def decrypt_Metadata(item, df_meta): if item['keyclass'] >=6 : bplist = BytesIO(item['encryptedMetadata_wrappedKey']) plist = ccl_bplist.load(bplist) metaDataWrappedKeyDeserialized = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) authCode = metaDataWrappedKeyDeserialized['root']['SFAuthenticationCode'] iv = metaDataWrappedKeyDeserialized['root']['SFInitializationVector'] ciphertext = metaDataWrappedKeyDeserialized['root']['SFCiphertext'] unwrapped_metadata_key = unwrap_key( df_meta[df_meta.keyclass == int(item['keyclass'])].iloc[0].data, item['keyclass'] ) gcm = AES.new(unhexlify(unwrapped_metadata_key)[:32], AES.MODE_GCM, iv) metadata_key = gcm.decrypt_and_verify(ciphertext, authCode) bplist = BytesIO(item['encryptedMetadata_ciphertext']) plist = ccl_bplist.load(bplist) metaDataDeserialized = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) authCode = metaDataDeserialized['root']['SFAuthenticationCode'] iv = metaDataDeserialized['root']['SFInitializationVector'] ciphertext = metaDataDeserialized['root']['SFCiphertext'] gcm = AES.new(metadata_key[:32], AES.MODE_GCM, iv) decrypted = gcm.decrypt_and_verify(ciphertext, authCode) der_data = decode(decrypted)[0] item['decrypted'] = {} for k in der_data: if 'Octet' in str(type(k[1])): item['decrypted'][str(k[0])] = bytes(k[1]) else: item['decrypted'][str(k[0])] = str(k[1]) return item
def ParseSFL(MRUFile): plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) if plist_objects["root"]["NS.objects"][1]["NS.keys"][0] == "com.apple.LSSharedFileList.MaxAmount": numberOfItems = plist_objects["root"]["NS.objects"][1]["NS.objects"][0] print "Max number of recent items in this plist: " + str(numberOfItems) if plist_objects["root"]["NS.keys"][2] == "items": items = plist_objects["root"]["NS.objects"][2]["NS.objects"] for n,item in enumerate(items): print" [Item Number: " + str(n) + " | Order: " + str(item["order"]) + "] Name:'" + item["name"] + "' (URL:'" + item["URL"]['NS.relative'] + "'')" #UNCOMMENT FOR UNIQUE IDENTIFIER HEXDUMP #print "----------------------------------------------------------------------------" #print "Hexdump of Unique Identifier: " #print hexdump.hexdump(item["uniqueIdentifier"]["NS.uuidbytes"]) #print "----------------------------------------------------------------------------" if args.blob == True: print "----------------------------------------------------------------------------" print "Hexdump of Bookmark BLOB: " hexdump_blob = hexdump.hexdump(item["bookmark"]) print hexdump_blob print "----------------------------------------------------------------------------"
def ParseFinderPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" try: for n, item in enumerate(plist["FXRecentFolders"]): print " [Item Number: " + str( n) + "] '" + item["name"] + "'" try: blob = item["file-bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: pass try: blob = item["file-data"]["_CFURLAliasData"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: pass except: pass except: print "Cannot open file: " + MRUFile
def ParseSFL2(MRUFile): itemsLinkList = [] try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plistfile.close() plist_objects = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) if plist_objects["root"]["NS.keys"][0] == "items": items = plist_objects["root"]["NS.objects"][0]["NS.objects"] for n, item in enumerate(items): attribute_keys = plist_objects["root"]["NS.objects"][0][ "NS.objects"][n]["NS.keys"] attribute_values = plist_objects["root"]["NS.objects"][0][ "NS.objects"][n]["NS.objects"] attributes = dict(zip(attribute_keys, attribute_values)) if "Bookmark" in attributes: if isinstance(attributes["Bookmark"], str): itemLink = BLOBParser_human(attributes["Bookmark"]) else: itemLink = BLOBParser_human( attributes["Bookmark"]['NS.data']) itemsLinkList.append(itemLink) return itemsLinkList except Exception as e: print e
def read_cachefile(_bib): """Read BibDesk cache file into Python dict""" bib_path = os.path.join(BIB_DIR, _bib) with open(bib_path, 'rb') as _file: bib_data = ccl_bplist.load(_file) _file.close() return bib_data
def ParseFinderPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print("Parsing FXRecentFolders Key") print("[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]") try: for n, item in enumerate(plist["FXRecentFolders"]): print(" [Item Number: " + str(n) + "] '" + item["name"] + "'") try: blob = item["file-bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: pass try: blob = item["file-data"]["_CFURLAliasData"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: pass except: pass print("\nParsing FXDesktopVolumePositions Key") print("Item number has no bearing upon time of usage.") try: for n, item in enumerate(plist["FXDesktopVolumePositions"]): item_split = item.split('_0x') if len(item_split) == 1: item_split = item.split('_-0x') item_timestamp = "-0x" + item_split[1] else: item_timestamp = "0x" + item_split[1] if float.fromhex(item_timestamp) > 0: volume_creation = gmtime( int(float.fromhex(item_timestamp) + 978307200)) volume_creation_ts = strftime("%m-%d-%Y %H:%M:%S", volume_creation) print(" [Item Number: " + str(n) + "] Volume Created: " + volume_creation_ts + " Volume Name: '" + item_split[0] + "'\tOriginal Key: '" + item + "'") else: print(" [Item Number: " + str(n) + "] Volume Created: None\t\t Volume Name: '" + item_split[0] + "'\tOriginal Key: '" + item + "'") except: pass except: print("Cannot open file: " + MRUFile)
def get_login_items_entries(btm_file): with open(btm_file, 'rb') as fp: plist = ccl_bplist.load(fp) ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) ccl_bplist.set_object_converter( ccl_bplist.NSKeyedArchiver_common_objects_convertor) return ns_keyed_archiver_obj['root']['backgroundItems'][ 'allContainers']
def ParseSFL2_FavoriteVolumes(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) print "Item number has no bearing upon time of usage." print "Plist Properties:" if plist_objects["root"]["NS.keys"][1] == "properties": properties_keys = plist_objects["root"]["NS.objects"][1]["NS.keys"] properties_values = plist_objects["root"]["NS.objects"][1]["NS.objects"] properties = dict(zip(properties_keys,properties_values)) for key in properties: print " " + key + ": " + str(properties[key]) if plist_objects["root"]["NS.keys"][0] == "items": items = plist_objects["root"]["NS.objects"][0]["NS.objects"] for n,item in enumerate(items): attribute_keys = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.keys"] attribute_values = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"] attributes = dict(zip(attribute_keys,attribute_values)) try: uuid = attributes["uuid"] except: uuid = "No 'UUID' Attribute" try: visability = str(attributes["visibility"]) except: visability = "No 'Visability' Attribute" try: name = attributes["Name"] except: name = "No 'Name' Attribute (Use BLOB parser for name)" print "\n [Item Number: " + str(n) + " | (UUID:'" + uuid + "') | Visibility: " + visability + "] Name: '" + name + "'" if attributes["CustomItemProperties"]: CIP_keys = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"][1]["NS.keys"] CIP_values = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"][1]["NS.objects"] CIP_attributes = dict(zip(CIP_keys,CIP_values)) print "\tCustomItemProperties:" for key in CIP_attributes: print "\t " + key + ": " + str(CIP_attributes[key]) if "LSSharedFileList.RecentHosts" not in MRUFile: blob = attributes["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "Cannot open file: " + MRUFile
def read_cachedir(): """Read BibDesk cache dir into Python array""" _data = [] for bib in os.listdir(BIB_DIR): bib_path = os.path.join(BIB_DIR, bib) with open(bib_path, 'rb') as _file: bib_data = ccl_bplist.load(_file) _file.close() _data.append(bib_data) return _data
def ParseSFL2(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) try: if plist_objects["root"]["NS.objects"][1]["NS.keys"][ 0] == "com.apple.LSSharedFileList.MaxAmount": numberOfItems = plist_objects["root"]["NS.objects"][1][ "NS.objects"][0] print("Max number of recent items in this plist: " + str(numberOfItems)) except: pass if plist_objects["root"]["NS.keys"][0] == "items": items = plist_objects["root"]["NS.objects"][0]["NS.objects"] for n, item in enumerate(items): attribute_keys = plist_objects["root"]["NS.objects"][0][ "NS.objects"][n]["NS.keys"] attribute_values = plist_objects["root"]["NS.objects"][0][ "NS.objects"][n]["NS.objects"] attributes = dict(list(zip(attribute_keys, attribute_values))) try: uuid = attributes["uuid"] except: uuid = "No 'UUID' Attribute" try: visability = str(attributes["visibility"]) except: visability = "No 'Visability' Attribute" try: name = attributes["Name"] except: name = "No 'Name' Attribute (Use BLOB parser for name)" print(" [Item Number: " + str(n) + " | (UUID:'" + uuid + "') | Visibility: " + visability + "] Name:'" + name + "'") # Unknown "CustomItemProperties" - Only seen blank, uncomment to see details. # print attributes["CustomItemProperties"] if "LSSharedFileList.RecentHosts" not in MRUFile: blob = attributes["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print("Cannot open file: " + MRUFile)
