def decrypt_Metadata(item, df_meta):
if item['keyclass'] >=6 :
bplist = BytesIO(item['encryptedMetadata_wrappedKey'])
plist = ccl_bplist.load(bplist)
metaDataWrappedKeyDeserialized = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
authCode = metaDataWrappedKeyDeserialized['root']['SFAuthenticationCode']
iv = metaDataWrappedKeyDeserialized['root']['SFInitializationVector']
ciphertext = metaDataWrappedKeyDeserialized['root']['SFCiphertext']
unwrapped_metadata_key = unwrap_key(
df_meta[df_meta.keyclass == int(item['keyclass'])].iloc[0].data,
item['keyclass']
)
gcm = AES.new(unhexlify(unwrapped_metadata_key)[:32], AES.MODE_GCM, iv)
metadata_key = gcm.decrypt_and_verify(ciphertext, authCode)
bplist = BytesIO(item['encryptedMetadata_ciphertext'])
plist = ccl_bplist.load(bplist)
metaDataDeserialized = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
authCode = metaDataDeserialized['root']['SFAuthenticationCode']
iv = metaDataDeserialized['root']['SFInitializationVector']
ciphertext = metaDataDeserialized['root']['SFCiphertext']
gcm = AES.new(metadata_key[:32], AES.MODE_GCM, iv)
decrypted = gcm.decrypt_and_verify(ciphertext, authCode)
der_data = decode(decrypted)[0]
item['decrypted'] = {}
for k in der_data:
if 'Octet' in str(type(k[1])):
item['decrypted'][str(k[0])] = bytes(k[1])
else:
item['decrypted'][str(k[0])] = str(k[1])
return item
def ParseSFL(MRUFile):
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
if plist_objects["root"]["NS.objects"][1]["NS.keys"][0] == "com.apple.LSSharedFileList.MaxAmount":
numberOfItems = plist_objects["root"]["NS.objects"][1]["NS.objects"][0]
print "Max number of recent items in this plist: " + str(numberOfItems)
if plist_objects["root"]["NS.keys"][2] == "items":
items = plist_objects["root"]["NS.objects"][2]["NS.objects"]
for n,item in enumerate(items):
print" [Item Number: " + str(n) + " | Order: " + str(item["order"]) + "] Name:'" + item["name"] + "' (URL:'" + item["URL"]['NS.relative'] + "'')"
#UNCOMMENT FOR UNIQUE IDENTIFIER HEXDUMP
#print "----------------------------------------------------------------------------"
#print "Hexdump of Unique Identifier: "
#print hexdump.hexdump(item["uniqueIdentifier"]["NS.uuidbytes"])
#print "----------------------------------------------------------------------------"
if args.blob == True:
print "----------------------------------------------------------------------------"
print "Hexdump of Bookmark BLOB: "
hexdump_blob = hexdump.hexdump(item["bookmark"])
print hexdump_blob
print "----------------------------------------------------------------------------"
def ParseFinderPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
try:
for n, item in enumerate(plist["FXRecentFolders"]):
print " [Item Number: " + str(
n) + "] '" + item["name"] + "'"
try:
blob = item["file-bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
try:
blob = item["file-data"]["_CFURLAliasData"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
except:
pass
except:
print "Cannot open file: " + MRUFile
def ParseSFL2(MRUFile):
itemsLinkList = []
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plistfile.close()
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
if plist_objects["root"]["NS.keys"][0] == "items":
items = plist_objects["root"]["NS.objects"][0]["NS.objects"]
for n, item in enumerate(items):
attribute_keys = plist_objects["root"]["NS.objects"][0][
"NS.objects"][n]["NS.keys"]
attribute_values = plist_objects["root"]["NS.objects"][0][
"NS.objects"][n]["NS.objects"]
attributes = dict(zip(attribute_keys, attribute_values))
if "Bookmark" in attributes:
if isinstance(attributes["Bookmark"], str):
itemLink = BLOBParser_human(attributes["Bookmark"])
else:
itemLink = BLOBParser_human(
attributes["Bookmark"]['NS.data'])
itemsLinkList.append(itemLink)
return itemsLinkList
except Exception as e:
print e
def read_cachefile(_bib):
"""Read BibDesk cache file into Python dict"""
bib_path = os.path.join(BIB_DIR, _bib)
with open(bib_path, 'rb') as _file:
bib_data = ccl_bplist.load(_file)
_file.close()
return bib_data
def read_cachefile(_bib):
"""Read BibDesk cache file into Python dict"""
bib_path = os.path.join(BIB_DIR, _bib)
with open(bib_path, 'rb') as _file:
bib_data = ccl_bplist.load(_file)
_file.close()
return bib_data
def ParseFinderPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print("Parsing FXRecentFolders Key")
print("[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]")
try:
for n, item in enumerate(plist["FXRecentFolders"]):
print(" [Item Number: " + str(n) + "] '" + item["name"] +
"'")
try:
blob = item["file-bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
try:
blob = item["file-data"]["_CFURLAliasData"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
except:
pass
print("\nParsing FXDesktopVolumePositions Key")
print("Item number has no bearing upon time of usage.")
