Plists, XML and XPATH – A Series Pt. 4

Greetings from Veenendaal NL! While most of my colleagues from the Amsterdam Police are enjoying SinterKlaas, I thought I would post the next installment in my series on Plists, XML and XPATH.

In this installment we continue to break open the reverse engineering of Alex Caithness’ paper “Property Lists in Digital Forensics”. In our last installment we ended just before looking at the type descriptor byte of our first object.

type_descriptor

Data Type Descriptors

We see that the first byte of our first object is \xD4. Converting this to binary we get the value 1101 0100, which our table tells us is a dictionary. Remember that a dictionary is a collection of key-value pairs. Our table tells us that the second nibble of our byte(4) reveals that the amount of object reference pairs that are present in the dictionary. However, since they are pairs we have to double the amount to get the both the key and the value. The total number of object references in this dictionary are therefore 8. Looking at our bplist file we see that this is indeed true.

Dictionary collection object references

Dictionary collection object references

Since the beginning dictionary for our 0th entry we see that the first object reference after the dictionary is \x01. This refers to the index in the offset table – since the dictionary was found from the 0th index, the first object is found at index #1. The value at the first position is \x00\x11 or decimal 17.

Offset to first object reference of dictionary

Offset to first object reference of dictionary

Going to offset 17 we see that we have \x5f which converted to binary is 0101 1111. Our table indicates that this is a string and the left nibble of the byte “F” tells us that an integer byte follows to give us the length of the string. That byte is \x10 which is 0001 0000 – the data type for an integer. Since 2^0  = 1(remember that length of this data type is 2^nnnn), the length of the data will be read in the next byte – \x0F or 15. Sweeping fifteen bytes after this byte we see that we have the string of  “WebBookmarkType”.

ASCII representation of first object reference

ASCII representation of first object reference

Let’s verify our findings another way. Let’s look at the binary plist decoded into XML to see if our work with the hex is correct. Here we see that the first object is indeed a dictionary and that the first object of the dictionary is a key called “WebBookmarkType”. So far so good!

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>  -> Our first object at the 0th position of the offset table.
    <key>WebBookmarkType</key>  -> The first object of the dictionary collection. This was found at the first 
                                   position of the offset table as indicated by the dictionary object 
                                   reference.

Moving on, the dictionary object reference points to the second index of the offset table.  The value here is \x00\x23. This converts to decimal 35. We find another string – \x5f – at this offset. Reading the next two bytes – \x10 for the integer byte and \x0F for the length (again 15) – we can sweep for our string value, which is in this instance “WebBookmarkUUID”

Second object reference

Second object reference

ASCII Representation of second object reference

ASCII Representation of second object reference

Let’s again check our converted bplist to see if we got it right.

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>
    <key>WebBookmarkType</key>  
    <string>WebBookmarkTypeList</string>
    <key>WebBookmarkUUID</key>

 

Hey wait a second, <string>WebBookmarkTypeList</string> follows “WebBookmarkType”!

No, you haven’t parsed the hex incorrectly. The “value” of the key-value pairs follows in the hex after all the keys have been identified in the order that the keys are identified in the dict object pairs. Don’t believe me? Ok you Philistines, check out the fifth index of the offset table – remember that its zero based so count to five starting at zero. Did you find \x00\x57 (decimal 87)? Good. Now jump back to the bplist and find offset 87 – you should see a \x5f (by now you should guess that its a string). Its followed by integer byte \x10 and then the length by \x13 which converts to decimal 19 for the length of the string in bytes. Now sweep 19 bytes. Did you find “WebBookmarkTypeList”?

Offset to fifth object reference

Offset to fifth object reference

ASCII representation of fifth object reference

ASCII representation of fifth object reference

Recalling the XML conversion of the bplist is “WebBookmarkTypeList” the string value of the key “WebBookmarkType”? You betcha it is!

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>
    <key>WebBookmarkType</key>  
    <string>WebBookmarkTypeList</string>
    <key>WebBookmarkUUID</key>

 

This pattern repeats itself for each of the keys value pairs in the dictionary until it reaches the fourth key. Remember a key can contain as the data type of the element following another collection. This is indeed what we find as the fourth object of the topmost dictionary.

Our examination of the fourth object of the topmost dictionary will start us off on the next installment of our series. Until then, I wish you all the best in your forensic endeavors and a very good SinterKlaas!

References

Apple Inc. (2012) Mac OS X Reference Library, Manual Page for PLIST(5), [Online], Available:https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man5/plist.5.html [October 23 2012]

Caithness, Alex (2010). Property Lists in Digital Forensics, Available:  http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf, CCL Solutions Group Ltd: Stratford upon-Avon, UK

Eckstein, Robert & Casabianca, Michel(2001). XML Pocket Reference (2nd edition). Sebastopol, CA:O’Reilly and Associates Inc.

Erack Network(2012). Xpath – predicates[Online}, Available:  http://www.tizag.com/xmlTutorial/xpathpredicate.php, [November 1, 2012]

Wikimedia Foundation(2012) Wikipedia: XML[Online], Available: http://en.wikipedia.org/wiki/XML, [October 30, 2012]

World Wide Web Consortium(2012) Extensible Markup Language Tutorial (XML)[Online], Available: http://www.w3schools.com/xml/ [October 24, 2012]

World Wide Web Consortium (2012) Extensible Markup Language (XML) [Online], Available: http://www.w3.org/XML/ [ October 24,  2012]

World Wide Web Consortium(2012) XPATH Tutorial, [Online], Available: http://www.w3schools.com/xpath/default.asp/ [October 28, 2012]

About these ads

Let Me Know Whatcha Think....

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s