def decodeDrummersPlist(data): pl = ccl_bplist.load(data) rootID = UIDtoInt(pl['$top']['root']) root = nodeToDict(pl['$objects'][rootID], pl['$objects']) baseModel = nodeToDict(root['genInstDrummerBaseModel.state'], pl['$objects']) drummers = nodeToDict(baseModel['drummerModelTrackStates'], pl['$objects']) result = [] for k, v in drummers.items(): drummerInfo = nodeToDict(v, pl['$objects']) result.append(drummerInfo['selectedCharacterIdentifier']) return result
def get_size(self): """ Reads file_meta plist and returns reported file size :return: """ if self.file_meta[:2] == b'bp': file_meta_plist = ccl_bplist.load(BytesIO(self.file_meta)) size = file_meta_plist['$objects'][1]['Size'] return size else: file_meta_plist = plistlib.loads(self.file_meta) return file_meta_plist['size']
def ParseFinderPlist(MRUFile): plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["FXRecentFolders"]): print " [Item Number: " + str(n) + "] '" + item["name"] + "'" if args.blob == True: print "----------------------------------------------------------------------------" print "Hexdump of Bookmark BLOB: " print hexdump.hexdump(item["file-bookmark"]) print "----------------------------------------------------------------------------"
def ParseLSSharedFileListPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "Max number of recent items in this plist:: " + str(plist["RecentDocuments"]["MaxAmount"]) print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "Cannot open file: " + MRUFile
def get_mod_time(self): """ Reads file_meta plist and returns modified date :return: """ if self.file_meta[:2] == b'bp': file_meta_plist = ccl_bplist.load(BytesIO(self.file_meta)) raw_date_time = file_meta_plist['$objects'][1]['LastModified'] converted_time = datetime.datetime.fromtimestamp(raw_date_time) converted_time = converted_time.timetuple() return converted_time else: file_meta_plist = plistlib.loads(self.file_meta) return file_meta_plist['modified'].timetuple()
def ParseLSShardFileListPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "Max number of recent items in this plist:: " + str( plist["RecentDocuments"]["MaxAmount"]) print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate(plist["RecentDocuments"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "Cannot open file: " + MRUFile
def ParseLSShardFileListPlist(MRUFile): plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "Max number of recent items in this plist:: " + str(plist["RecentDocuments"]["MaxAmount"]) print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" if args.blob == True: print "----------------------------------------------------------------------------" print "Hexdump of Bookmark BLOB: " print hexdump.hexdump(item["Bookmark"]) print "----------------------------------------------------------------------------"
def main(): parser = argparse.ArgumentParser( description= "NeXTSTEP Interface Builder (NIB) file parser prints a list of all connections defined in a NIB file" ) parser.add_argument('nibfile', help='path to a NIB file') args = parser.parse_args() with open(args.nibfile, "rb") as rp: plist = ccl_bplist.load(rp) nib = ccl_bplist.deserialise_NsKeyedArchiver(plist) ibcons = nib['IB.objectdata']['NSConnections']['NS.objects'] for i in range(len(ibcons)): if 'NSLabel' not in ibcons[i]: continue lbl = ibcons[i]['NSLabel'] id = dict(nib['IB.objectdata']['NSConnections'])['NS.objects'][i].value sname = "NA" srcid = "NA" dname = "NA" dstid = "NA" if 'NSSource' in ibcons[i]: srcid = dict(ibcons[i])['NSSource'].value src = ibcons[i]['NSSource'] sname = getClassName(src) scontents = getContents(src) if 'NSDestination' in ibcons[i]: dstid = dict(ibcons[i])['NSDestination'].value dst = ibcons[i]['NSDestination'] dname = getClassName(dst) dcontents = getContents(dst) out = "%d: %s (%s) - %s " % (i, lbl, id, sname) if scontents: out += "[%s] " % scontents out += "(%s) ---> %s " % (srcid, dname) if dcontents: out += "[%s] " % dcontents out += "(%s)" % dstid print(out.encode("utf-8"))
def ParseSFL2(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) try: if plist_objects["root"]["NS.objects"][1]["NS.keys"][0] == "com.apple.LSSharedFileList.MaxAmount": numberOfItems = plist_objects["root"]["NS.objects"][1]["NS.objects"][0] print "Max number of recent items in this plist: " + str(numberOfItems) except: pass if plist_objects["root"]["NS.keys"][0] == "items": items = plist_objects["root"]["NS.objects"][0]["NS.objects"] for n,item in enumerate(items): attribute_keys = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.keys"] attribute_values = plist_objects["root"]["NS.objects"][0]["NS.objects"][n]["NS.objects"] attributes = dict(zip(attribute_keys,attribute_values)) try: uuid = attributes["uuid"] except: uuid = "No 'UUID' Attribute" try: visability = str(attributes["visibility"]) except: visability = "No 'Visability' Attribute" try: name = attributes["Name"] except: name = "No 'Name' Attribute (Use BLOB parser for name)" print " [Item Number: " + str(n) + " | (UUID:'" + uuid + "') | Visibility: " + visability + "] Name:'" + name + "'" #Unknown "CustomItemProperties" - Only seen blank, uncomment to see details. #print attributes["CustomItemProperties"] if "LSSharedFileList.RecentHosts" not in MRUFile: blob = attributes["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "Cannot open file: " + MRUFile
