sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Feature request - Plist and binary plist Viewer #1773

Open joao-fernando opened 1 year ago

joao-fernando commented 1 year ago

I was analyzing a macbook pro time machine backup and noticed that IPED doesn't show any information about the OS and the user. Several preferences (MRUs, user info, network info, and many more) on MacOS are saved as plist files (plist, bplist and sometimes sfl2 extensions) but IPED cannot parse them.

These files were all parsed by X-TIKA:Parsed-By: iped.parsers.standard.RawStringParser and a lot of information cannot be read (it's binary).

It would be nice if this kind of parser could be implemented on IPED.

Maybe https://github.com/3breadt/dd-plist can help.

I can provide several files for testing if necessary.

Thanks in advance!

lfcnassif commented 1 year ago

Actually we already have a plist parser since version 4: https://github.com/sepinf-inc/IPED/blob/12a615d2ca60a094cc0daf1ca92eaae593aec64c/iped-app/resources/config/conf/ParserConfig.xml#L26

If you are using version 4, please check if that parser is enabled in your profile.

joao-fernando commented 1 year ago

I'm using version 4.1.3.

The majority of plist files on macOS are binary plists. They are different from ordinary plists and IPED doesn't parse them. bplist files have a different header.

lfcnassif commented 1 year ago

> Maybe https://github.com/3breadt/dd-plist can help.

We are using exactly this library, through the Tika library.

> If you are using version 4, please check if that parser is enabled in your profile.

Please check the profile.

> I can provide several files for testing if necessary.

That would help a lot, please send them to me privately, thanks.

lfcnassif commented 1 year ago

Please also check how IPED detected those files, check the contentType property. Maybe that is a signature issue and the files aren't being redirected to the correct parser.

joao-fernando commented 1 year ago

The detected contentType is application/x-bplist, so it's correct.

I think I'm talking about parsers when in fact I'd like a preview of the file...

The text tab displays the text content of the bplist file, but the preview is empty. And the file is XML-like, so it would be nice to be able to see the keys and navigate through them.

lfcnassif commented 1 year ago

> X-TIKA:Parsed-By: iped.parsers.standard.RawStringParser

The info above says the files were parsed by the wrong parser at first; this needs further investigation.

> The text tab displays the text content of the bplist file, but the preview is empty.

Right. We don't have Viewers for all parsed file types, XML is one of them. An XML or Plist Viewer would be a useful new feature for sure.
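To make the two points in this thread concrete (telling a binary plist from an XML plist by its header, which is what the contentType detection relies on, and turning the parsed dictionary into the navigable key tree a viewer would show), here is an added example that is not IPED's or dd-plist's code. It uses Python's standard `plistlib`, and the sample plist is constructed inline rather than taken from a real Time Machine backup.

```python
import plistlib
from typing import Any, Iterator

# Binary plists start with the "bplist00" magic; XML plists are text that
# begins with an XML prolog or the <plist> root element.
BPLIST_MAGIC = b"bplist00"

def detect_plist_kind(data: bytes) -> str:
    """Return 'bplist', 'xml' or 'unknown' from the first bytes of the file."""
    if data.startswith(BPLIST_MAGIC):
        return "bplist"
    head = data.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"

def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Flatten nested dicts/arrays into (key path, leaf value) pairs,
    i.e. the key tree a plist viewer would let the examiner navigate."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node

def plist_tree(data: bytes) -> dict[str, Any]:
    """Parse either encoding (plistlib autodetects) into {key path: value}."""
    if detect_plist_kind(data) == "unknown":
        raise ValueError("not a plist: neither bplist00 header nor XML prolog")
    return dict(walk(plistlib.loads(data)))

# Constructed sample (hypothetical preferences, not a real macOS artifact),
# serialized once as a binary plist and once as an XML plist.
SAMPLE = {"RecentDocuments": ["/Users/demo/notes.txt", "/Users/demo/report.pdf"],
          "Network": {"Hostname": "demo-mbp", "Wifi": True}}
SAMPLE_BPLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
SAMPLE_XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    for blob in (SAMPLE_BPLIST, SAMPLE_XML):
        print("detected:", detect_plist_kind(blob))
        for key_path, value in plist_tree(blob).items():
            print(f"  {key_path} = {value!r}")
```

Both encodings yield the same key tree, which is the point: a viewer only needs the parsed dictionary, and the header check is what routes the file to the right parser in the first place.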