I apologize. I didn’t mention in my post on Windows 8 64 bit that I was running PA/XRY in a virtual machine. Nor did I mention that my 32 bit XP box (in which XRY/PA worked just fine) was also a VM.

I apologize as well that I failed to follow up yesterday and post that I successfully installed Windows 7 ultimate 64 bit in a VM and got both PA XRY Complete to run just fine.

As Jansen Cohoon of Micro Systemation pointed out to me on Twitter he has Win 8 64 bit and XRY working fine on a dedicated Windows box.

I should have been more explicit in my post and mentioned the VMs. I should have followed up. I also should have been more scientific in my trouble shooting.

I got frustrated and ran out of time for my testing….but that’s a cop out. I owe it to you all to be more thorough.

So I’ll test it all again on the VM and again test it on some dedicated boxes when I can get my hands on them (they are being used in a course).

Thank you to those who pointed out my mistakes. I’d like to hear from people if they are also having problems using Win 8 in a VM. I know a lot of us use VMs for forensics. Perhaps my host needs some more TLC!

To recap :

• I was using a 64 bit Win 8 VM when I couldn’t get XRY/PA to work.
• My 32 bit XP VM runs PA and XRY just fine
• My 64 bit Win 7 VM runs XRY and PA without a hitch
• Test and validate!

Sincerely,

Mike

P.S. Always follow your own advice

“But Mike,” you say concerned, “Whatever do you mean? How can I help?”

Thanks for the offer but there is nothing you can do – unless of course you have a Delorian and a Flux Capacitor.

You see, I foolishly tried to install a copy of Windows 8 64 bit as my OS to use with Cellebrite’s Physical Analyzer and MSAB’s XRY Complete. And I got…bubkes.

Oh the software seemed to run right, yes indeedy. But the dongles wouldn’t work. Neither WIBU or HASP.

“Mike, did you check to see if Win 8 was supported by Cellebrite or MSAB?”

Grrr…No.

I thought I’d give it a shot. I wanted it to work. I figured as long as I was updating my wheezy XP box, I’d go to the latest OS….

…and I got burned. No soup for me.

Ahh, well at least I’m a good example. Three things though

1. Dongle vendors UPDATE YOUR DRIVERS

2. DON’T TRY TO USE WIN 8 for PA or XRY (yet!)

3. Don’t be like me – RTFM!

Have a good one

Its time to settle this with a poll. So, what do you think?

In this installment we continue to break open the reverse engineering of Alex Caithness’ paper “Property Lists in Digital Forensics”. In our last installment we ended just before looking at the type descriptor byte of our first object.

Data Type Descriptors

We see that the first byte of our first object is \xD4. Converting this to binary we get the value 1101 0100, which our table tells us is a dictionary. Remember that a dictionary is a collection of key-value pairs. Our table tells us that the second nibble of our byte(4) reveals that the amount of object reference pairs that are present in the dictionary. However, since they are pairs we have to double the amount to get the both the key and the value. The total number of object references in this dictionary are therefore 8. Looking at our bplist file we see that this is indeed true.

Dictionary collection object references

Since the beginning dictionary for our 0^th entry we see that the first object reference after the dictionary is \x01. This refers to the index in the offset table – since the dictionary was found from the 0^th index, the first object is found at index #1. The value at the first position is \x00\x11 or decimal 17.

Offset to first object reference of dictionary

Going to offset 17 we see that we have \x5f which converted to binary is 0101 1111. Our table indicates that this is a string and the left nibble of the byte “F” tells us that an integer byte follows to give us the length of the string. That byte is \x10 which is 0001 0000 – the data type for an integer. Since 2^0  = 1(remember that length of this data type is 2^nnnn), the length of the data will be read in the next byte – \x0F or 15. Sweeping fifteen bytes after this byte we see that we have the string of  “WebBookmarkType”.