def process_nsa_plist(input_path, f): '''Returns a deserialized plist. Input is NSKeyedArchive file. input_path field is not used''' global use_as_library try: if not use_as_library: print('Reading file .. ' + input_path) f = extract_nsa_plist(f) ccl_bplist.set_object_converter( ccl_bplist.NSKeyedArchiver_common_objects_convertor) plist = ccl_bplist.load(f) ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) root_names = getRootElementNames(f) top_level = [] for root_name in root_names: root = ns_keyed_archiver_obj[root_name] if not use_as_library: print('Trying to deserialize binary plist $top = {}'.format( root_name)) if isinstance(root, dict): plist = {} recurseCreatePlist(plist, root, ns_keyed_archiver_obj.object_table) if root_name.lower() != 'root': plist = {root_name: plist} elif isinstance(root, list): plist = [] recurseCreatePlist(plist, root, ns_keyed_archiver_obj.object_table) if root_name.lower() != 'root': plist = {root_name: plist} else: plist = {root_name: root} if len(root_names) == 1: top_level = plist else: # > 1 top_level.append(plist) except Exception as ex: print('Had an exception (error)') traceback.print_exc() return top_level
def ParseFinderPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "Parsing FXRecentFolders Key" print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" try: for n,item in enumerate(plist["FXRecentFolders"]): print " [Item Number: " + str(n) + "] '" + item["name"] + "'" try: blob = item["file-bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: pass try: blob = item["file-data"]["_CFURLAliasData"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: pass except: pass print "\nParsing FXDesktopVolumePositions Key" print "Item number has no bearing upon time of usage." try: for n,item in enumerate(plist["FXDesktopVolumePositions"]): item_split = item.split('_0x') item_timestamp = "0x" + item_split[1] if float.fromhex(item_timestamp) > 0: volume_creation = gmtime(int(float.fromhex(item_timestamp) + 978307200)) volume_creation_ts = strftime("%m-%d-%Y %H:%M:%S", volume_creation) print " [Item Number: " + str(n) + "] Volume Created: " + volume_creation_ts+ " Volume Name: '" + item_split[0] + "'\tOriginal Key: '" + item + "'" else: print " [Item Number: " + str(n) + "] Volume Created: None\t\t Volume Name: '" + item_split[0] + "'\tOriginal Key: '" + item + "'" except: pass except: print "Cannot open file: " + MRUFile
def ParseFinderPlist(MRUFile): itemsLinkList = [] try: with open(MRUFile, "rb") as plistfile: plist = ccl_bplist.load(plistfile) for item in plist["FXRecentFolders"]: if "file-bookmark" in item: blob = item["file-bookmark"] elif "file-data" in item: blob = item["file-data"]["_CFURLAliasData"] itemLink = BLOBParser_human(blob) # exclude / path if itemLink == "/": continue itemsLinkList.append(itemLink) return itemsLinkList except Exception as e: print(e)
def DeserializeNSKeyedArchive(file_pointer): '''Pass an open file pointer (file must be opened as rb) and get a dict or list representation of the plist returned back ''' ccl_bplist.set_object_converter( ccl_bplist.NSKeyedArchiver_common_objects_convertor) plist = ccl_bplist.load(file_pointer) ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) root = ns_keyed_archiver_obj['root'] if isinstance(root, dict): plist = {} else: plist = [] recurseCreatePlist(plist, root) return plist
def ParseSFL(MRUFile): itemsLinkList = [] try: with open(MRUFile, "rb") as plistfile: plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) if plist_objects["root"]["NS.keys"][2] == "items": items = plist_objects["root"]["NS.objects"][2]["NS.objects"] for n, item in enumerate(items): # item["URL"]['NS.relative'] file:///xxx/xxx/xxx filePath = item["URL"]['NS.relative'][7:] # /xxx/xxx/xxx/ the last "/" make basename func not work if filePath[-1] == '/': filePath = filePath[:-1] itemsLinkList.append(filePath) return itemsLinkList except Exception as e: print(e)
