Plists, XML and XPATH – A Series Pt. 2

Here is the second installment of the series that came out of my research into Plists. I should have placed a references section at the end of the first post – I apologize for not including that. It will appear at the end of this post and all subsequent ones as well. Without further ado, here is part two in which we continue our brief overview of XML.

Special XML Markups and Syntax Rules

When discussing XML basics we should also cover some special markup constructs that you may encounter.

<?xml…?> – As we have seen in the previous section, this is the XML declaration and can take attributes such as encoding or version

<!-…-> – This construct is for used for comments and anything occurring inside this construct is ignored.

– We have seen this before in DTD. This allows for the specification of the DTD. It takes two forms in general –  SYSTEM, which specifies the URI of a DTD for private use as in”>, or PUBLIC. PUBLIC is used when the DTD has been publicized for widespread usage. We have seen a use of thePUBLIC specification in the Apple DTD above.

Finally we will conclude looking at XML with the rules for well formed XML

  • All element attributes must have quotation marks
  • All elements must have a closing tag
  • XML tags are case sensitive
  • XML elements must be properly nested
               Example incorrect - <b><i>This text is bold and italic</b></i>
               Example correct - <b><i>This text is bold and italic</i></b>
  • XML Documents must have a root element (we will cover this in the next section)
  • White space is preserved in XML
  • XML stores a new line as a line feed

Tree Structure

XML documents must have a root element. The root element is considered the “parent” of all other elements. The elements form a tree that starts at the root element and branches out to the lowest level of the tree.

All the elements in the XML documents can have sub-elements


Let’s look at an example

Example XML Tree

Figure One: Example XML Tree

In the previous example, our root element is <bookstore>. Any <book> elements reside inside of the <bookstore> element. Looking at our <book> element we see that it has four children – <title>, <author>, <year> and <price>.

Notice in the screen capture that the root element (<bookstore> is called the “parent” as we stated before, the next element <book> is called the child and the children elements of <book> are called “siblings”. These concepts are important, as they will be discussed in our short introduction to XPATH – a language that can be used to find information in an XML document.

I hope this installment was useful to you in your forensic endeavors and research. Check back next week for the third installment.


Apple Inc. (2012) Mac OS X Reference Library, Manual Page for PLIST(5), [Online], Available: [October 23 2012]

Caithness, Alex (2010). Property Lists in Digital Forensics, Available:, CCL Solutions Group Ltd: Stratford upon-Avon, UK

Eckstein, Robert & Casabianca, Michel(2001). XML Pocket Reference (2nd edition). Sebastopol, CA:O’Reilly and Associates Inc.

Erack Network(2012). Xpath – predicates[Online}, Available:, [November 1, 2012]

Wikimedia Foundation(2012) Wikipedia: XML[Online], Available:, [October 30, 2012]

World Wide Web Consortium(2012) Extensible Markup Language Tutorial (XML)[Online], Available: [October 24, 2012]

World Wide Web Consortium (2012) Extensible Markup Language (XML) [Online], Available: [ October 24,  2012]

World Wide Web Consortium(2012) XPATH Tutorial, [Online], Available: [October 28, 2012]