If you’ve ever wondered how Apple macOS stores vital information about your system and apps, the answer lies in plist files (Property List). These files serve as a native file format for macOS.
On a Mac, you will find hundreds of these plist files in the ~/Library/Preferences folder.
Think of these files as the macOS counterpart of the Windows Registry: they hold system- and app-related information and are also used to share information between different apps. When analysing a Mac forensic image, we need to examine these files for important artifacts.
There are essentially two types of plist files on macOS:
XML format (ASCII): XML-based plist files can be read using any web browser, XML reader or plain text viewer.
Binary plist: These are a bit more compact and efficient, but they need macOS or a third-party tool to be understood.
To convert a binary plist into XML format, run the following command:
$ plistutil -i source.plist -o dest.plist
Assuming “source.plist” is your binary file, “dest.plist” will pop up as its XML counterpart.
As we have seen, plistutil has successfully converted the binary plist file to XML format. Besides macOS, iPhone and iPad backups also contain hundreds of plist files that hold important artifacts. If you have an iOS backup, you can analyse it on Linux using a few basic commands and plistutil.
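The same triage can be scripted when a Preferences folder or backup holds hundreds of files. The following is an added example, not part of the original article or of NBFTools: it uses Python's standard plistlib module instead of plistutil to tell the two plist types apart by their header and write an XML copy of each file. The file names and sample values are constructed for the demonstration.

```python
import plistlib, tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

BINARY_MAGIC = b"bplist00"  # first 8 bytes of a binary property list

def plist_format(data: bytes) -> str:
    """Classify raw bytes as 'binary', 'xml' or 'unknown' from the file header."""
    if data.startswith(BINARY_MAGIC):
        return "binary"
    head = data[:64].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM / whitespace
    return "xml" if head.startswith((b"<?xml", b"<plist")) else "unknown"

def to_xml(data: bytes) -> bytes:
    """Parse either plist format and serialise the result as XML."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML)

def triage(folder: Path, out_dir: Path) -> dict:
    """Write an XML copy of each parseable *.plist; the evidence is only read."""
    out_dir.mkdir(parents=True, exist_ok=True)
    report = {}
    for path in sorted(folder.glob("*.plist")):
        data = path.read_bytes()
        kind = plist_format(data)
        if kind != "unknown":
            try:
                (out_dir / (path.name + ".xml")).write_bytes(to_xml(data))
            except (ValueError, ExpatError, TypeError):
                # damaged body, or a value type that XML plists cannot hold
                kind += " (not converted)"
        report[path.name] = kind
    return report

def demo() -> dict:
    """Run triage over constructed sample files (not real evidence)."""
    sample = {"LaunchCount": 7, "RecentDocuments": ["report.docx"]}
    binary = plistlib.dumps(sample, fmt=plistlib.FMT_BINARY)
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "Preferences"), Path(tmp, "xml")
        src.mkdir()
        (src / "com.example.app.plist").write_bytes(binary)
        (src / "com.example.xml.plist").write_bytes(plistlib.dumps(sample))
        (src / "truncated.plist").write_bytes(binary[:12])
        (src / "notes.plist").write_bytes(b"not a plist")
        report = triage(src, out)
        report["roundtrip_ok"] = plistlib.loads(
            (out / "com.example.app.plist.xml").read_bytes()) == sample
    return report

if __name__ == "__main__":
    print(demo())
```

Files that carry a plist header but fail to convert are reported rather than skipped silently, so a truncated or carved file still shows up in the triage report.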
Our analysis tool, NBFTools TRIOS, supports analysis of macOS forensic images and iOS backups. TRIOS easily parses these plist files to extract the artifacts and helps you solve forensic cases. For any query, please email us at info@nbftools.com.