def GetProfileInfo(f): profiles = [] ccl_bplist.set_object_converter(ccl_bplist.NSKeyedArchiver_common_objects_convertor) plist = ccl_bplist.load(f) ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) md = ns_keyed_archiver_obj['mapData'] for item in md: if md[item]['NSEntityName'] == 'MCX_Profile': profile_attribs = md[item]['NSAttributeValues'] attributes = [] attributes.append(profile_attribs[0]) # UUID if domain user, else name attributes.append(profile_attribs[1]) # user name attributes.append(profile_attribs[2]) # date first logged in (if domain user), else name # Not interpreting other attributes at this time! profiles.append(attributes) return profiles
def ParseSFL(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) try: if plist_objects["root"]["NS.objects"][1]["NS.keys"][ 0] == "com.apple.LSSharedFileList.MaxAmount": numberOfItems = plist_objects["root"]["NS.objects"][1][ "NS.objects"][0] print "Max number of recent items in this plist: " + str( numberOfItems) except: pass if plist_objects["root"]["NS.keys"][2] == "items": items = plist_objects["root"]["NS.objects"][2]["NS.objects"] for n, item in enumerate(items): try: name = item["name"] except: name = "No 'name' Key" print " [Item Number: " + str(n) + " | Order: " + str( item["order"]) + "] Name:'" + name + "' (URL:'" + item[ "URL"]['NS.relative'] + "')" #UNCOMMENT FOR UNIQUE IDENTIFIER HEXDUMP #print "----------------------------------------------------------------------------" #print "Hexdump of Unique Identifier: " #print hexdump.hexdump(item["uniqueIdentifier"]["NS.uuidbytes"]) #print "----------------------------------------------------------------------------" if "LSSharedFileList.RecentHosts" not in MRUFile: blob = item["bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "Cannot open file: " + MRUFile
def decrypt_secretData(item): if item['keyclass'] >=6 : unwrapped_key = unwrap_key(item['encryptedSecretData_wrappedKey'], item['keyclass']) bplist = BytesIO(item['encryptedSecretData_ciphertext']) plist = ccl_bplist.load(bplist) secretDataDeserialized = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) authCode = secretDataDeserialized['root']['SFAuthenticationCode'] iv = secretDataDeserialized['root']['SFInitializationVector'] ciphertext = secretDataDeserialized['root']['SFCiphertext'] gcm = AES.new(unhexlify(unwrapped_key)[:32], AES.MODE_GCM, iv) decrypted = gcm.decrypt_and_verify(ciphertext, authCode) der_data = decode(decrypted)[0] for k in der_data: if 'Octet' in str(type(k[1])): item['decrypted'].update({str(k[0]) : bytes(k[1])}) else: item['decrypted'].update({str(k[0]) : str(k[1])}) return item
def ParseSFL2(MRUFile): itemsLinkList = [] try: with open(MRUFile, "rb") as plistfile: plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) if plist_objects["root"]["NS.keys"][0] == "items": for item in plist_objects["root"]["NS.objects"][0]["NS.objects"]: attributes = dict(zip(item["NS.keys"], item["NS.objects"])) if "Bookmark" in attributes: if isinstance(attributes["Bookmark"], str): itemLink = BLOBParser_human(attributes["Bookmark"]) else: itemLink = BLOBParser_human( attributes["Bookmark"]['NS.data']) itemsLinkList.append(itemLink) return itemsLinkList except Exception as e: print e
def main(): global usage if sys.version_info.major == 2: print( 'ERROR-This will not work with python2. Please run again with python3!' ) return argc = len(sys.argv) if argc < 2 or sys.argv[1].lower() == '-h': print(usage) return input_path = sys.argv[1] if not os.path.exists(input_path): print('Error, file does not exist! Check file path!\r\n') print(usage) return # All OK, process the file now try: f = open(input_path, 'rb') print('Reading file .. ' + input_path) ccl_bplist.set_object_converter( ccl_bplist.NSKeyedArchiver_common_objects_convertor) plist = ccl_bplist.load(f) ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) root = ns_keyed_archiver_obj['root'] print('Trying to deserialize binary plist ..') plist = {} recurseCreatePlist(plist, root) print('Writing it back out as .. ' + input_path + '_deserialized.plist') biplist.writePlist(plist, input_path + '_deserialized.plist') print('Done !') except Exception as ex: print('Had an exception (error)') traceback.print_exc()