try:
for n, item in enumerate(plist["FXDesktopVolumePositions"]):
item_split = item.split('_0x')
if len(item_split) == 1:
item_split = item.split('_-0x')
item_timestamp = "-0x" + item_split[1]
else:
item_timestamp = "0x" + item_split[1]
if float.fromhex(item_timestamp) > 0:
volume_creation = gmtime(
int(float.fromhex(item_timestamp) + 978307200))
volume_creation_ts = strftime("%m-%d-%Y %H:%M:%S",
volume_creation)
print(" [Item Number: " + str(n) +
"] Volume Created: " + volume_creation_ts +
" Volume Name: '" + item_split[0] +
"'\tOriginal Key: '" + item + "'")
else:
print(" [Item Number: " + str(n) +
"] Volume Created: None\t\t Volume Name: '" +
item_split[0] + "'\tOriginal Key: '" + item + "'")
except:
pass
except:
print("Cannot open file: " + MRUFile)
def get_login_items_entries(btm_file):
with open(btm_file, 'rb') as fp:
plist = ccl_bplist.load(fp)
ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
ccl_bplist.set_object_converter(
ccl_bplist.NSKeyedArchiver_common_objects_convertor)
return ns_keyed_archiver_obj['root']['backgroundItems'][
'allContainers']
def ParseSFL2_FavoriteVolumes(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
print "Item number has no bearing upon time of usage."
print "Plist Properties:"
if plist_objects["root"]["NS.keys"][1] == "properties":
properties_keys = plist_objects["root"]["NS.objects"][1]["NS.keys"]
properties_values = plist_objects["root"]["NS.objects"][1]["NS.objects"]
properties = dict(zip(properties_keys,properties_values))
for key in properties:
print " " + key + ": " + str(properties[key])
if plist_objects["root"]["NS.keys"][0] == "items":
items = plist_objects["root"]["NS.objects"][0]["NS.objects"]
for n,item in enumerate(items):
attribute_keys = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.keys"]
attribute_values = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"]
attributes = dict(zip(attribute_keys,attribute_values))
try:
uuid = attributes["uuid"]
except:
uuid = "No 'UUID' Attribute"
try:
visability = str(attributes["visibility"])
except:
visability = "No 'Visability' Attribute"
try:
name = attributes["Name"]
except:
name = "No 'Name' Attribute (Use BLOB parser for name)"
print "\n [Item Number: " + str(n) + " | (UUID:'" + uuid + "') | Visibility: " + visability + "] Name: '" + name + "'"
if attributes["CustomItemProperties"]:
CIP_keys = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"][1]["NS.keys"]
CIP_values = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"][1]["NS.objects"]
CIP_attributes = dict(zip(CIP_keys,CIP_values))
print "\tCustomItemProperties:"
for key in CIP_attributes:
print "\t " + key + ": " + str(CIP_attributes[key])
if "LSSharedFileList.RecentHosts" not in MRUFile:
blob = attributes["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "Cannot open file: " + MRUFile
def read_cachedir():
"""Read BibDesk cache dir into Python array"""
_data = []
for bib in os.listdir(BIB_DIR):
bib_path = os.path.join(BIB_DIR, bib)
with open(bib_path, 'rb') as _file:
bib_data = ccl_bplist.load(_file)
_file.close()
_data.append(bib_data)
return _data
def read_cachedir():
"""Read BibDesk cache dir into Python array"""
_data = []
for bib in os.listdir(BIB_DIR):
bib_path = os.path.join(BIB_DIR, bib)
with open(bib_path, 'rb') as _file:
bib_data = ccl_bplist.load(_file)
_file.close()
_data.append(bib_data)
return _data
def ParseSFL2(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
try:
if plist_objects["root"]["NS.objects"][1]["NS.keys"][
0] == "com.apple.LSSharedFileList.MaxAmount":
numberOfItems = plist_objects["root"]["NS.objects"][1][
"NS.objects"][0]
print("Max number of recent items in this plist: " +
str(numberOfItems))
except:
pass
if plist_objects["root"]["NS.keys"][0] == "items":
items = plist_objects["root"]["NS.objects"][0]["NS.objects"]
for n, item in enumerate(items):
attribute_keys = plist_objects["root"]["NS.objects"][0][
"NS.objects"][n]["NS.keys"]
attribute_values = plist_objects["root"]["NS.objects"][0][
"NS.objects"][n]["NS.objects"]
attributes = dict(list(zip(attribute_keys, attribute_values)))
try:
uuid = attributes["uuid"]
except:
uuid = "No 'UUID' Attribute"
try:
visability = str(attributes["visibility"])
except:
visability = "No 'Visability' Attribute"
try:
name = attributes["Name"]
except:
name = "No 'Name' Attribute (Use BLOB parser for name)"
print(" [Item Number: " + str(n) + " | (UUID:'" + uuid +
"') | Visibility: " + visability + "] Name:'" + name +
"'")
