality and extend the artifact reach. Be that for a new artifact which is pivotal to a forensic examination, or to validate the output from the forensic tool, there are a collection of EnScripts to aid the parsing of the data structures discussed.
The qualified Learning Services EnCase training team have years of experience of EnCase Security products, services and delivering training.
The EnScripts discussed are demonstrated and used during both the DF125 Mobile Device Examinations with EnCase and the DF420 Mac Examinations with EnCase courses. They can be registered for and purchased individually or taken as part of the OpenText Learning Subscription, Security Edition Premium .