ASCII representation of first object reference

Let’s verify our findings another way. Let’s look at the binary plist decoded into XML to see if our work with the hex is correct. Here we see that the first object is indeed a dictionary and that the first object of the dictionary is a key called “WebBookmarkType”. So far so good!

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>  -> Our first object at the 0th position of the offset table.
    <key>WebBookmarkType</key>  -> The first object of the dictionary collection. This was found at the first 
                                   position of the offset table as indicated by the dictionary object 
                                   reference.

Moving on, the dictionary object reference points to the second index of the offset table.  The value here is \x00\x23. This converts to decimal 35. We find another string – \x5f – at this offset. Reading the next two bytes – \x10 for the integer byte and \x0F for the length (again 15) – we can sweep for our string value, which is in this instance “WebBookmarkUUID”

Second object reference

ASCII Representation of second object reference

Let’s again check our converted bplist to see if we got it right.

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>
    <key>WebBookmarkType</key>  
    <string>WebBookmarkTypeList</string>
    <key>WebBookmarkUUID</key>

Hey wait a second, <string>WebBookmarkTypeList</string> follows “WebBookmarkType”!

No, you haven’t parsed the hex incorrectly. The “value” of the key-value pairs follows in the hex after all the keys have been identified in the order that the keys are identified in the dict object pairs. Don’t believe me? Ok you Philistines, check out the fifth index of the offset table – remember that its zero based so count to five starting at zero. Did you find \x00\x57 (decimal 87)? Good. Now jump back to the bplist and find offset 87 – you should see a \x5f (by now you should guess that its a string). Its followed by integer byte \x10 and then the length by \x13 which converts to decimal 19 for the length of the string in bytes. Now sweep 19 bytes. Did you find “WebBookmarkTypeList”?

Offset to fifth object reference

ASCII representation of fifth object reference

Recalling the XML conversion of the bplist is “WebBookmarkTypeList” the string value of the key “WebBookmarkType”? You betcha it is!

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>
    <key>WebBookmarkType</key>  
    <string>WebBookmarkTypeList</string>
    <key>WebBookmarkUUID</key>

This pattern repeats itself for each of the keys value pairs in the dictionary until it reaches the fourth key. Remember a key can contain as the data type of the element following another collection. This is indeed what we find as the fourth object of the topmost dictionary.

Our examination of the fourth object of the topmost dictionary will start us off on the next installment of our series. Until then, I wish you all the best in your forensic endeavors and a very good SinterKlaas!

References

Apple Inc. (2012) Mac OS X Reference Library, Manual Page for PLIST(5), [Online], Available:https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man5/plist.5.html [October 23 2012]

Caithness, Alex (2010). Property Lists in Digital Forensics, Available:  http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf, CCL Solutions Group Ltd: Stratford upon-Avon, UK

Eckstein, Robert & Casabianca, Michel(2001). XML Pocket Reference (2^nd edition). Sebastopol, CA:O’Reilly and Associates Inc.

Erack Network(2012). Xpath – predicates[Online}, Available:  http://www.tizag.com/xmlTutorial/xpathpredicate.php, [November 1, 2012]

Wikimedia Foundation(2012) Wikipedia: XML[Online], Available: http://en.wikipedia.org/wiki/XML, [October 30, 2012]

World Wide Web Consortium(2012) Extensible Markup Language Tutorial (XML)[Online], Available: http://www.w3schools.com/xml/ [October 24, 2012]

World Wide Web Consortium (2012) Extensible Markup Language (XML) [Online], Available: http://www.w3.org/XML/ [ October 24,  2012]

World Wide Web Consortium(2012) XPATH Tutorial, [Online], Available: http://www.w3schools.com/xpath/default.asp/ [October 28, 2012]

I will be concentrating on binary plists as this is the most common format encountered in iOS and will be using as a launch point the excellent paper ” Property Lists in Digital Forensics “by CCL Forensics’ Alex Caithness (you can find a link to the paper at the end of this post). My aim in the next few posts is to illuminate Caithness’ work and break it open in the hopes that it will be understandable to a wider audience.