def ParseRecentItemsPlist(MRUFile): plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "Recent Applications (Max number of recent items in this key: " + str(plist["RecentApplications"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentApplications"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" if args.blob == True: print "----------------------------------------------------------------------------" print "Hexdump of Bookmark BLOB: " print hexdump.hexdump(item["Bookmark"]) print "----------------------------------------------------------------------------" print "Recent Documents (Max number of recent items in this key: " + str(plist["RecentDocuments"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" if args.blob == True: print "----------------------------------------------------------------------------" print "Hexdump of Bookmark BLOB: " print hexdump.hexdump(item["Bookmark"]) print "----------------------------------------------------------------------------" print "Recent Servers (Max number of recent items in this key: " + str(plist["RecentServers"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentServers"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" if args.blob == True: print "----------------------------------------------------------------------------" print "Hexdump of Bookmark BLOB: " print hexdump.hexdump(item["Bookmark"]) print "----------------------------------------------------------------------------" print "Recent Hosts (Max number of recent items in this key: " + str(plist["Hosts"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["Hosts"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" + " - URL: " + item["URL"] + "'"
def ParseFinderPlist(MRUFile): itemsLinkList = [] try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plistfile.close() # print "Parsing FXRecentFolders Key" # print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate(plist["FXRecentFolders"]): # print " [Item Number: " + str(n) + "] '" + item["name"] + "'" # print item.keys() if "file-bookmark" in item: blob = item["file-bookmark"] elif "file-data" in item: blob = item["file-data"]["_CFURLAliasData"] itemLink = BLOBParser_human(blob) # exclude / path if itemLink == "/": continue itemsLinkList.append(itemLink) return itemsLinkList except Exception as e: print e
def _unpack_top_level(f, plist_biplist_obj): '''Does the work to actually unpack the NSKeyedArchive's top level. Returns the top level object. ''' ccl_bplist.set_object_converter( ccl_bplist.NSKeyedArchiver_common_objects_convertor) plist = ccl_bplist.load(f) ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) root_names = _get_root_element_names(plist_biplist_obj) top_level = [] for root_name in root_names: root = ns_keyed_archiver_obj[root_name] if isinstance(root, dict): plist = {} _recurse_create_plist(plist, root, ns_keyed_archiver_obj.object_table) if root_name.lower() != 'root': plist = {root_name: plist} elif isinstance(root, list): plist = [] _recurse_create_plist(plist, root, ns_keyed_archiver_obj.object_table) if root_name.lower() != 'root': plist = {root_name: plist} else: plist = {root_name: root} if len(root_names) == 1: top_level = plist else: # > 1 top_level.append(plist) return top_level
def ParseSFL(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) try: if plist_objects["root"]["NS.objects"][1]["NS.keys"][0] == "com.apple.LSSharedFileList.MaxAmount": numberOfItems = plist_objects["root"]["NS.objects"][1]["NS.objects"][0] print "Max number of recent items in this plist: " + str(numberOfItems) except: pass if plist_objects["root"]["NS.keys"][2] == "items": items = plist_objects["root"]["NS.objects"][2]["NS.objects"] for n,item in enumerate(items): try: name = item["name"] except: name = "No 'name' Key" print" [Item Number: " + str(n) + " | Order: " + str(item["order"]) + "] Name:'" + name + "' (URL:'" + item["URL"]['NS.relative'] + "')" #UNCOMMENT FOR UNIQUE IDENTIFIER HEXDUMP #print "----------------------------------------------------------------------------" #print "Hexdump of Unique Identifier: " #print hexdump.hexdump(item["uniqueIdentifier"]["NS.uuidbytes"]) #print "----------------------------------------------------------------------------" if "LSSharedFileList.RecentHosts" not in MRUFile: blob = item["bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "Cannot open file: " + MRUFile
def ParseSidebarlistsPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "Parsing 'systemitems' Key (Only --blob_hex works)" print "Item number has no bearing upon time of usage." try: for n,item in enumerate(plist["systemitems"]['VolumesList']): print " [Item Number: " + str(n) + "] '" + item["Name"] + "' EntryType: " + str(item['EntryType']) try: print "\tSpecialID: " + str(item['SpecialID']) except: pass try: print "\tVisibility: " + str(item['Visibility']) except: pass try: print "\tFlags: " + str(item['Flags']) except: pass try: blob = plist["systemitems"]['VolumesList'][n]['Alias'] #BLOBParser_raw(blob) #BLOBParser_human(blob) BLOB_hex(blob) except: pass except: pass print "Parsing 'favorites' Key (Only --blob_hex works)" print "Item number has no bearing upon time of usage." try: for n,item in enumerate(plist["favorites"]['VolumesList']): print " [Item Number: " + str(n) + "] '" + item["Name"] + "' EntryType: " + str(item['EntryType']) try: print "\tSpecialID: " + str(item['SpecialID']) except: pass try: print "\tVisibility: " + str(item['Visibility']) except: pass try: print "\tFlags: " + str(item['Flags']) except: pass try: blob = plist["systemitems"]['VolumesList'][n]['Alias'] #BLOBParser_raw(blob) #BLOBParser_human(blob) BLOB_hex(blob) except: pass except: pass except: print "Cannot open file: " + MRUFile