# Unknown "CustomItemProperties" - Only seen blank, uncomment to see details.
# print attributes["CustomItemProperties"]
if "LSSharedFileList.RecentHosts" not in MRUFile:
blob = attributes["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print("Cannot open file: " + MRUFile)
def decodeDrummersPlist(data):
pl = ccl_bplist.load(data)
rootID = UIDtoInt(pl['$top']['root'])
root = nodeToDict(pl['$objects'][rootID], pl['$objects'])
baseModel = nodeToDict(root['genInstDrummerBaseModel.state'],
pl['$objects'])
drummers = nodeToDict(baseModel['drummerModelTrackStates'], pl['$objects'])
result = []
for k, v in drummers.items():
drummerInfo = nodeToDict(v, pl['$objects'])
result.append(drummerInfo['selectedCharacterIdentifier'])
return result
def get_size(self):
"""
Reads file_meta plist and returns reported file size
:return:
"""
if self.file_meta[:2] == b'bp':
file_meta_plist = ccl_bplist.load(BytesIO(self.file_meta))
size = file_meta_plist['$objects'][1]['Size']
return size
else:
file_meta_plist = plistlib.loads(self.file_meta)
return file_meta_plist['size']
def ParseFinderPlist(MRUFile):
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["FXRecentFolders"]):
print " [Item Number: " + str(n) + "] '" + item["name"] + "'"
if args.blob == True:
print "----------------------------------------------------------------------------"
print "Hexdump of Bookmark BLOB: "
print hexdump.hexdump(item["file-bookmark"])
print "----------------------------------------------------------------------------"
def ParseLSSharedFileListPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "Max number of recent items in this plist:: " + str(plist["RecentDocuments"]["MaxAmount"])
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "Cannot open file: " + MRUFile
def get_mod_time(self):
"""
Reads file_meta plist and returns modified date
:return:
"""
if self.file_meta[:2] == b'bp':
file_meta_plist = ccl_bplist.load(BytesIO(self.file_meta))
raw_date_time = file_meta_plist['$objects'][1]['LastModified']
converted_time = datetime.datetime.fromtimestamp(raw_date_time)
converted_time = converted_time.timetuple()
return converted_time
else:
file_meta_plist = plistlib.loads(self.file_meta)
return file_meta_plist['modified'].timetuple()
def ParseLSShardFileListPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "Max number of recent items in this plist:: " + str(
plist["RecentDocuments"]["MaxAmount"])
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(plist["RecentDocuments"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "Cannot open file: " + MRUFile
def ParseLSShardFileListPlist(MRUFile):
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "Max number of recent items in this plist:: " + str(plist["RecentDocuments"]["MaxAmount"])
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
if args.blob == True:
print "----------------------------------------------------------------------------"
print "Hexdump of Bookmark BLOB: "
print hexdump.hexdump(item["Bookmark"])
print "----------------------------------------------------------------------------"
def main():
parser = argparse.ArgumentParser(
description=
"NeXTSTEP Interface Builder (NIB) file parser prints a list of all connections defined in a NIB file"
)
parser.add_argument('nibfile', help='path to a NIB file')
args = parser.parse_args()
with open(args.nibfile, "rb") as rp:
plist = ccl_bplist.load(rp)
nib = ccl_bplist.deserialise_NsKeyedArchiver(plist)
ibcons = nib['IB.objectdata']['NSConnections']['NS.objects']
for i in range(len(ibcons)):
if 'NSLabel' not in ibcons[i]:
continue
lbl = ibcons[i]['NSLabel']
id = dict(nib['IB.objectdata']['NSConnections'])['NS.objects'][i].value
sname = "NA"
srcid = "NA"
dname = "NA"
dstid = "NA"
if 'NSSource' in ibcons[i]:
srcid = dict(ibcons[i])['NSSource'].value
src = ibcons[i]['NSSource']
sname = getClassName(src)
scontents = getContents(src)
if 'NSDestination' in ibcons[i]:
dstid = dict(ibcons[i])['NSDestination'].value
dst = ibcons[i]['NSDestination']
dname = getClassName(dst)
dcontents = getContents(dst)
out = "%d: %s (%s) - %s " % (i, lbl, id, sname)
if scontents:
out += "[%s] " % scontents
out += "(%s) ---> %s " % (srcid, dname)
if dcontents:
out += "[%s] " % dcontents
out += "(%s)" % dstid
print(out.encode("utf-8"))
def ParseSFL2(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
try:
if plist_objects["root"]["NS.objects"][1]["NS.keys"][0] == "com.apple.LSSharedFileList.MaxAmount":
numberOfItems = plist_objects["root"]["NS.objects"][1]["NS.objects"][0]
print "Max number of recent items in this plist: " + str(numberOfItems)
except:
pass
if plist_objects["root"]["NS.keys"][0] == "items":
items = plist_objects["root"]["NS.objects"][0]["NS.objects"]
for n,item in enumerate(items):
attribute_keys = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.keys"]
attribute_values = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"]
attributes = dict(zip(attribute_keys,attribute_values))
try:
uuid = attributes["uuid"]
except:
uuid = "No 'UUID' Attribute"
try:
visability = str(attributes["visibility"])
except:
visability = "No 'Visability' Attribute"
try:
name = attributes["Name"]
except:
name = "No 'Name' Attribute (Use BLOB parser for name)"
print " [Item Number: " + str(n) + " | (UUID:'" + uuid + "') | Visibility: " + visability + "] Name:'" + name + "'"
#Unknown "CustomItemProperties" - Only seen blank, uncomment to see details.