I have to confess the motivation behind this was slightly selfish. I myself had some trouble following the work and once I had “cracked the code” so to speak, thought it might be useful for others to benefit from a more in-depth discussion of Alex’s work.

So without further fanfare – here is part three , that which concerns binary plists.

Binary Plists

Caithness points out in “Property Lists in Digital Forensics” that the binary plist is constructed of four distinct parts (Caithness, p 4). Further more he describes them in the order that he presents as the way to read the file for interpretation. I summarize his findings below.

The file starts out with a recognizable header. This header comprises the first eight bytes of the file and is the ASCII String “bplist00” (\x62\x70\x6C\x69\x73\x74\x30\x30) – which is the file format and the version.

The trailer of the file consists of the final 32 bytes. It contains data that is needed to read the file properly. The trailer will be discussed in detail later as we traverse a binary plist and read it.

The offset table – which will also be discussed later – is a table that contains the offsets – or locations within the file, which point to objects in the object table – meaning the data of the file.

The final part of the file as was mentioned above is the object table. This is the “meat” of the file, which contains the binary encoded data of each object or element in the plist. Like the trailer and offset table we will deal with the unique features of objects in a following section.

We will be using the bookmarks.plist file that is located here .

Finding the trailer on an existing plist is relatively straightforward. Since we know that the trailer is 32 bytes in length (Caithness p.4)- we can sweep the bytes from the end of the file until we reach a count of 32.

Location of Binary Plist Trailer

Now that I have located the trailer I like to copy and paste the selection into a new hex file so I can refer to its offsets in a separate window and do not have to keep moving back and forth in the file as is seen in the next image.

Binary Plist Trailer in separate file

We are now set to parse the trailer to locate its key elements and find the location of the offset table of the plist which will enable us to parse the the objects contained in the rest of the file.

The below table is a key to parsing out the file – this has been adapted from Alex Caithness’ table found on page 4 of “Property Lists in Digital Forensics”.

Binary plist trailer data

Now we will begin figuring out the parts of the trailer to read the rest of the file. I recommend recording the values on a sheet or in a file for easy reference.

• Read the offset to the offset table. Out table above tells us the location of the object offset table occurs at the 24^th offset in our trailer and runs for a length of eight bytes. Using our trailer that we copied out of the binary plist file (again this is supplied – link -) we can see that from offset 24 and running eight bytes we get the value of \x02\x89. This is decimal 649.

Offset to Offset Table

• Calculate the length of the offset table.  The length of the table is obtained by taking the “Size of integers” value located at offset six of the trailer and the number of the objects in the file located at offset eight in the file and running for eight bytes and multiplying the decimal values of these bytes to arrive at the length of the table.

Length of the Offset Table

• Find the offset table and block it off. Going to offset 649 – or \x0289 – sweep from that offset for 58 bytes. Then copy those values into a separate hex file for reading.

Location of Offset Table

Offset table

Our next step entails reading the offset table to find the location of our objects or data. We know that the offset table is a zero based index of the objects in the file, ie. The first object is the 0^th entry on the offset table, and the size of the offsets (encoded big endian) from the value at offset six of the trailer(\x02). Now we can look at the offset table and find the location of the first object in the object table. This will occur immediately after the file header(“bplist00”).

We see from the below that this is indeed the case as the offset table indicates the first object occurs at \x00\x08.

Size of integers, location of first object and first object data type

The offset table will be read again and again as we go through the objects of the file. Now we must turn our attention to interpreting the objects that are found at each offset that is specified in the offset table.

We have just found our first object at offset 8 in the bplist. The first byte of the object is known as a type-descriptor byte (Caithness p 5) and will hold the clue on how to read and interpret the object.

Reading and interpreting this first object will start us off on the next installment of our Plist, XML and XPATH Series. Until then, I hope that this series is proving informative in your forensic endeavors. I look forward to seeing you next week.

