The information contained within these files is different for each program on the system.
- Stay ahead with the world's most comprehensive technology and business learning platform.!
- hp officejet 6000 wireless driver mac!
- mov to flv converter mac os x!
- Apple Developer Tools - Wikipedia!
Each contains the settings for the program, which calls the plist. Similar to Windows Registry entries, if you change any value set in the file, the program will run differently. It should be noted that plist are not a Mac OS X item. They are actually found within Linux and Unix distributions.
Structure of Property List Plists can take one of three different formats. The most recent, and more common, format one will see is the XML format. This format is more portable then that of the alternatives and can be edited manually where as the other two options are not. Binary formatted plists will perform faster if the plist is a large collection of data.
It is obviously very hard to read in this format. If you were to open this same file in a plist editor one can clearly see the structure of the file better as seen in Figure 2. For more information on Cocoa and Core Foundation, please refer to the links in the reference. Figure 3 below shows a table of the plist types and various representations. File Juicer also has a free trial period that was used for this research paper.
Both programs were fully functional during the trials. Plist Examination Plist as Logs In most cases, data is only written to plists on the initial install of a program or when OS X is first installed. In all other cases plists are written each time a program is run. For the purpose of this paper, the plists that are being looked at are updated each time they are used. We will be looking at plist files related to the following: autorun locations, recent items, wireless networks, mounted devices, Internet history, and installed programs, as they relate to their Mac OS X equivalent locations.
This has a very similar meaning in the Mac world. On a Mac, the location of this information is in the loginitems. An examiner should look at this location to see what programs or applications are of any evidentiary value to the case. For the most part, when someone installs a program on a Windows machine, the program has a default setting of starting on boot.
On the Mac side of installations, this is not as accurate. The loginitems. The MRU is a list of recent programs and files accessed. Multiple lists are created throughout the registry. The sites that have been most recently visited are kept in a list for the user to go back to if needed. This entry holds information about the most frequent programs used by a user. These entries are actually encrypted using the ROT algorithm.
In the Mac environment, these lists are more limited. During the research for this paper, only one location could be found with recently open items. Within the settings for each section, a user can increase or decrease the amount of records that are kept. By default, Mac OS X keeps track of the last Figure 4a below shows an entry into the applications section of the plist.
Figures 4b and 4c show the most recent files opened and hosts connected to, respectively. Although, it can be beneficial for an examiner, if the user has only connected to a select few hosts. The SSID or service set identifier is recorded for all wireless networks that are added to the users preferred network connections. This can include connections to Wi-Fi hotspots at Starbucks or similar hotspots.
This is similar on a Mac.
By using the two of these files together, an examiner can see the last date that the computer was connected to that network by looking at the com. Also, you can see that the security type and password are shown. The password is hashed.
Figure 5a com. In there they will find the corresponding date on an entry to find out more information about the network including: DNS servers, IP address, the interface used wired or wireless , subnet mask, and router IP. Figures 5b-5d show the information. By getting a subpoena, an examiner can get log histories for the owner of the network. On a Mac, this is not true. While a Mac does recorded that a USB device was connected to a machine, it does not record the serial number of that device.
In figure 6a you can see Volumes that were mounted. Figure 6a Volumes Mounted When a user downloads a program on a Mac, a.
This is equivalent to an installed. On the Mac, these files are mounted in order for the user to see the install program. These files are also noted in this plist. Figure 6b shows an example of some. Figure 6b Software DMG's An examiner can use this list to see if software was ever downloaded onto the computer. For example, if an examiner is looking through a Mac to see if any kind of encryption software has been installed, it can be seen here that TrueCrypt was downloaded and mounted at some point.
If the suspect says they have never looked into encryption software, the examiner can prove that they have. With the advancement of technology, criminals are starting to hide information on iPods. With this file, the examiner can verify if an iPod has been connected to that computer. In figure 7 you can see that an iPod has been connected to the computer. If, in a case, a suspect states that they do not have an iPod, this file can show that an iPod has been used.
The connected date shown above, shows the last date the iPod was in use on the suspects computer. The examiner can also prove how many times the iPod has been connected to that computer by the use count variable shown above. On a Mac, Safari has a similar setup. Plists related to browsing history, download history, and cookies, each have their own location.
PLIST File Extension - What is a .plist file and how do I open it?
Website by Brent Cameron Design. Free Trial Online Store. Oops Features unlimited undo support. Playing Favorites Assign keyboard shortcuts to open your favorite property list files. Key Features Full keyboard navigation: edit your property lists without ever having to touch the mouse. Preferential Treatment Easily tweak your preferences files using the built-in preference browser.