#print attributes["CustomItemProperties"]
if "LSSharedFileList.RecentHosts" not in MRUFile:
blob = attributes["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "Cannot open file: " + MRUFile
def process_nsa_plist(input_path, f):
'''Returns a deserialized plist. Input is NSKeyedArchive file. input_path field is not used'''
global use_as_library
try:
if not use_as_library:
print('Reading file .. ' + input_path)
f = extract_nsa_plist(f)
ccl_bplist.set_object_converter(
ccl_bplist.NSKeyedArchiver_common_objects_convertor)
plist = ccl_bplist.load(f)
ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
root_names = getRootElementNames(f)
top_level = []
for root_name in root_names:
root = ns_keyed_archiver_obj[root_name]
if not use_as_library:
print('Trying to deserialize binary plist $top = {}'.format(
root_name))
if isinstance(root, dict):
plist = {}
recurseCreatePlist(plist, root,
ns_keyed_archiver_obj.object_table)
if root_name.lower() != 'root':
plist = {root_name: plist}
elif isinstance(root, list):
plist = []
recurseCreatePlist(plist, root,
ns_keyed_archiver_obj.object_table)
if root_name.lower() != 'root':
plist = {root_name: plist}
else:
plist = {root_name: root}
if len(root_names) == 1:
top_level = plist
else: # > 1
top_level.append(plist)
except Exception as ex:
print('Had an exception (error)')
traceback.print_exc()
return top_level
def ParseFinderPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "Parsing FXRecentFolders Key"
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
try:
for n,item in enumerate(plist["FXRecentFolders"]):
print " [Item Number: " + str(n) + "] '" + item["name"] + "'"
try:
blob = item["file-bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
try:
blob = item["file-data"]["_CFURLAliasData"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
except:
pass
print "\nParsing FXDesktopVolumePositions Key"
print "Item number has no bearing upon time of usage."
try:
for n,item in enumerate(plist["FXDesktopVolumePositions"]):
item_split = item.split('_0x')
item_timestamp = "0x" + item_split[1]
if float.fromhex(item_timestamp) > 0:
volume_creation = gmtime(int(float.fromhex(item_timestamp) + 978307200))
volume_creation_ts = strftime("%m-%d-%Y %H:%M:%S", volume_creation)
print " [Item Number: " + str(n) + "] Volume Created: " + volume_creation_ts+ " Volume Name: '" + item_split[0] + "'\tOriginal Key: '" + item + "'"
else:
print " [Item Number: " + str(n) + "] Volume Created: None\t\t Volume Name: '" + item_split[0] + "'\tOriginal Key: '" + item + "'"
except:
pass
except:
print "Cannot open file: " + MRUFile
def ParseFinderPlist(MRUFile):
itemsLinkList = []
try:
with open(MRUFile, "rb") as plistfile:
plist = ccl_bplist.load(plistfile)
for item in plist["FXRecentFolders"]:
if "file-bookmark" in item:
blob = item["file-bookmark"]
elif "file-data" in item:
blob = item["file-data"]["_CFURLAliasData"]
itemLink = BLOBParser_human(blob)
# exclude / path
if itemLink == "/":
continue
itemsLinkList.append(itemLink)
return itemsLinkList
except Exception as e:
print(e)
def DeserializeNSKeyedArchive(file_pointer):
'''Pass an open file pointer (file must be opened as rb) and get a dict or list representation
of the plist returned back
'''
ccl_bplist.set_object_converter(
ccl_bplist.NSKeyedArchiver_common_objects_convertor)
plist = ccl_bplist.load(file_pointer)
ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
root = ns_keyed_archiver_obj['root']
if isinstance(root, dict):
plist = {}
else:
plist = []
recurseCreatePlist(plist, root)
return plist
def ParseSFL(MRUFile):
itemsLinkList = []
try:
with open(MRUFile, "rb") as plistfile:
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
if plist_objects["root"]["NS.keys"][2] == "items":
items = plist_objects["root"]["NS.objects"][2]["NS.objects"]
for n, item in enumerate(items):
# item["URL"]['NS.relative'] file:///xxx/xxx/xxx
filePath = item["URL"]['NS.relative'][7:]
# /xxx/xxx/xxx/ the last "/" make basename func not work
if filePath[-1] == '/':
filePath = filePath[:-1]
itemsLinkList.append(filePath)
return itemsLinkList
except Exception as e:
print(e)
def GetProfileInfo(f):
profiles = []
ccl_bplist.set_object_converter(ccl_bplist.NSKeyedArchiver_common_objects_convertor)
plist = ccl_bplist.load(f)
ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
md = ns_keyed_archiver_obj['mapData']
for item in md:
if md[item]['NSEntityName'] == 'MCX_Profile':
profile_attribs = md[item]['NSAttributeValues']
attributes = []
attributes.append(profile_attribs[0]) # UUID if domain user, else name
attributes.append(profile_attribs[1]) # user name
attributes.append(profile_attribs[2]) # date first logged in (if domain user), else name