References

Apple Inc. (2012) Mac OS X Reference Library, Manual Page for PLIST(5), [Online], Available:https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man5/plist.5.html [October 23 2012]

Caithness, Alex (2010). Property Lists in Digital Forensics, Available:  http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf, CCL Solutions Group Ltd: Stratford upon-Avon, UK

Eckstein, Robert & Casabianca, Michel(2001). XML Pocket Reference (2^nd edition). Sebastopol, CA:O’Reilly and Associates Inc.

Erack Network(2012). Xpath – predicates[Online}, Available:  http://www.tizag.com/xmlTutorial/xpathpredicate.php, [November 1, 2012]

Wikimedia Foundation(2012) Wikipedia: XML[Online], Available: http://en.wikipedia.org/wiki/XML, [October 30, 2012]

World Wide Web Consortium(2012) Extensible Markup Language Tutorial (XML)[Online], Available: http://www.w3schools.com/xml/ [October 24, 2012]

World Wide Web Consortium (2012) Extensible Markup Language (XML) [Online], Available: http://www.w3.org/XML/ [ October 24,  2012]

World Wide Web Consortium(2012) XPATH Tutorial, [Online], Available: http://www.w3schools.com/xpath/default.asp/ [October 28, 2012]

Special XML Markups and Syntax Rules

When discussing XML basics we should also cover some special markup constructs that you may encounter.

<?xml…?> – As we have seen in the previous section, this is the XML declaration and can take attributes such as encoding or version

<!-…-> – This construct is for used for comments and anything occurring inside this construct is ignored.

- We have seen this before in DTD. This allows for the specification of the DTD. It takes two forms in general –  SYSTEM, which specifies the URI of a DTD for private use as in http://www.mygreatsite.com/dtd/mydoc.dtd”>, or PUBLIC. PUBLIC is used when the DTD has been publicized for widespread usage. We have seen a use of thePUBLIC specification in the Apple DTD above.

Finally we will conclude looking at XML with the rules for well formed XML

• All element attributes must have quotation marks
• All elements must have a closing tag
• XML tags are case sensitive
• XML elements must be properly nested

               Example incorrect - <b><i>This text is bold and italic</b></i>
               Example correct - <b><i>This text is bold and italic</i></b>

• XML Documents must have a root element (we will cover this in the next section)
• White space is preserved in XML
• XML stores a new line as a line feed

Tree Structure

XML documents must have a root element. The root element is considered the “parent” of all other elements. The elements form a tree that starts at the root element and branches out to the lowest level of the tree.

All the elements in the XML documents can have sub-elements

<root>
    <child>
       <subchild>.....</subchild>
    </child>
</root>

Let’s look at an example

Figure One: Example XML Tree

In the previous example, our root element is <bookstore>. Any <book> elements reside inside of the <bookstore> element. Looking at our <book> element we see that it has four children – <title>, <author>, <year> and <price>.

Notice in the screen capture that the root element (<bookstore> is called the “parent” as we stated before, the next element <book> is called the child and the children elements of <book> are called “siblings”. These concepts are important, as they will be discussed in our short introduction to XPATH – a language that can be used to find information in an XML document.

I hope this installment was useful to you in your forensic endeavors and research. Check back next week for the third installment.

References

Apple Inc. (2012) Mac OS X Reference Library, Manual Page for PLIST(5), [Online], Available:https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man5/plist.5.html [October 23 2012]

Caithness, Alex (2010). Property Lists in Digital Forensics, Available:  http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf, CCL Solutions Group Ltd: Stratford upon-Avon, UK

Eckstein, Robert & Casabianca, Michel(2001). XML Pocket Reference (2^nd edition). Sebastopol, CA:O’Reilly and Associates Inc.

