Let me preface this with saying, I.A.N.A.P.P. – I Am Not A Professional Programmer. I enjoy programming, and I hope others find this tool useful. If you find a bug, please let me know. If you have some suggestions or feature requests, please let me know. What may be intuitive to me may be totally off for others. I also wanted to thank Cheeky4n6Monkey for designing an icon for me as I have zero graphic skills, and Scott Zuberbuehler for doing some testing and making some suggestions for improvements.
What does it do?
The concept behind iParser is to provide an automatic way to gather various plist files from a MAC image into one place, rather than look for them every time an exam is conducted. You simply mount the image, point to the root directory, choose a user and let it run. It will gather system information, application preferences, network information and user information. It converts binary plist files into XML using the iTunes plutil, then parses the XML and generates a text report. Although you can use notepad to view the report, I find that Notepad++ works better. If you are unfamiliar with plist files, please read here
Using RegRipper by Harlan Carvey as my inspiration, I decided to use plug-ins to define the plist files so that users can add in plist files as they see fit. I used the OS X 10.7 artifact list by Sean Cavanaugh from http://www.appleexaminer.com/as a starting point for the plist files that will be parsed.
What does it not do?
It does not convert the data within the plist file. For example, in the Safari History plist file, it will not convert the timestamp. It does not decode base64 data. It basically strips out the XML tags and builds a report.
Looking ahead
Yes, this is a Windows based program (sorry). My hopes are to dig my heels in, learn some Pearl, and make it cross-platform compatible. I have a new found respect for the work and ingenuity of RegRipper and realize how spoiled I have been by such a great tool...
Requirements
- Windows
- Mounted Mac Image or access to Mac partition from Boot Camp
- iTunes
- .Net Framework (quick install if you don't already have it)
Plugins
The Plug-in files are in XML format. You can easily add a plist file that is not already included. I have detailed instructions on the format here, or just open and view some of the existing plug-ins to view the format. If you would like me to add any plug-ins to future releases, please email me: arizona4n6 at gmail.com - or email me if you can't figure out the plug-ins and would like me to add a plist. Download and Documentation
Download iParser here
View the Documentation here
Comments
Post a Comment