# Not interpreting other attributes at this time!
profiles.append(attributes)
return profiles
def ParseSFL(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
try:
if plist_objects["root"]["NS.objects"][1]["NS.keys"][
0] == "com.apple.LSSharedFileList.MaxAmount":
numberOfItems = plist_objects["root"]["NS.objects"][1][
"NS.objects"][0]
print "Max number of recent items in this plist: " + str(
numberOfItems)
except:
pass
if plist_objects["root"]["NS.keys"][2] == "items":
items = plist_objects["root"]["NS.objects"][2]["NS.objects"]
for n, item in enumerate(items):
try:
name = item["name"]
except:
name = "No 'name' Key"
print " [Item Number: " + str(n) + " | Order: " + str(
item["order"]) + "] Name:'" + name + "' (URL:'" + item[
"URL"]['NS.relative'] + "')"
#UNCOMMENT FOR UNIQUE IDENTIFIER HEXDUMP
#print "----------------------------------------------------------------------------"
#print "Hexdump of Unique Identifier: "
#print hexdump.hexdump(item["uniqueIdentifier"]["NS.uuidbytes"])
#print "----------------------------------------------------------------------------"
if "LSSharedFileList.RecentHosts" not in MRUFile:
blob = item["bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "Cannot open file: " + MRUFile
def decrypt_secretData(item):
if item['keyclass'] >=6 :
unwrapped_key = unwrap_key(item['encryptedSecretData_wrappedKey'], item['keyclass'])
bplist = BytesIO(item['encryptedSecretData_ciphertext'])
plist = ccl_bplist.load(bplist)
secretDataDeserialized = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
authCode = secretDataDeserialized['root']['SFAuthenticationCode']
iv = secretDataDeserialized['root']['SFInitializationVector']
ciphertext = secretDataDeserialized['root']['SFCiphertext']
gcm = AES.new(unhexlify(unwrapped_key)[:32], AES.MODE_GCM, iv)
decrypted = gcm.decrypt_and_verify(ciphertext, authCode)
der_data = decode(decrypted)[0]
for k in der_data:
if 'Octet' in str(type(k[1])):
item['decrypted'].update({str(k[0]) : bytes(k[1])})
else:
item['decrypted'].update({str(k[0]) : str(k[1])})
return item
def ParseSFL2(MRUFile):
itemsLinkList = []
try:
with open(MRUFile, "rb") as plistfile:
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
if plist_objects["root"]["NS.keys"][0] == "items":
for item in plist_objects["root"]["NS.objects"][0]["NS.objects"]:
attributes = dict(zip(item["NS.keys"], item["NS.objects"]))
if "Bookmark" in attributes:
if isinstance(attributes["Bookmark"], str):
itemLink = BLOBParser_human(attributes["Bookmark"])
else:
itemLink = BLOBParser_human(
attributes["Bookmark"]['NS.data'])
itemsLinkList.append(itemLink)
return itemsLinkList
except Exception as e:
print e
def main():
global usage
if sys.version_info.major == 2:
print(
'ERROR-This will not work with python2. Please run again with python3!'
)
return
argc = len(sys.argv)
if argc < 2 or sys.argv[1].lower() == '-h':
print(usage)
return
input_path = sys.argv[1]
if not os.path.exists(input_path):
print('Error, file does not exist! Check file path!\r\n')
print(usage)
return
# All OK, process the file now
try:
f = open(input_path, 'rb')
print('Reading file .. ' + input_path)
ccl_bplist.set_object_converter(
ccl_bplist.NSKeyedArchiver_common_objects_convertor)
plist = ccl_bplist.load(f)
ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
root = ns_keyed_archiver_obj['root']
print('Trying to deserialize binary plist ..')
plist = {}
recurseCreatePlist(plist, root)
print('Writing it back out as .. ' + input_path +
'_deserialized.plist')
biplist.writePlist(plist, input_path + '_deserialized.plist')
print('Done !')
except Exception as ex:
print('Had an exception (error)')
traceback.print_exc()
def ParseRecentItemsPlist(MRUFile):
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "Recent Applications (Max number of recent items in this key: " + str(plist["RecentApplications"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentApplications"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
if args.blob == True:
print "----------------------------------------------------------------------------"
print "Hexdump of Bookmark BLOB: "
print hexdump.hexdump(item["Bookmark"])
print "----------------------------------------------------------------------------"
print "Recent Documents (Max number of recent items in this key: " + str(plist["RecentDocuments"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
if args.blob == True:
print "----------------------------------------------------------------------------"
print "Hexdump of Bookmark BLOB: "
print hexdump.hexdump(item["Bookmark"])
print "----------------------------------------------------------------------------"
print "Recent Servers (Max number of recent items in this key: " + str(plist["RecentServers"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentServers"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
if args.blob == True:
print "----------------------------------------------------------------------------"
print "Hexdump of Bookmark BLOB: "
print hexdump.hexdump(item["Bookmark"])
print "----------------------------------------------------------------------------"
print "Recent Hosts (Max number of recent items in this key: " + str(plist["Hosts"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["Hosts"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" + " - URL: " + item["URL"] + "'"
def ParseFinderPlist(MRUFile):
itemsLinkList = []
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plistfile.close()
# print "Parsing FXRecentFolders Key"
# print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(plist["FXRecentFolders"]):
# print " [Item Number: " + str(n) + "] '" + item["name"] + "'"
# print item.keys()
if "file-bookmark" in item:
blob = item["file-bookmark"]
elif "file-data" in item:
blob = item["file-data"]["_CFURLAliasData"]
itemLink = BLOBParser_human(blob)
# exclude / path
if itemLink == "/":
continue
itemsLinkList.append(itemLink)
return itemsLinkList
except Exception as e:
print e
def _unpack_top_level(f, plist_biplist_obj):
'''Does the work to actually unpack the NSKeyedArchive's top level. Returns
the top level object.
