If you’ve ever wondered how Apple macOS stores vital information about your system and apps, the answer lies in plist files (Property List). These files serve as a native file format for macOS.
On a Mac, the ~/Library/Preferences folder holds hundreds of these plist files.
Think of these files as the macOS counterpart of the Windows Registry: they hold system and app related information and are also used to share information between different apps. When analysing a Mac forensic image, we need to examine these files for important artifacts.
There are essentially two types of plist files on macOS:
- XML format (ASCII)
The XML format based plist files can be read using any web browser or XML reader or simply using any text viewer.
- Binary Plist
These are a bit more compact and efficient, but they need macOS or a third-party tool to be understood.
There’s a helpful tool called “plistutil”, available on GitHub (libimobiledevice/libplist, a library to handle the Apple Property List format in binary or XML) and in the Ubuntu repository. It’s your translator for these binary files, converting them into human-readable XML files.
To install plistutil, run the following command:
$ sudo apt-get install libplist-utils
To convert a binary plist into XML format, run the following command:
$ plistutil -i source.plist -o dest.plist
Assuming “source.plist” is your binary file, “dest.plist” will pop up as its XML counterpart.
As we have seen, plistutil converts a binary plist file into XML format. This is not limited to macOS: iPhone and iPad backups also contain hundreds of plist files that hold important artifacts. If you have an iOS backup, you can analyse it on Linux using a few basic commands and plistutil.
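To run the same conversion over a whole copied Preferences folder or extracted backup instead of one file, the shell functions below walk a directory, detect binary plists by their leading "bplist" magic bytes, and write XML copies to a separate output directory. This is an added example, not code from the original article or the libplist project; the function names, the PLISTUTIL override and the source_hashes.sha256 manifest name are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Function names, paths and the
# PLISTUTIL override are assumptions made for this illustration.
PLISTUTIL=${PLISTUTIL:-plistutil}

# Binary plists begin with the ASCII magic "bplist" followed by a version
# ("00" in practice); XML plists begin with "<?xml".
is_binary_plist() {
    [ "$(head -c 6 2>/dev/null < "$1")" = "bplist" ]
}

# convert_plists SRC_DIR OUT_DIR
# Mirrors every *.plist under SRC_DIR into OUT_DIR as XML, never writing to
# SRC_DIR, and prints "<converted> <already_xml> <failed>".
# OUT_DIR must be outside SRC_DIR; file names containing newlines are not handled.
convert_plists() (
    src=${1%/}
    out=${2%/}
    mkdir -p "$out" || exit 1
    find "$src" -type f -name '*.plist' | {
        conv=0 xml=0 failed=0
        while IFS= read -r f; do
            dest=$out/${f#"$src"/}
            mkdir -p "$(dirname "$dest")"
            # Hash the original so later findings can be tied back to it.
            sha256sum "$f" >> "$out/source_hashes.sha256"
            if is_binary_plist "$f"; then
                if "$PLISTUTIL" -i "$f" -o "$dest" 2>/dev/null; then
                    conv=$((conv + 1))
                else
                    failed=$((failed + 1))  # truncated or corrupt: count it, keep going
                fi
            elif cp "$f" "$dest"; then
                xml=$((xml + 1))            # already XML: copy unchanged
            else
                failed=$((failed + 1))
            fi
        done
        echo "$conv $xml $failed"
    }
)
```

Run it against a working copy of the evidence, for example `convert_plists ./Preferences ./Preferences_xml`, and review any file counted as failed by hand.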
Our analysis tool, NBFTools TRIOS, supports analysis of macOS forensic images and iOS backups. TRIOS easily parses these plist files to extract the artifacts and helps you solve forensic cases. For any query, please email us at info@nbftools.com.