Understanding .plist Files (Property List Files)
.plist files in macOS are like the registry in Windows. They store important configuration settings for apps and the system. These files come in two flavors:
XML Format: This is the older, more human-readable format. If you open an XML .plist, you’ll see it starts with <?xml version=. You can easily view these files in a text editor like TextEdit or even a web browser.
Binary Format: Newer .plist files are stored in a binary format to save space and support more complex data (like Binary Large Objects (BLOBs)). They start with bplist00 and can be trickier to read directly, but they’re much more efficient for the system.
----------------------------------------------------------------------------------------
How to Analyze .plist Files
If you ever need to dig into .plist files—maybe for troubleshooting or deeper investigation—here’s how you can go about it:
On macOS:
Xcode: Apple’s development environment, Xcode, can open .plist files with a friendly graphical interface, but it needs to be installed from the App Store.
plutil: For command-line fans, the plutil tool can convert binary .plist files into more readable formats like XML or JSON.
Note: Starting with macOS Catalina (10.15), some data, particularly BLOB content, may be truncated when viewed in Xcode or plutil. This issue was fixed in macOS Big Sur (11.0) for Xcode but remains for plutil.
On Windows:
iBackupBot or Notepad++ (with the bplist plugin) can open and edit binary .plist files.
Many forensic tools also support .plist analysis if you're doing advanced work.
On Linux:
Install the libplist-utils package to work with .plist files. The command plistutil can convert binary files to XML for easier reading.
sudo apt update
sudo apt install libplist-utils
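A platform-independent way to do the same check and conversion, as an added example that is not part of the original post: it uses Python's standard plistlib module to identify the format from the leading bytes, convert to XML, and report the full length and hash of every BLOB so truncation by another viewer can be spotted. The sample plist and its keys (Label, RunAtLoad, Bookmark) are constructed for illustration.

```python
import hashlib
import plistlib


def detect_plist_format(data: bytes) -> str:
    """Classify a plist by its leading bytes: bplist00 or <?xml version=."""
    if data.startswith(b"bplist00"):
        return "binary"
    # XML plists may carry a UTF-8 BOM or whitespace before the declaration.
    if data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<?xml version="):
        return "xml"
    return "unknown"


def to_xml(data: bytes) -> bytes:
    """Re-serialize any supported plist as XML without shortening <data> values."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML)


def find_blobs(node, path="$"):
    """Yield (path, length, sha256) for every binary value in a parsed plist."""
    if isinstance(node, bytes):
        yield path, len(node), hashlib.sha256(node).hexdigest()
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from find_blobs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_blobs(value, f"{path}[{index}]")


# Constructed sample: a binary plist with a 4096-byte BLOB (not real evidence).
SAMPLE = plistlib.dumps(
    {"Label": "com.example.agent", "RunAtLoad": True,
     "Bookmark": bytes(range(256)) * 16},
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    print("input format :", detect_plist_format(SAMPLE))
    xml = to_xml(SAMPLE)
    print("output format:", detect_plist_format(xml))
    for path, size, digest in find_blobs(plistlib.loads(xml)):
        print(f"{path}: {size} bytes sha256={digest}")
```

Work on a copy of the evidence file and compare the reported BLOB lengths with what Xcode or plutil displays.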
----------------------------------------------------------------------------------------------
macOS Directory Breakdown
macOS has a file system layout similar to Linux, but with some Apple-specific directories and uses:
/bin: Contains command utilities, just like Linux.
/sbin: Holds system binaries for managing the OS.
/dev: Device files live here, as in most Unix-like systems.
/opt: For optional software.
/private/var: Stores variable data like logs and system audits.
/private/etc: System configuration files, such as hosts and passwd.
/private/tmp: Temporary files directory (deleted automatically over time).
----------------------------------------------------------------------------------------------
macOS File System Extensions
macOS has its own set of file extensions, each serving a unique purpose. Here’s a quick overview:
.dmg: Disk image files used for distributing software. You mount them as if they were actual disks.
.kext: Kernel extensions (essentially drivers). With macOS Big Sur (11.0), third-party kernel extensions require user interaction and a reboot.
.plist: As discussed earlier, these are configuration files in XML or binary formats.
.app: These are macOS applications. While they look like single files, they’re actually bundles containing all the files and resources that make up the app.
.dylib: Dynamic libraries, similar to DLL files in Windows. They contain shared code used by applications.
.pkg: Installer package files. These packages moved to the XAR format with macOS 10.5 Leopard.
.xar: The eXtensible ARchive format is used for software installers and browser extensions.
----------------------------------------------------------------------------------------------
macOS Timestamps: How Time is Recorded
macOS, like many Unix-based systems, records time using the Unix Epoch—the number of seconds that have passed since midnight, January 1, 1970. This timestamp system is 64-bit and can be accurate down to the nanosecond. However, most tools only display time down to the second.
You’ll see timestamps like:
Example 1: 1633112007 (10 digits, second accuracy)
Example 2: 1633112007178798056 (19 digits, nanosecond accuracy)
On some older systems, you might also encounter the Mac Epoch timestamp, which records time from midnight, January 1, 2001. It uses a 32-bit system, so the timestamps are shorter (9 digits).
Here’s a quick way to tell which format you’re dealing with:
9 digits = Mac Epoch
10 or 19 digits = Unix Epoch
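The digit-count rule above as a small converter, added here as an example that is not part of the original post. It decodes the two sample values from the text plus a constructed 9-digit Mac Epoch value for the same second; the function names are illustrative.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_EPOCH_OFFSET = 978307200  # seconds between 1970-01-01 and 2001-01-01 UTC


def decode_timestamp(raw: str):
    """Apply the digit-count rule; return (epoch, UTC datetime, nanoseconds).

    The length rule is a heuristic: a 9-digit Unix value is also valid and
    would fall before 2001-09-09, so check the result against case context.
    """
    digits = raw.strip()
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not a plain integer timestamp: {raw!r}")
    value = int(digits)
    if len(digits) == 9:          # Mac Epoch, whole seconds since 2001
        epoch, seconds, nanos = "mac", value + MAC_EPOCH_OFFSET, 0
    elif len(digits) == 10:       # Unix Epoch, whole seconds
        epoch, seconds, nanos = "unix", value, 0
    elif len(digits) == 19:       # Unix Epoch, nanoseconds
        epoch = "unix"
        seconds, nanos = divmod(value, 1_000_000_000)
    else:
        raise ValueError(f"unexpected length {len(digits)}: {raw!r}")
    return epoch, UNIX_EPOCH + timedelta(seconds=seconds), nanos


def render(raw: str) -> str:
    """Format a raw value as UTC, keeping all nine fractional digits."""
    epoch, moment, nanos = decode_timestamp(raw)
    return f"{moment:%Y-%m-%d %H:%M:%S}.{nanos:09d} UTC ({epoch} epoch)"


# The two values from the text, plus a constructed 9-digit value for the same second.
SAMPLES = ["1633112007", "1633112007178798056", "654804807"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:>19} -> {render(sample)}")
```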
----------------------------------------------------------------------------------------------
Handy Commands for macOS Timestamps
If you want to view file timestamps on macOS, you can use these commands:
stat: Retrieves access, modification, and change times.
stat -x <filename> # Shows Access, Modify, and Change timestamps in seconds
For nanosecond accuracy, use:
stat -f %Fa <filename> # Access time
stat -f %Fm <filename> # Modification time
stat -f %Fc <filename> # Change time
GetFileInfo: This command gives you additional details about the file, including creation and modification times.
GetFileInfo <filename>
---------------------------------------------------------------------------------------------
Disk Acquisition from an APFS Filesystem
Acquiring disk data from macOS devices using the APFS (Apple File System) presents unique challenges, especially for investigators or responders dealing with encrypted systems. Let’s break down the process:
1. Physical Disk Extraction
Unlike traditional PCs, Apple’s devices often don’t allow easy removal of disks. In most cases, the storage is built right into the system. Even if you can physically remove the disk, things get complicated if it’s encrypted—once removed, the data may become unrecoverable.
2. Disk Encryption
Apple devices frequently use disk encryption by default, adding another layer of complexity. While certain organizations claim they can recover data from encrypted disks, it’s not feasible for most responders. The best strategy? Make sure institutional access keys are set up in your organization. These allow you to decrypt and access data when needed.
3. System Integrity Protection (SIP)
Introduced with macOS El Capitan (OS X 10.11), SIP is a security feature that prevents even administrators from modifying key system files. While it helps protect the system, it can interfere with forensic tools that need access to the disk. SIP can be disabled temporarily by rebooting into Recovery Mode, but be warned—this could alter data on the device and affect the investigation.
---------------------------------------------------------------------------------------------
Tips for Disk Acquisition
Live collection is usually your best bet. Capturing data from a running system avoids many of the challenges mentioned above. Here are a few strategies:
Endpoint monitoring tools like EDR (Endpoint Detection and Response) are essential for tracking suspicious activity or capturing data. Examples include Velociraptor or remote access agents like F-Response.
Forensic tools: If you have access to commercial forensic software, you’re in good hands. Some commonly used options include:
Cellebrite Digital Collector
FTK Imager
OpenText EnCase
Magnet Acquire
Direct Access Methods: If you have direct access to the system but not commercial tools, you can still use open-source solutions.
dd or dcfldd/dc3dd: These tools can create a disk image that can be sent to external storage or even a remote address using netcat.
Sumuri PALADIN: A live forensic USB tool for capturing disk images.
---------------------------------------------------------------------------------------------
Mounting APFS Images
Once you’ve captured a disk image, the next step is mounting it for analysis. There are different ways to do this, depending on your platform and available tools.
Easiest Option: Commercial Forensic Suites
If you’re using commercial tools, they make it easy to mount and read the image on a macOS system.
If Commercial Tools Aren’t Available:
Mounting the image on macOS is straightforward, but it requires a few key options:
rdonly: Mounts the image as read-only, ensuring no accidental changes.
noexec: Prevents any code from executing on the mounted image.
noowners: Ignores ownership settings, minimizing access issues.
Commands to Mount in macOS:
sudo su
mkdir /Volumes/apfs_images
mkdir /Volumes/apfs_mounts
xmount --in ewf evidencecapture.E01 --out dmg /Volumes/apfs_images
hdiutil attach -nomount /Volumes/apfs_images/evidencecapture.dmg
diskutil ap list
diskutil ap unlockvolume <Disk GUID> -nomount
mount_apfs -o rdonly,noexec,noowners /dev/disk# /Volumes/apfs_mounts/
Mounting in Linux
Mounting an APFS image on Linux is possible but requires FUSE (Filesystem in Userspace) drivers. Here’s a simplified guide:
Install APFS FUSE Drivers: First, you’ll need to install the necessary dependencies and clone the APFS FUSE repository from GitHub.
sudo apt update
sudo apt install libicu-dev bzip2 cmake libz-dev libbz2-dev fuse3 clang git libattr1-dev libplist-utils -y
cd /opt
git clone https://github.com/sgan81/apfs-fuse.git
cd apfs-fuse
git submodule init
git submodule update
mkdir build
cd build
cmake ..
make
ln /opt/apfs-fuse/build/apfs-dump /usr/bin/apfs-dump
ln /opt/apfs-fuse/build/apfs-dump-quick /usr/bin/apfs-dump-quick
ln /opt/apfs-fuse/build/apfs-fuse /usr/bin/apfs-fuse
ln /opt/apfs-fuse/build/apfsutil /usr/bin/apfsutil
NOTE: The ln commands make it easier to run the tools without adding the /opt/apfs-fuse/build folder to the path. This may vary depending on your environment.
Mount the Image: After setting up FUSE, you can mount the image using this command:
mkdir /mnt/apfs_mount #create mount point
cd /mnt/ewf_mount #change to the directory where the E01 file is located.
apfs-fuse -o ro,allow_other ewf1 /mnt/apfs_mount # mount the image read only
If you want a script to automate this for Debian-based distros (like Ubuntu), check out the one available at this link.
Final Thoughts
In forensic investigations, especially on macOS systems, APFS disk acquisition can be tricky. Between encrypted disks, System Integrity Protection (SIP), and Apple's tight security measures, your best option is often live data capture. Whether you're using commercial tools or open-source alternatives, having the right approach and tools is critical.
Akash Patel