Erack Network(2012). Xpath – predicates[Online}, Available:  http://www.tizag.com/xmlTutorial/xpathpredicate.php, [November 1, 2012]

Wikimedia Foundation(2012) Wikipedia: XML[Online], Available: http://en.wikipedia.org/wiki/XML, [October 30, 2012]

World Wide Web Consortium(2012) Extensible Markup Language Tutorial (XML)[Online], Available: http://www.w3schools.com/xml/ [October 24, 2012]

World Wide Web Consortium (2012) Extensible Markup Language (XML) [Online], Available: http://www.w3.org/XML/ [ October 24,  2012]

World Wide Web Consortium(2012) XPATH Tutorial, [Online], Available: http://www.w3schools.com/xpath/default.asp/ [October 28, 2012]

Well, I hope with this series to change that omission. At the end of the series, I’ll provide a link to all the posts gathered into one paper. Now without further ado, here is the first of the series on Plists, XML and XPATH.

What is XML?

Although the term XML is thrown around in forensic classes and seen as an option in for analysis output in many of the major forensic tools, how many examiners understand how XML is constructed and the rules that apply to it? As it turns out, XML isn’t all that hard to understand and having a grasp on how it’s used to store data is useful to understanding Plists and other files stored on digital devices – such as current.gpx on Garmin GPS units – which use the XML format.
Let’s look at the building blocks that make up XML and some of the rules that govern them.

Definition of XML

First, let’s define the term XML. XML stands for Extensible Markup Language. This language is an official recommendation of the World Wide Web Consortium (W3C). XML is a metalanguage that allows for the creation and formatting of documents; it is in common use on the Internet and the default of many office productivity suites including Microsoft Office and Apple iWork.

XML Terminology

Next, let’s discuss some terminology used in XML so we can understand when these terms are used in later discussions when we are looking at and reading plists. This is by no means all the terminology that is used in XML; rather these terms are covered here in order to give an examiner a working knowledge of items that may be encountered when working on XML formatted evidence.

Elements – XML is made up of one or more elements. Elements consist of two tags – an opening tag, which is the name of the tag delimited by a less-than sign (“”), and a closing tag, which is the same as the opening tag except that there is a forward slash (“/“) before the element name. An example of an element is MAC Address . The text inside the two tags is considered part of that element and is processed per the element’s rules.
Attribute – An element can have an attribute that serves to modify or refine the default meaning of the elements. Attributes can also be applied to empty elements which are used to provide non-texual content or give additional information to the application that is parsing through the XML. Here is an example of a picture element with the src attribute: . This could also be displayed as a short hand because the element is empty.
Declaration – Most XML documents begin by declaring information about themselves for a processing program as in the following example: . This would tell a parsing program that the XML document uses the Version 1.0 format and optimized for UTF-16 unicode encoding.
Document Type Definition (DTD) – This is an external file that specifies the rules for how all the elements, attributes and other data are defined and related. Below is Apple’s DTD for plists (also located at http://www.apple.com/DTDs/PropertyList-1.0.dtd)

Apple’s Plist DTD

Root Element - This is the outermost element to which the DTD applies and is usually the start and end points of the document. An example for a plist would be .
CDATA – This stands for “character data.” Anything that occurs after a CDATA section is not to be marked up and is treated as plain text.
PCDATA – This stands for “parsed character data” and means that any character data that is not an element can appear between the tags. In the above Apple DTD, means that any characters such as “WebbookmarkType” can show up between the key element tags but not another tag such as .

Keep checking back for regular updates to this series.

We are currently teaching the course in Veenendaal NL at Data Expert to groups from the Dutch Police. During the four classes Gary and I have been co-teaching he has developed a Perl script to reverse engineer and study SQLite records.

In its current iteration the parser will accept any binary file and scan it assuming it contains sqlite records. This means you can carve out sections of unallocated space containing possible SQLite record fragments and reverse engineer the structure. This is helpful for decoding orphan records.

The file is invoked as per the graphic below

You can download the perl script here-

http://www.box.com//static/flash/box_explorer.swf?widget_hash=03a008b39edbc68a093c&v=0&cl=0&s=0

I hope this helps you in your forensic quests.

M

Android defeated by JTAG

Way to go Bob and Co., thanks for sharing!