
How to Use Indexing in Searches with Forensic Explorer in Three Easy Steps

Index Searches with Forensic Explorer


I’ve been around the block a few times over the years with digital forensic tools. I’ve used all the major computer forensic tools and apps like XRY and Cellebrite for mobile forensics.

So I mean it when I say that Forensic Explorer may be the best-kept secret in digital forensics. Seriously.

The fully featured suite of tools packs all the punch of much higher-priced tools on the market for less than a third of the price (HUGE).

And it’s easier to use, which is good for an old forensic monkey like…um… me.

One of the powerful features built into Forensic Explorer is index searching; indexing has been a lifesaver for me on cases before. In this short how-to I will show you how to create an index in your case in Forensic Explorer and use it to search quickly for keywords. I hope you find the indexing feature as helpful in casework as I have.

Before we begin however you may be wondering – “What’s an Index?”.

That’s a fair question.

An index is like a database of text strings extracted from files or space on an evidence image. Forensic Explorer leverages the well-known and respected DTSearch engine to create and search such indexes.

Now that you have a basic understanding of what an index is, let’s move on to the three steps to using the Index Search module in Forensic Explorer: Setup, Create and Search.

 STEP ONE – SETUP

Creating an index in Forensic Explorer is a simple affair but – as in most things in life – there are some things to take into consideration prior to creating an index for searching.

The first thing you may wish to do is head over to the DTSearch site – http://bit.ly/1tkFJTt – and take a quick look at the file types DTSearch indexes. There is a better than average chance that most of what you are looking to index is covered there. This step is not necessary, but it is useful for understanding how the engine works and what to expect from it.

Forensic Explorer stores the indexes it creates at

C:\Program Files\Forensic Explorer %vX%\Cases\%case name%\DTSearchIndexes\index name\

Where %vX% is the version number and %case name% is the name you assigned the case. An index is typically about a quarter of the size of the files indexed, but the size varies widely with the number and kind of files, so examiners should make sure there is plenty of room on the examination medium for indexes.

There are some words so common that the software treats them as “noise”; in English, words such as “of” and “the” fall into this category. Forensic Explorer ignores noise words and does not index them. They are stored in a file called “noise.dat”, located – in Windows 8.1 – at C:\Program Files (x86)\GetData\Forensic Explorer %vX%\.

Other versions of Windows will store the noise.dat file in “Program Files\Get Data\Forensic Explorer” in the appropriate version number.

The noise.dat file is a plain text file editable with any text editor, such as Notepad. The words are not in any particular order, and wildcards such as “*” or “?” may be used. For an explanation of wildcards see the Webopedia entry at http://bit.ly/1oSFv6i or Google “wildcard in programming”.

When an index is created, Forensic Explorer stores a copy of noise.dat with that index. Later changes to the original noise.dat do not affect indexes already created, only those created afterwards.

As a final consideration before creating an index, the examiner may want to run basic recovery functions against the evidence first: recovering folders, file carving, decrypting files or expanding archives in formats that DTSearch does not handle on its own. Doing so lets Forensic Explorer see the recovered data as files, which is what the engine indexes.

 STEP TWO – CREATE

You have two options when you create an index in Forensic Explorer – index individual checked files in the File System, Email and Registry modules or index the entire case.

To index individually checked files, switch to the appropriate module (File System, Email or Registry), check the files you want indexed, and then go to the Index Search module.

Once in the Index Search module, whether indexing individual files or the entire case, click the “New Index” button, which brings up the New Index dialog shown below.

Figure: Creating a new index

You will need to name the index. Give it a name that describes the search task you are performing, such as “Bunny Lebowski Hits”. In the “Items to index” section, select the module whose items you wish to index: File System, Email or Registry.

Now select the second radio button, labelled “Checked Items”. It should not read “0 items, 0 bytes”; if it does, double-check that 1) you are on the module that holds the files you wish to index and 2) you have items checked in that module. Finally, if selecting individual files for indexing, make sure the box to include “Raw Devices, Partitions and Files” is checked.

Figure: Index Checked Items

If you are indexing the entire case, go to the Index Search module and keep the selection on the File System module. Remember that the “searchable items” are all the data that Forensic Explorer sees as files, which is why you may wish to run data recovery and carving before creating an index.

There is the option for indexing unallocated space when indexing the entire case. Simply check the box to enable this option. If you don’t know what unallocated space is, go to the Center for Computer Forensics at http://bit.ly/1kprEkK for a detailed explanation.

For me indexing unallocated space while time consuming on the front end is a huge help. In the past, I’ve used regular expressions to search these areas and while these are extremely effective, they are nowhere near as fast as searching an index.

Figure: Indexing an Entire Case

Whether you are indexing a selection of files or the entire case, you also have the option of having file slack indexed via the additional options checkbox. Again, for an explanation of file slack see the Center For Computer Forensics at http://bit.ly/1jDUQpx.

After making sure you are indexing what you want, press “OK” and Forensic Explorer will begin creating the index. FEX shows the running index creation task both in the Indexes window and in the process list at the bottom left of the program.

Figure: Running Index

Figure: Index Process Running

Once Forensic Explorer has finished creating the index, it is available for searching in the Indexes window.

Figure: Finished Indexes

 STEP THREE – SEARCH

To search an index, check the box next to the index you want to search, then type the word you want to find into the text box next to the Search button.

Forensic Explorer will begin to automagically fill in matching terms. For each it displays the word as it appears in the index, the number of times the word occurs across the index (the “Word Count”) and the number of documents in which the word occurs (the “Doc Count”).

Figure: Basic Index Search

To see the results of the search, double-click the word in the results window. Forensic Explorer then lists the hits in the Index Results pane. To explore a hit further, select it in the results pane; Forensic Explorer highlights the selection in yellow in the Search Hits pane below the Index Results pane.

Figure: Search Hits

That’s it! Easy huh? From the Search Hits pane, you can look through more hits or bookmark interesting results.

SEARCH TIPS

The last thing I want to cover are some tips to aid you in searching the index you have created. I’ve used each of these – and combinations of these – in my casework with Forensic Explorer and I hope you can make good use of them too.

In the Search Hits pane, you can scroll through the highlighted hits by clicking on the marker arrows displayed in the upper left of the pane.

Figure: Search Marker Arrows

Forensic Explorer also has three options for searching an index that can be chosen by selecting the option located below the search box. The options are as follows.

Stemming

This option also finds other grammatical forms of the word you searched for; for instance, a search for “lift” with stemming applied also finds “lifting”. Custom stemming rules can be added by editing the stemming.dat file located at “C:\Program Files (x86)\GetData\Forensic Explorer %vX%”. You may also find more information on stemming on the DTSearch site at http://bit.ly/1lRlfwT.

Phonetic Searching

This option when selected searches for words that sound similar to the one searched for – for instance a search of “plane” with the phonetic search option selected will also find “plain”.

Fuzzy Search

This option tolerates typographical and scanning errors in the indexed text by also matching words that differ from the search term by a few characters.

These options are not mutually exclusive; any combination of them, up to all three, can be enabled for a search.

Boolean Searches

Within the text search box Forensic Explorer allows Boolean expressions (see http://bit.ly/RV2cc0) in index searches, connecting words or phrases. For instance, a search of “Carlos and package” requires that both words be present for there to be an index hit. For more information on using Boolean searches with Forensic Explorer, see the DTSearch site at http://bit.ly/1mZpWaX.

Wild Cards

Finally, you can use the following wildcards in your index searches:

  • *   matches any number of characters
  • ?   matches any single character
  • =   matches any single digit

The wildcards can be used anywhere in the word being searched. For instance, “kill*” matches “kills”, “killed” or “killing”. For more information on wildcards and how to use them in Forensic Explorer, see the DTSearch site at http://bit.ly/1mZpWaX.
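To make the noise-word, Word Count/Doc Count, Boolean and wildcard behaviour described above concrete, here is a small Python model of an index search. It is an added example, not code from the original post, from Forensic Explorer or from dtSearch: it tokenizes a few constructed sample documents, drops words from a made-up noise list, reports the total occurrences and the number of documents for every indexed word that matches a pattern, and supports the “*”, “?” and “=” wildcards and a Boolean AND. The document texts and noise list are invented for the example; the shipped noise.dat and dtSearch's own tokenization rules differ.

```python
import re
from collections import Counter, defaultdict

# Constructed sample documents standing in for indexed files (not real evidence).
DOCS = {
    "chat_log.txt": "Carlos said the package is with Bunny. Bunny lifted the package at 10:15.",
    "notes.txt": "Plan: Carlos lifts the package, Bunny killed the lights. Killing time until 1999.",
    "readme.txt": "The plane was plain and the package of the day is 42.",
}

# A short noise list in the spirit of noise.dat (assumption: the shipped file differs).
NOISE_WORDS = {"the", "of", "and", "is", "at", "a", "was", "with"}

WORD_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(text):
    """Lower-case word tokens; punctuation splits words, so 10:15 becomes 10 and 15."""
    return [w.lower() for w in WORD_RE.findall(text)]


def build_index(docs, noise=NOISE_WORDS):
    """Inverted index {word: Counter({doc: occurrences})}; noise words are not indexed."""
    index = defaultdict(Counter)
    for name, text in docs.items():
        for word in tokenize(text):
            if word not in noise:
                index[word][name] += 1
    return index


def wildcard_to_regex(pattern):
    """Translate the three wildcards: * any run of characters, ? one character, = one digit."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "=":
            parts.append(r"\d")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def lookup(index, pattern):
    """[(word, word_count, doc_count)] for every indexed word matching the pattern:
    word_count is the total occurrences, doc_count the number of documents containing it."""
    rx = wildcard_to_regex(pattern)
    return [(w, sum(index[w].values()), len(index[w])) for w in sorted(index) if rx.match(w)]


def docs_with_all(index, *patterns):
    """Boolean AND: documents in which every pattern matches at least one indexed word."""
    result = None
    for pattern in patterns:
        rx = wildcard_to_regex(pattern)
        docs = {d for w, per_doc in index.items() if rx.match(w) for d in per_doc}
        result = docs if result is None else result & docs
    return sorted(result or [])


INDEX = build_index(DOCS)

if __name__ == "__main__":
    for query in ("package", "kill*", "b?nny", "====", "the"):
        print(query, lookup(INDEX, query))
    print("carlos AND package ->", docs_with_all(INDEX, "carlos", "package"))
```

Two things the model makes visible: a query for a noise word such as “the” returns nothing at all, because the word was never written to the index, and “====” finds only four-digit tokens, so a single-digit wildcard is a cheap way to hunt for years or PINs without a regular expression.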

In this article I showed you how to create an index within a case in Forensic Explorer and search it quickly for keywords in three easy steps. Along the way we looked at advanced index search options such as stemming and wildcards.

Forensic Explorer is an amazing new tool; with its full forensic suite and affordable price, it has become my go-to Windows forensic application. Don’t miss out on it. If you haven’t already tried it, go and grab an evaluation copy at http://bit.ly/1oH1Xgr.

I hope you found this short how-to useful. If you did, drop me a line at linuxchimp-at-gmail-dot-com and let me know. I’d love to share some more reviews of FEX features and how-to’s for everyone.

I wish everyone the best in their forensic endeavours!


Photo Credit: _Untitled-1 via photopin cc

Mea Culpa – mobile forensics & 64 bit does work…

Dear Reader –

I apologize. I didn’t mention in my post on Windows 8 64 bit that I was running PA/XRY in a virtual machine. Nor did I mention that my 32 bit XP box (in which XRY/PA worked just fine) was also a VM.

I apologize as well that I failed to follow up yesterday and post that I successfully installed Windows 7 Ultimate 64 bit in a VM and got both PA and XRY Complete to run just fine.

As Jansen Cohoon of Micro Systemation pointed out to me on Twitter he has Win 8 64 bit and XRY working fine on a dedicated Windows box.

I should have been more explicit in my post and mentioned the VMs. I should have followed up. I also should have been more scientific in my trouble shooting.

I got frustrated and ran out of time for my testing… but that’s a cop-out. I owe it to you all to be more thorough.

So I’ll test it all again on the VM and again test it on some dedicated boxes when I can get my hands on them (they are being used in a course).

Thank you to those who pointed out my mistakes. I’d like to hear from people if they are also having problems using Win 8 in a VM. I know a lot of us use VMs for forensics. Perhaps my host needs some more TLC!

To recap :

  • I was using a 64 bit Win 8 VM when I couldn’t get XRY/PA to work.
  • My 32 bit XP VM runs PA and XRY just fine
  • My 64 bit Win 7 VM runs XRY and PA without a hitch
  • Test and validate!

Sincerely,

Mike

P.S. Always follow your own advice 😉

Win 8 64 Bit? No can do!

Well, I just wasted hours of my life that I’ll never get back.

“But Mike,” you say concerned, “Whatever do you mean? How can I help?”

Thanks for the offer but there is nothing you can do – unless of course you have a DeLorean and a Flux Capacitor.

You see, I foolishly tried to install a copy of Windows 8 64 bit as my OS to use with Cellebrite’s Physical Analyzer and MSAB’s XRY Complete. And I got…bubkes.

Oh the software seemed to run right, yes indeedy. But the dongles wouldn’t work. Neither WIBU nor HASP.

“Mike, did you check to see if Win 8 was supported by Cellebrite or MSAB?”

Grrr…No.

I thought I’d give it a shot. I wanted it to work. I figured as long as I was updating my wheezy XP box, I’d go to the latest OS….

…and I got burned. No soup for me.

Ahh, well at least I’m a good example. Three things, though:

1. Dongle vendors UPDATE YOUR DRIVERS

2. DON’T TRY TO USE WIN 8 for PA or XRY (yet!)

3. Don’t be like me – RTFM!

Have a good one 😉

Has RIM gasped its last?

I was just in the Netherlands – and I got to enjoy SinterKlaas! – and the police there are still very interested in BlackBerry investigations. In fact, I think this is true for the UK and Europe. But here in the States we seem to have moved on – and I’m so sick of the pundits who are making their living pontificating on BlackBerry 10.

It’s time to settle this with a poll. So, what do you think?

Plists, XML and XPATH – A Series Pt. 4

Greetings from Veenendaal NL! While most of my colleagues from the Amsterdam Police are enjoying SinterKlaas, I thought I would post the next installment in my series on Plists, XML and XPATH.

In this installment we continue to break open the reverse engineering of Alex Caithness’ paper “Property Lists in Digital Forensics”. In our last installment we ended just before looking at the type descriptor byte of our first object.

Figure: Data Type Descriptors

We see that the first byte of our first object is \xD4. In binary that is 1101 0100. Our table tells us that the high nibble (D) marks a dictionary, a collection of key-value pairs, and that the low nibble (4) gives the number of key-value pairs present. Since they are pairs, we double that to get the number of object references that follow: 8. Looking at our bplist file we see that this is indeed true.

Figure: Dictionary collection object references

Immediately after the \xD4 byte come the dictionary’s eight object references, one byte each (the reference size from offset 7 of the trailer). The first is \x01, which is an index into the offset table: the dictionary itself was entry 0, so its first key is entry 1. Entry 1 of the offset table holds \x00\x11, decimal 17.

Figure: Offset to first object reference of dictionary

Going to offset 17 we see \x5F, which in binary is 0101 1111. Our table indicates that the high nibble (5) marks an ASCII string, and the low nibble (F) means the length did not fit in the nibble, so an integer object follows giving the length. That next byte is \x10, or 0001 0000: the high nibble marks an integer and the low nibble gives its width as 2^nnnn bytes, here 2^0 = 1. The length is therefore the single byte that follows, \x0F, decimal 15. Sweeping fifteen bytes after it we find the string “WebBookmarkType”.

Figure: ASCII representation of first object reference

Let’s verify our findings another way. Let’s look at the binary plist decoded into XML to see if our work with the hex is correct. Here we see that the first object is indeed a dictionary and that the first object of the dictionary is a key called “WebBookmarkType”. So far so good!

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>  -> Our first object at the 0th position of the offset table.
    <key>WebBookmarkType</key>  -> The first object of the dictionary collection. This was found at the first 
                                   position of the offset table as indicated by the dictionary object 
                                   reference.

Moving on, the dictionary’s second object reference is \x02, pointing at entry 2 of the offset table. The value there is \x00\x23, decimal 35. At that offset we find another string marker, \x5F. Reading the next two bytes, \x10 for the integer marker and \x0F for the length (again 15), we can sweep for our string value, in this instance “WebBookmarkUUID”.

Figure: Second object reference

Figure: ASCII representation of second object reference

Let’s again check our converted bplist to see if we got it right.

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>
    <key>WebBookmarkType</key>  
    <string>WebBookmarkTypeList</string>
    <key>WebBookmarkUUID</key>


Hey wait a second, <string>WebBookmarkTypeList</string> follows “WebBookmarkType”!

No, you haven’t parsed the hex incorrectly. In a dictionary object all of the key references come first, followed by all of the value references in the same order, so the values appear in the hex only after every key has been identified. Don’t believe me? OK you Philistines, check out entry 5 of the offset table (remember that it’s zero based, so count to five starting at zero). Did you find \x00\x57 (decimal 87)? Good. Now jump back to the bplist and find offset 87. You should see a \x5F (by now you should guess that it’s a string), followed by the integer marker \x10 and then the length \x13, decimal 19, the length of the string in bytes. Now sweep 19 bytes. Did you find “WebBookmarkTypeList”?

Figure: Offset to fifth object reference

Figure: ASCII representation of fifth object reference

Recalling the XML conversion of the bplist: is “WebBookmarkTypeList” the string value of the key “WebBookmarkType”? You betcha it is!

<?xml version="1.0" encoding="utf-16"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
  <dict>
    <key>WebBookmarkType</key>  
    <string>WebBookmarkTypeList</string>
    <key>WebBookmarkUUID</key>


This pattern repeats for each of the key-value pairs in the dictionary until we reach the fourth key. Remember that the value paired with a key may itself be another collection, and that is exactly what we find as the fourth value of the topmost dictionary.

Our examination of the fourth object of the topmost dictionary will start us off on the next installment of our series. Until then, I wish you all the best in your forensic endeavors and a very good SinterKlaas!

References

Apple Inc. (2012) Mac OS X Reference Library, Manual Page for PLIST(5), [Online], Available:https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man5/plist.5.html [October 23 2012]

Caithness, Alex (2010). Property Lists in Digital Forensics, Available:  http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf, CCL Solutions Group Ltd: Stratford upon-Avon, UK

Eckstein, Robert & Casabianca, Michel(2001). XML Pocket Reference (2nd edition). Sebastopol, CA:O’Reilly and Associates Inc.

Erack Network (2012). XPath – predicates [Online], Available: http://www.tizag.com/xmlTutorial/xpathpredicate.php, [November 1, 2012]

Wikimedia Foundation(2012) Wikipedia: XML[Online], Available: http://en.wikipedia.org/wiki/XML, [October 30, 2012]

World Wide Web Consortium(2012) Extensible Markup Language Tutorial (XML)[Online], Available: http://www.w3schools.com/xml/ [October 24, 2012]

World Wide Web Consortium (2012) Extensible Markup Language (XML) [Online], Available: http://www.w3.org/XML/ [ October 24,  2012]

World Wide Web Consortium(2012) XPATH Tutorial, [Online], Available: http://www.w3schools.com/xpath/default.asp/ [October 28, 2012]

Plists, XML and XPATH – A Series Pt. 3

Having done a cursory overview of XML, I’d like to turn my attention to property lists, or plists as they are commonly known. Plists, according to Wikipedia (http://en.wikipedia.org/wiki/Property_list), are files used to store serialized objects, that is, data. Very often they store application and user settings. They are a rich source of forensic data that is, at least in my opinion, little understood and under-exploited.

I will be concentrating on binary plists, as this is the format most commonly encountered in iOS, and will be using as a launch point the excellent paper “Property Lists in Digital Forensics” by CCL Forensics’ Alex Caithness (you can find a link to the paper at the end of this post). My aim in the next few posts is to illuminate Caithness’ work and break it open in the hope that it will be understandable to a wider audience.

I have to confess the motivation behind this was slightly selfish. I myself had some trouble following the work and once I had “cracked the code” so to speak, thought it might be useful for others to benefit from a more in-depth discussion of Alex’s work.

So without further fanfare, here is part three, which concerns binary plists.

Binary Plists


Caithness points out in “Property Lists in Digital Forensics” that a binary plist is constructed of four distinct parts (Caithness, p. 4). Furthermore, the order in which he presents them is the order in which the file is read for interpretation. I summarize his findings below.

The file starts with a recognizable header: the first eight bytes are the ASCII string “bplist00” (\x62\x70\x6C\x69\x73\x74\x30\x30), the format name followed by the two-digit version.

The trailer of the file consists of the final 32 bytes. It contains data that is needed to read the file properly. The trailer will be discussed in detail later as we traverse a binary plist and read it.

The offset table, which will also be discussed later, holds the offsets (locations within the file) of the objects in the object table, that is, of the file’s data.

The final part of the file as was mentioned above is the object table. This is the “meat” of the file, which contains the binary encoded data of each object or element in the plist. Like the trailer and offset table we will deal with the unique features of objects in a following section.

We will be using the bookmarks.plist file that is located here.

Finding the trailer in an existing plist is straightforward. Since we know that the trailer is 32 bytes long (Caithness, p. 4), we can count 32 bytes back from the end of the file.

Figure: Location of Binary Plist Trailer

Once I have located the trailer I like to copy and paste the selection into a new hex file, so that I can refer to its offsets in a separate window and do not have to keep moving back and forth in the file, as seen in the next image.

Figure: Binary Plist Trailer in separate file

We are now set to parse the trailer, locate its key elements and find the location of the plist’s offset table, which will enable us to parse the objects contained in the rest of the file.

The table below is a key to parsing the trailer; it has been adapted from Alex Caithness’ table on page 4 of “Property Lists in Digital Forensics”.

Interpreted data                                      Offset in trailer   Length (bytes)   Data type
Size of integers in the offset table (bytes)          6                   1                8-bit unsigned integer
Size of collection object reference integers (bytes)  7                   1                8-bit unsigned integer
Number of objects in the file                         8                   8                64-bit unsigned integer (big endian)
Index of the beginning (top) object                   16                  8                64-bit unsigned integer (big endian)
Offset of the object offset table                     24                  8                64-bit unsigned integer (big endian)

Table: Binary plist trailer data

Now we will begin figuring out the parts of the trailer to read the rest of the file. I recommend recording the values on a sheet or in a file for easy reference.

  • Read the offset to the offset table. Our table above tells us that the location of the object offset table is stored at offset 24 of the trailer and runs for eight bytes. In the trailer we copied out of the binary plist (again, the file supplied with this post), those eight bytes end in \x02\x89, which is decimal 649.

Figure: Offset to Offset Table

  • Calculate the length of the offset table. Multiply the “Size of integers” value at offset 6 of the trailer (one byte, here \x02) by the “Number of objects” value at offset 8 (eight bytes, here 29). The product, 2 × 29 = 58 bytes, is the length of the table.

Figure: Length of the Offset Table

  • Find the offset table and block it off. Go to offset 649 (\x0289), sweep 58 bytes from there, and copy those bytes into a separate hex file for reading.

Figure: Location of Offset Table

Figure: Offset table

Our next step is to read the offset table to find the location of our objects, the data. The offset table is a zero-based index of the objects in the file (the first object is entry 0), and each entry is an offset into the file, encoded big endian, whose width is given by the value at offset 6 of the trailer (\x02, so two bytes per entry). Now we can look up the location of the first object in the object table. It occurs immediately after the file header (“bplist00”).

We see from the below that this is indeed the case as the offset table indicates the first object occurs at \x00\x08.

Figure: Size of integers, location of first object and first object data type

The offset table will be read again and again as we go through the objects of the file. Now we must turn our attention to interpreting the objects that are found at each offset that is specified in the offset table.

We have just found our first object at offset 8 in the bplist. The first byte of the object is known as the type-descriptor byte (Caithness, p. 5) and holds the clue to how the object is to be read and interpreted.

Reading and interpreting this first object will start us off on the next installment of our Plist, XML and XPATH Series. Until then, I hope that this series is proving informative in your forensic endeavors. I look forward to seeing you next week.
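As an added example, not part of this series or of Caithness’ paper, here is a Python reader that performs the walk described in Part 3 (header, trailer, offset table) and in Part 4 (type-descriptor bytes, the length-follows nibble, dictionary key references followed by value references) on a binary plist. Because bookmarks.plist is not embedded here, the script serialises a constructed bookmarks-like dictionary with the standard library’s plistlib and then parses the resulting bytes by hand; the keys in SAMPLE are chosen to mirror the post, and the result is checked against plistlib.loads. Only the object types met in the series (dictionary, array, ASCII and UTF-16 strings, integers, booleans) are handled.

```python
import plistlib
import struct

# Constructed sample, chosen to mirror the keys seen in the post. It stands in for
# bookmarks.plist, which is not embedded here. plistlib (stdlib) writes it as bplist00.
SAMPLE = {
    "WebBookmarkType": "WebBookmarkTypeList",
    "WebBookmarkUUID": "1E3A8D3F-0000-4000-8000-000000000001",
    "Title": "Bookmarks",
    "Children": [{"Title": "Apple", "URLString": "http://www.apple.com/", "Visits": 300}],
}
BPLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)


def read_trailer(data):
    """Last 32 bytes: 6 unused bytes, then offset-int size (trailer offset 6),
    object-ref size (7), object count (8), top object index (16) and the offset of
    the offset table (24). The three Q values are 64-bit big endian."""
    if data[:8] != b"bplist00":
        raise ValueError("missing bplist00 header")
    return struct.unpack(">6xBBQQQ", data[-32:])


def read_offset_table(data, off_size, num_objects, table_off):
    """num_objects entries of off_size bytes each, big endian; entry i is the file
    offset of object i."""
    return [int.from_bytes(data[p:p + off_size], "big")
            for p in range(table_off, table_off + off_size * num_objects, off_size)]


def read_count(data, pos, low):
    """Length / element count of the object whose marker sits at pos. The low nibble
    holds it unless it is 0xF, in which case an int object (marker 0x1n, 2^n bytes)
    follows the marker. Returns (count, offset of the first payload byte)."""
    if low != 0xF:
        return low, pos + 1
    int_marker = data[pos + 1]
    if int_marker >> 4 != 0x1:
        raise ValueError(f"expected int marker at offset {pos + 1}")
    width = 1 << (int_marker & 0xF)
    start = pos + 2
    return int.from_bytes(data[start:start + width], "big"), start + width


def read_ref(data, pos, ref_size):
    return int.from_bytes(data[pos:pos + ref_size], "big")


def read_object(data, offsets, ref_size, idx):
    """Decode object idx by its type-descriptor byte (high nibble = type)."""
    pos = offsets[idx]
    marker = data[pos]
    high, low = marker >> 4, marker & 0xF
    if marker in (0x08, 0x09):                      # booleans
        return marker == 0x09
    if high == 0x1:                                 # int, 2^low bytes
        width = 1 << low
        return int.from_bytes(data[pos + 1:pos + 1 + width], "big", signed=width >= 8)
    if high == 0x5:                                 # ASCII string, count = bytes
        n, start = read_count(data, pos, low)
        return data[start:start + n].decode("ascii")
    if high == 0x6:                                 # UTF-16BE string, count = chars
        n, start = read_count(data, pos, low)
        return data[start:start + 2 * n].decode("utf-16-be")
    if high == 0xA:                                 # array: n object refs
        n, start = read_count(data, pos, low)
        return [read_object(data, offsets, ref_size, read_ref(data, start + i * ref_size, ref_size))
                for i in range(n)]
    if high == 0xD:                                 # dict: n key refs, then n value refs
        n, start = read_count(data, pos, low)
        refs = [read_ref(data, start + i * ref_size, ref_size) for i in range(2 * n)]
        return {read_object(data, offsets, ref_size, k): read_object(data, offsets, ref_size, v)
                for k, v in zip(refs[:n], refs[n:])}
    raise NotImplementedError(f"marker 0x{marker:02X} at offset {pos}")


def parse_bplist(data):
    off_size, ref_size, num_objects, top, table_off = read_trailer(data)
    offsets = read_offset_table(data, off_size, num_objects, table_off)
    return read_object(data, offsets, ref_size, top)


def top_object_info(data):
    """(type name, low nibble) of the top object's descriptor byte, e.g. ('dict', 4)
    for a \\xD4 byte like the one discussed in Part 4."""
    off_size, ref_size, num_objects, top, table_off = read_trailer(data)
    offsets = read_offset_table(data, off_size, num_objects, table_off)
    marker = data[offsets[top]]
    names = {0x1: "int", 0x5: "ascii", 0x6: "utf16", 0xA: "array", 0xD: "dict"}
    return names.get(marker >> 4, "other"), marker & 0xF


def matches_stdlib(data):
    return parse_bplist(data) == plistlib.loads(data)


if __name__ == "__main__":
    print(read_trailer(BPLIST))
    print(top_object_info(BPLIST), parse_bplist(BPLIST))
```

Because SAMPLE has four keys, the top object’s descriptor comes out as \xD4, exactly the byte the series walks through, and the dictionary payload is laid out as four key references followed by four value references. When pointing this at a real plist, remember that the offset-int and object-ref widths come from the trailer and are not always 2 and 1 as in the post’s file.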


Plists, XML and XPATH – A Series Pt. 2

Here is the second installment of the series that came out of my research into Plists. I should have placed a references section at the end of the first post – I apologize for not including that. It will appear at the end of this post and all subsequent ones as well. Without further ado, here is part two in which we continue our brief overview of XML.

Special XML Markups and Syntax Rules

When discussing XML basics we should also cover some special markup constructs that you may encounter.

<?xml…?> – As we saw in the previous section, this is the XML declaration; it can carry attributes such as version or encoding.

<!-- … --> – This construct is used for comments; anything inside it is ignored by the parser.

<!DOCTYPE…> – We have seen this before, in the discussion of the DTD. It allows the DTD to be specified and takes two forms in general: SYSTEM, which gives the URI of a DTD for private use, as in SYSTEM "http://www.mygreatsite.com/dtd/mydoc.dtd", or PUBLIC, which is used when the DTD has been published for widespread use. We saw a use of the PUBLIC form in the Apple DTD above.

Finally, we will conclude our look at XML with the rules for well-formed XML:

  • All attribute values must be quoted
  • All elements must have a closing tag
  • XML tags are case sensitive
  • XML elements must be properly nested
               Example incorrect - <b><i>This text is bold and italic</b></i>
               Example correct - <b><i>This text is bold and italic</i></b>
  • XML documents must have a root element (we will cover this in the next section)
  • White space is preserved in XML
  • XML stores a new line as a line feed (LF)

Tree Structure

XML documents must have a root element. The root element is considered the “parent” of all other elements. The elements form a tree that starts at the root element and branches out to the lowest level of the tree.

All elements in an XML document can have sub-elements:

<root>
    <child>
       <subchild>.....</subchild>
    </child>
</root>

Let’s look at an example.

Figure One: Example XML Tree

In the previous example, our root element is <bookstore>. Any <book> elements reside inside of the <bookstore> element. Looking at our <book> element we see that it has four children – <title>, <author>, <year> and <price>.

Notice in the screen capture that the root element <bookstore> is the “parent”, as we said before; the <book> element beneath it is its “child”; and the four elements under <book> are “siblings” of one another. These concepts are important, as they will come up in our short introduction to XPATH, a language that can be used to find information in an XML document.
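As an added example that is not part of the original post, the following Python script (standard library only) lets the parser in xml.etree check the well-formedness rules listed above and then walks a bookstore tree like the one just described, using the parent/child/sibling vocabulary and a literal XPath location path. The bookstore document and the broken fragments are constructed for the example and do not reproduce the post’s screenshot.

```python
import xml.etree.ElementTree as ET

# Constructed bookstore document following the tree described in the post.
BOOKSTORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
  <book category="forensics">
    <title>Property Lists in Digital Forensics</title>
    <author>Alex Caithness</author>
    <year>2010</year>
    <price>0.00</price>
  </book>
  <book category="reference">
    <title>XML Pocket Reference</title>
    <author>Robert Eckstein</author>
    <year>2001</year>
    <price>9.95</price>
  </book>
</bookstore>
"""

# Constructed fragments that each break one well-formedness rule.
BAD_NESTING = "<b><i>This text is bold and italic</b></i>"   # improper nesting
BAD_CASE = "<Root>case matters</root>"                       # tags are case sensitive
BAD_ATTR = "<book category=forensics/>"                      # attribute value not quoted


def is_well_formed(xml_text):
    """Let the parser decide: ElementTree raises ParseError for mis-nesting,
    unquoted attribute values, missing closing tags and case mismatches alike."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def family(xml_text):
    """The tree vocabulary: the root, its children, and the siblings that live
    under the first child."""
    root = ET.fromstring(xml_text)
    first_child = root[0]
    return {
        "root": root.tag,
        "children_of_root": [c.tag for c in root],
        "siblings_under_first_child": [s.tag for s in first_child],
    }


def reference_authors(xml_text):
    """A location path with an attribute predicate, the XPath subset ElementTree
    supports. The path is a literal; never build one from untrusted input."""
    root = ET.fromstring(xml_text)
    return [a.text for a in root.findall("./book[@category='reference']/author")]


def titles_after(xml_text, year):
    """ElementTree's XPath subset has no numeric comparison, so the [year > N]
    predicate is applied in Python after selecting every <book>."""
    root = ET.fromstring(xml_text)
    return [b.findtext("title") for b in root.findall("./book")
            if int(b.findtext("year")) > year]


if __name__ == "__main__":
    for fragment in (BAD_NESTING, BAD_CASE, BAD_ATTR):
        print(is_well_formed(fragment), fragment)
    print(family(BOOKSTORE_XML))
    print(reference_authors(BOOKSTORE_XML), titles_after(BOOKSTORE_XML, 2005))
```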

I hope this installment was useful to you in your forensic endeavors and research. Check back next week for the third installment.
