Here is the second installment of the series that came out of my research into Plists. I should have placed a references section at the end of the first post – I apologize for not including that. It will appear at the end of this post and all subsequent ones as well. Without further ado, here is part two in which we continue our brief overview of XML.
When discussing XML basics we should also cover some special markup constructs that you may encounter.
<?xml…?> – As we have seen in the previous section, this is the XML declaration and can take attributes such as encoding or version
<!-…-> – This construct is for used for comments and anything occurring inside this construct is ignored.
– We have seen this before in DTD. This allows for the specification of the DTD. It takes two forms in general – SYSTEM, which specifies the URI of a DTD for private use as in http://www.mygreatsite.com/dtd/mydoc.dtd”>, or PUBLIC. PUBLIC is used when the DTD has been publicized for widespread usage. We have seen a use of thePUBLIC specification in the Apple DTD above.
Finally we will conclude looking at XML with the rules for well formed XML
- All element attributes must have quotation marks
- All elements must have a closing tag
- XML tags are case sensitive
- XML elements must be properly nested
Example incorrect - <b><i>This text is bold and italic</b></i> Example correct - <b><i>This text is bold and italic</i></b>
- XML Documents must have a root element (we will cover this in the next section)
- White space is preserved in XML
- XML stores a new line as a line feed
XML documents must have a root element. The root element is considered the “parent” of all other elements. The elements form a tree that starts at the root element and branches out to the lowest level of the tree.
All the elements in the XML documents can have sub-elements
<root> <child> <subchild>.....</subchild> </child> </root>
Let’s look at an example
In the previous example, our root element is <bookstore>. Any <book> elements reside inside of the <bookstore> element. Looking at our <book> element we see that it has four children – <title>, <author>, <year> and <price>.
Notice in the screen capture that the root element (<bookstore> is called the “parent” as we stated before, the next element <book> is called the child and the children elements of <book> are called “siblings”. These concepts are important, as they will be discussed in our short introduction to XPATH – a language that can be used to find information in an XML document.
I hope this installment was useful to you in your forensic endeavors and research. Check back next week for the third installment.
Apple Inc. (2012) Mac OS X Reference Library, Manual Page for PLIST(5), [Online], Available:https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man5/plist.5.html [October 23 2012]
Caithness, Alex (2010). Property Lists in Digital Forensics, Available: http://www.cclgroupltd.com/images/property%20lists%20in%20digital%20forensics%20new.pdf, CCL Solutions Group Ltd: Stratford upon-Avon, UK
Eckstein, Robert & Casabianca, Michel(2001). XML Pocket Reference (2nd edition). Sebastopol, CA:O’Reilly and Associates Inc.
Erack Network(2012). Xpath – predicates[Online}, Available: http://www.tizag.com/xmlTutorial/xpathpredicate.php, [November 1, 2012]