'''
ccl_bplist.set_object_converter(
ccl_bplist.NSKeyedArchiver_common_objects_convertor)
plist = ccl_bplist.load(f)
ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
root_names = _get_root_element_names(plist_biplist_obj)
top_level = []
for root_name in root_names:
root = ns_keyed_archiver_obj[root_name]
if isinstance(root, dict):
plist = {}
_recurse_create_plist(plist, root,
ns_keyed_archiver_obj.object_table)
if root_name.lower() != 'root':
plist = {root_name: plist}
elif isinstance(root, list):
plist = []
_recurse_create_plist(plist, root,
ns_keyed_archiver_obj.object_table)
if root_name.lower() != 'root':
plist = {root_name: plist}
else:
plist = {root_name: root}
if len(root_names) == 1:
top_level = plist
else: # > 1
top_level.append(plist)
return top_level
def ParseSFL(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
try:
if plist_objects["root"]["NS.objects"][1]["NS.keys"][0] == "com.apple.LSSharedFileList.MaxAmount":
numberOfItems = plist_objects["root"]["NS.objects"][1]["NS.objects"][0]
print "Max number of recent items in this plist: " + str(numberOfItems)
except:
pass
if plist_objects["root"]["NS.keys"][2] == "items":
items = plist_objects["root"]["NS.objects"][2]["NS.objects"]
for n,item in enumerate(items):
try:
name = item["name"]
except:
name = "No 'name' Key"
print" [Item Number: " + str(n) + " | Order: " + str(item["order"]) + "] Name:'" + name + "' (URL:'" + item["URL"]['NS.relative'] + "')"
#UNCOMMENT FOR UNIQUE IDENTIFIER HEXDUMP
#print "----------------------------------------------------------------------------"
#print "Hexdump of Unique Identifier: "
#print hexdump.hexdump(item["uniqueIdentifier"]["NS.uuidbytes"])
#print "----------------------------------------------------------------------------"
if "LSSharedFileList.RecentHosts" not in MRUFile:
blob = item["bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "Cannot open file: " + MRUFile
def ParseSidebarlistsPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "Parsing 'systemitems' Key (Only --blob_hex works)"
print "Item number has no bearing upon time of usage."
try:
for n,item in enumerate(plist["systemitems"]['VolumesList']):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "' EntryType: " + str(item['EntryType'])
try:
print "\tSpecialID: " + str(item['SpecialID'])
except:
pass
try:
print "\tVisibility: " + str(item['Visibility'])
except:
pass
try:
print "\tFlags: " + str(item['Flags'])
except:
pass
try:
blob = plist["systemitems"]['VolumesList'][n]['Alias']
#BLOBParser_raw(blob)
#BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
except:
pass
print "Parsing 'favorites' Key (Only --blob_hex works)"
print "Item number has no bearing upon time of usage."
try:
for n,item in enumerate(plist["favorites"]['VolumesList']):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "' EntryType: " + str(item['EntryType'])
try:
print "\tSpecialID: " + str(item['SpecialID'])
except:
pass
try:
print "\tVisibility: " + str(item['Visibility'])
except:
pass
try:
print "\tFlags: " + str(item['Flags'])
except:
pass
try:
blob = plist["systemitems"]['VolumesList'][n]['Alias']
#BLOBParser_raw(blob)
#BLOBParser_human(blob)
BLOB_hex(blob)
except:
pass
except:
pass
except:
print "Cannot open file: " + MRUFile
def ParseMSOffice2011Plist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
def FunkyMSTime(raw_accessdate):
global accessdate
thebytes = raw_accessdate.encode("hex")[4:12]
macosts = int(
"".join(
reversed([
thebytes[i:i + 2] for i in range(0, len(thebytes), 2)
])), 16)
epochtime = gmtime(macosts - 2082844800)
accessdate = strftime("%m-%d-%Y %H:%M:%S", epochtime)
except:
print "Cannot open file: " + MRUFile
try:
print "Microsoft Word MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)"
try:
for n, item in enumerate(plist["14\File MRU\MSWD"]):
raw_accessdate = item["Access Date"]
FunkyMSTime(raw_accessdate)
print " [Item Number: " + str(
n) + "] - Access Date (UTC): " + accessdate + ""
blob = item["File Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print " No key for 14\File MRU\MSWD"
except:
pass
try:
print "Microsoft Excel MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)"
try:
for n, item in enumerate(plist["14\File MRU\XCEL"]):
raw_accessdate = item["Access Date"]
FunkyMSTime(raw_accessdate)
print " [Item Number: " + str(
n) + "] - Access Date (UTC): " + accessdate + ""
blob = item["File Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print " No key for 14\File MRU\XCEL"
except:
pass
try:
print "Microsoft Powerpoint MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)"
try:
for n, item in enumerate(plist["14\File MRU\PPT3"]):
raw_accessdate = item["Access Date"]
FunkyMSTime(raw_accessdate)
print " [Item Number: " + str(
n) + "] - Access Date (UTC): " + accessdate + ""
blob = item["File Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print " No key for 14\File MRU\PPT3"
except:
pass
"""
# This example parses the "IconState.plist" file from an iOS device detailing
# the apps displayed on the Springboard homescreen.
import sys
import ccl_bplist
# Open the file specified at the command line
# ccl_bplist expects to see a binary stream, we'll also make it read-only
# hence the "rb" in our arguments.
f = open(sys.argv[1], "rb")
# Pass the file object to the "load" function in ccl_bplist. This gives us
# a python object representing the contents of the file.
plist = ccl_bplist.load(f)
# The IconState file's top level is a dictionary, and we're interested in
# the key "iconLists". This contains an array of arrays (each inner array
# representing a screen in the Springboard).
screens = plist["iconLists"]
# We can iterate through these screens in a for-loop
for screen in screens:
# the variable "screen" will be an array containing both strings
# (denothing apps placed directly on the homescreen) and dictionaries
# (which are folders on the homescreen). We can again iterate through
# these elements in a for-loop
for homescreen_element in screen:
# Check if the element is a string - if so we can just print out
# the name of the App, else if it's a dictionary we have to handle
def ParseRecentItemsPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
try:
print "Recent Applications (Max number of recent items in this key: " + str(
plist["RecentApplications"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(
plist["RecentApplications"]["CustomListItems"]):
print " [Item Number: " + str(
n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Applications"
try:
print "Recent Documents (Max number of recent items in this key: " + str(
plist["RecentDocuments"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(
plist["RecentDocuments"]["CustomListItems"]):
print " [Item Number: " + str(
n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Documents"
try:
print "Recent Servers (Max number of recent items in this key: " + str(
plist["RecentServers"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(
plist["RecentServers"]["CustomListItems"]):
print " [Item Number: " + str(
n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print 'No Recent Servers'
try:
print "Recent Hosts (Max number of recent items in this key: " + str(
plist["Hosts"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(plist["Hosts"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item[
"Name"] + "'" + " - URL: " + item["URL"] + "'"
except:
print "No Recent Hosts"
try:
print "Recent Applications (Legacy) (Max number of recent items in this key: " + str(
plist["pythonApplications"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(plist["Applications"]["CustomListItems"]):
print " [Item Number: " + str(
n) + "] '" + item["Name"] + "'"
blob = item["Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Applications (Legacy)"
try:
print "Recent Documents (Legacy) (Max number of recent items in this key: " + str(
plist["Documents"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(plist["Documents"]["CustomListItems"]):
print " [Item Number: " + str(
n) + "] '" + item["Name"] + "'"
blob = item["Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Documents (Legacy)"
try:
print "Recent Servers (Legacy) (Max number of recent items in this key: " + str(
plist["Servers"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n, item in enumerate(plist["Servers"]["CustomListItems"]):
print " [Item Number: " + str(
n) + "] '" + item["Name"] + "'"
blob = item["Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print 'No Recent Servers (Legacy)'
except:
print "Cannot open file: " + MRUFile
def ParseRecentItemsPlist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
try:
print "Recent Applications (Max number of recent items in this key: " + str(plist["RecentApplications"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentApplications"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Applications"
try:
print "Recent Documents (Max number of recent items in this key: " + str(plist["RecentDocuments"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Documents"
try:
print "Recent Servers (Max number of recent items in this key: " + str(plist["RecentServers"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["RecentServers"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Bookmark"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print 'No Recent Servers'
try:
print "Recent Hosts (Max number of recent items in this key: " + str(plist["Hosts"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["Hosts"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" + " - URL: " + item["URL"] + "'"
except:
print "No Recent Hosts"
try:
print "Recent Applications (Legacy) (Max number of recent items in this key: " + str(plist["pythonApplications"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["Applications"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Applications (Legacy)"
try:
print "Recent Documents (Legacy) (Max number of recent items in this key: " + str(plist["Documents"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["Documents"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print "No Recent Documents (Legacy)"
try:
print "Recent Servers (Legacy) (Max number of recent items in this key: " + str(plist["Servers"]["MaxAmount"]) + ")"
print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
for n,item in enumerate(plist["Servers"]["CustomListItems"]):
print " [Item Number: " + str(n) + "] '" + item["Name"] + "'"
blob = item["Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print 'No Recent Servers (Legacy)'
except:
print "Cannot open file: " + MRUFile
print('\tLevel : {}'.format(table.level))
print('\tOffset: {}'.format(table.offset))
print('\tCount : {}'.format(table.count))
for record in table.record:
print('\t\t===== Record =====')
print('\t\tType : {}'.format(record.type))
print('\t\tFlag : {}'.format(record.flag))
print('\t\tOffset: {}'.format(record.offset))
print('\t===== End of ToC =====')
parser = argparse.ArgumentParser(description='Parse bookmark data within plists')
parser.add_argument('plist_path', metavar='plist', type=str, nargs=1, help='specify path to plist file')
args = parser.parse_args()
raw_data = None
with open(args.plist_path[0], 'rb') as plist:
try:
pl = plistlib.load(plist)
except ValueError:
pl = ccl_bplist.load(plist)
try:
for item in pl["RecentDocuments"]["CustomListItems"]:
raw_data = item['Bookmark']
# _debug()
parse()
print('====================')
except KeyError:
pass
\n\tDependencies:\
\n\t\thexdump.py: https://pypi.python.org/pypi/hexdump\
\n\t\tccl_bplist.py: https://github.com/jorik041/ccl-bplist'
, prog='dump_freq_locs.py'
, formatter_class=RawTextHelpFormatter)
parser.add_argument('-output', choices=['k','c','e'], action="store", help="k=KML, c=CSV, e=EVERTHING")
parser.add_argument('State_Model_Plist_File')
args = parser.parse_args()
global output_type
output_type = None
statemodelfile = args.State_Model_Plist_File
plistfile = open(statemodelfile, "rb")
plist = ccl_bplist.load(plistfile)
plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True)
objects = plist_objects["root"]["stateModelLut"]['NS.objects']
metadata_objects = plist["$top"]
meta_uids = plist_objects["root"]
if args.output == 'c' or args.output == 'e':
output_type = 'c'
with open('dump_freq_locs_output.csv', 'wb') as csvfile:
loccsv = csv.writer(csvfile, delimiter=',', quotechar='|', quoting=csv.QUOTE_MINIMAL)
loccsv.writerow(['Timestamp', 'Timestamp Type','Data Type', 'Latitude', 'Longitude', 'Other Data'])
getMetadata()
RTVisitMonitor()
getLocations()
def ParseMSOffice2011Plist(MRUFile):
try:
plistfile = open(MRUFile, "rb")
plist = ccl_bplist.load(plistfile)
print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]"
def FunkyMSTime(raw_accessdate):
global accessdate
thebytes = raw_accessdate.encode("hex")[4:12]
macosts = int("".join(reversed([thebytes[i:i+2] for i in range(0, len(thebytes), 2)])),16)
epochtime = gmtime(macosts - 2082844800)
accessdate = strftime("%m-%d-%Y %H:%M:%S", epochtime)
except:
print "Cannot open file: " + MRUFile
try:
print "Microsoft Word MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)"
try:
for n,item in enumerate(plist["14\File MRU\MSWD"]):
raw_accessdate = item["Access Date"]
FunkyMSTime(raw_accessdate)
print " [Item Number: " + str(n) + "] - Access Date (UTC): " + accessdate + ""
blob = item["File Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print " No key for 14\File MRU\MSWD"
except:
pass
try:
print "Microsoft Excel MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)"
try:
for n,item in enumerate(plist["14\File MRU\XCEL"]):
raw_accessdate = item["Access Date"]
FunkyMSTime(raw_accessdate)
print " [Item Number: " + str(n) + "] - Access Date (UTC): " + accessdate + ""
blob = item["File Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print " No key for 14\File MRU\XCEL"
except:
pass
try:
print "Microsoft Powerpoint MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)"
try:
for n,item in enumerate(plist["14\File MRU\PPT3"]):
raw_accessdate = item["Access Date"]
FunkyMSTime(raw_accessdate)
print " [Item Number: " + str(n) + "] - Access Date (UTC): " + accessdate + ""
blob = item["File Alias"]
BLOBParser_raw(blob)
BLOBParser_human(blob)
BLOB_hex(blob)
except:
print " No key for 14\File MRU\PPT3"
except:
pass
def deserialize_plist(path_or_file):
'''
Returns a deserialized plist as a dictionary/list.
Parameters
----------
path_or_file:
Path or file-like object of an NSKeyedArchive file
Returns
-------
A dictionary or list is returned depending on contents of
the plist
Exceptions
----------
nska_deserialize.DeserializeError,
biplist.NotBinaryPlistException,
ccl_bplist.BplistError,
ValueError,
TypeError,
OSError,
OverflowError
'''
path = ''
f = None
if isinstance(path_or_file, str):
path = path_or_file
f = open(path, 'rb')
else: # its a file
f = path_or_file
f = _get_valid_nska_plist(f)
ccl_bplist.set_object_converter(
ccl_bplist.NSKeyedArchiver_common_objects_convertor)
plist = ccl_bplist.load(f)
ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(
plist, parse_whole_structure=True)
root_names = _get_root_element_names(f)
top_level = []
for root_name in root_names:
root = ns_keyed_archiver_obj[root_name]
if isinstance(root, dict):
plist = {}
_recurse_create_plist(plist, root,
ns_keyed_archiver_obj.object_table)
if root_name.lower() != 'root':
plist = {root_name: plist}
elif isinstance(root, list):
plist = []
_recurse_create_plist(plist, root,
ns_keyed_archiver_obj.object_table)
if root_name.lower() != 'root':
plist = {root_name: plist}
else:
plist = {root_name: root}
if len(root_names) == 1:
top_level = plist
else: # > 1
top_level.append(plist)
return top_level
print('\t\tType : {}'.format(record.type))
print('\t\tFlag : {}'.format(record.flag))
print('\t\tOffset: {}'.format(record.offset))
print('\t===== End of ToC =====')
parser = argparse.ArgumentParser(
description='Parse bookmark data within plists')
parser.add_argument('plist_path',
metavar='plist',
type=str,
nargs=1,
help='specify path to plist file')
args = parser.parse_args()
raw_data = None
with open(args.plist_path[0], 'rb') as plist:
try:
pl = plistlib.load(plist)
except ValueError:
pl = ccl_bplist.load(plist)
try:
for item in pl["RecentDocuments"]["CustomListItems"]:
raw_data = item['Bookmark']
# _debug()
parse()
print('====================')
except KeyError:
pass
def read_bplist(file_location):
with open(file_location, 'rb') as fd:
plist_array = bplist.load(fd)
return [plist_array]
def read_stream_bplist(string):
w = buffer(string)
plist_array = bplist.load(io.BytesIO(w))
return plist_array