def ParseMSOffice2011Plist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" def FunkyMSTime(raw_accessdate): global accessdate thebytes = raw_accessdate.encode("hex")[4:12] macosts = int( "".join( reversed([ thebytes[i:i + 2] for i in range(0, len(thebytes), 2) ])), 16) epochtime = gmtime(macosts - 2082844800) accessdate = strftime("%m-%d-%Y %H:%M:%S", epochtime) except: print "Cannot open file: " + MRUFile try: print "Microsoft Word MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)" try: for n, item in enumerate(plist["14\File MRU\MSWD"]): raw_accessdate = item["Access Date"] FunkyMSTime(raw_accessdate) print " [Item Number: " + str( n) + "] - Access Date (UTC): " + accessdate + "" blob = item["File Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print " No key for 14\File MRU\MSWD" except: pass try: print "Microsoft Excel MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)" try: for n, item in enumerate(plist["14\File MRU\XCEL"]): raw_accessdate = item["Access Date"] FunkyMSTime(raw_accessdate) print " [Item Number: " + str( n) + "] - Access Date (UTC): " + accessdate + "" blob = item["File Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print " No key for 14\File MRU\XCEL" except: pass try: print "Microsoft Powerpoint MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)" try: for n, item in enumerate(plist["14\File MRU\PPT3"]): raw_accessdate = item["Access Date"] FunkyMSTime(raw_accessdate) print " [Item Number: " + str( n) + "] - Access Date (UTC): " + accessdate + "" blob = item["File Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print " No key for 14\File MRU\PPT3" except: pass
""" # This example parses the "IconState.plist" file from an iOS device detailing # the apps displayed on the Springboard homescreen. import sys import ccl_bplist # Open the file specified at the command line # ccl_bplist expects to see a binary stream, we'll also make it read-only # hence the "rb" in our arguments. f = open(sys.argv[1], "rb") # Pass the file object to the "load" function in ccl_bplist. This gives us # a python object representing the contents of the file. plist = ccl_bplist.load(f) # The IconState file's top level is a dictionary, and we're interested in # the key "iconLists". This contains an array of arrays (each inner array # representing a screen in the Springboard). screens = plist["iconLists"] # We can iterate through these screens in a for-loop for screen in screens: # the variable "screen" will be an array containing both strings # (denothing apps placed directly on the homescreen) and dictionaries # (which are folders on the homescreen). We can again iterate through # these elements in a for-loop for homescreen_element in screen: # Check if the element is a string - if so we can just print out # the name of the App, else if it's a dictionary we have to handle
def ParseRecentItemsPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) try: print "Recent Applications (Max number of recent items in this key: " + str( plist["RecentApplications"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate( plist["RecentApplications"]["CustomListItems"]): print " [Item Number: " + str( n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Applications" try: print "Recent Documents (Max number of recent items in this key: " + str( plist["RecentDocuments"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate( plist["RecentDocuments"]["CustomListItems"]): print " [Item Number: " + str( n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Documents" try: print "Recent Servers (Max number of recent items in this key: " + str( plist["RecentServers"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate( plist["RecentServers"]["CustomListItems"]): print " [Item Number: " + str( n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print 'No Recent Servers' try: print "Recent Hosts (Max number of recent items in this key: " + str( plist["Hosts"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate(plist["Hosts"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item[ "Name"] + "'" + " - URL: " + item["URL"] + "'" except: print "No Recent Hosts" try: print "Recent Applications (Legacy) (Max number of recent items in this key: " + str( plist["pythonApplications"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate(plist["Applications"]["CustomListItems"]): print " [Item Number: " + str( n) + "] '" + item["Name"] + "'" blob = item["Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Applications (Legacy)" try: print "Recent Documents (Legacy) (Max number of recent items in this key: " + str( plist["Documents"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate(plist["Documents"]["CustomListItems"]): print " [Item Number: " + str( n) + "] '" + item["Name"] + "'" blob = item["Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Documents (Legacy)" try: print "Recent Servers (Legacy) (Max number of recent items in this key: " + str( plist["Servers"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n, item in enumerate(plist["Servers"]["CustomListItems"]): print " [Item Number: " + str( n) + "] '" + item["Name"] + "'" blob = item["Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print 'No Recent Servers (Legacy)' except: print "Cannot open file: " + MRUFile
def ParseRecentItemsPlist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) try: print "Recent Applications (Max number of recent items in this key: " + str(plist["RecentApplications"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentApplications"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Applications" try: print "Recent Documents (Max number of recent items in this key: " + str(plist["RecentDocuments"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentDocuments"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Documents" try: print "Recent Servers (Max number of recent items in this key: " + str(plist["RecentServers"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["RecentServers"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Bookmark"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print 'No Recent Servers' try: print "Recent Hosts (Max number of recent items in this key: " + str(plist["Hosts"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["Hosts"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" + " - URL: " + item["URL"] + "'" except: print "No Recent Hosts" try: print "Recent Applications (Legacy) (Max number of recent items in this key: " + str(plist["pythonApplications"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["Applications"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Applications (Legacy)" try: print "Recent Documents (Legacy) (Max number of recent items in this key: " + str(plist["Documents"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["Documents"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print "No Recent Documents (Legacy)" try: print "Recent Servers (Legacy) (Max number of recent items in this key: " + str(plist["Servers"]["MaxAmount"]) + ")" print "MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" for n,item in enumerate(plist["Servers"]["CustomListItems"]): print " [Item Number: " + str(n) + "] '" + item["Name"] + "'" blob = item["Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print 'No Recent Servers (Legacy)' except: print "Cannot open file: " + MRUFile
print('\tLevel : {}'.format(table.level)) print('\tOffset: {}'.format(table.offset)) print('\tCount : {}'.format(table.count)) for record in table.record: print('\t\t===== Record =====') print('\t\tType : {}'.format(record.type)) print('\t\tFlag : {}'.format(record.flag)) print('\t\tOffset: {}'.format(record.offset)) print('\t===== End of ToC =====') parser = argparse.ArgumentParser(description='Parse bookmark data within plists') parser.add_argument('plist_path', metavar='plist', type=str, nargs=1, help='specify path to plist file') args = parser.parse_args() raw_data = None with open(args.plist_path[0], 'rb') as plist: try: pl = plistlib.load(plist) except ValueError: pl = ccl_bplist.load(plist) try: for item in pl["RecentDocuments"]["CustomListItems"]: raw_data = item['Bookmark'] # _debug() parse() print('====================') except KeyError: pass
\n\tDependencies:\ \n\t\thexdump.py: https://pypi.python.org/pypi/hexdump\ \n\t\tccl_bplist.py: https://github.com/jorik041/ccl-bplist' , prog='dump_freq_locs.py' , formatter_class=RawTextHelpFormatter) parser.add_argument('-output', choices=['k','c','e'], action="store", help="k=KML, c=CSV, e=EVERTHING") parser.add_argument('State_Model_Plist_File') args = parser.parse_args() global output_type output_type = None statemodelfile = args.State_Model_Plist_File plistfile = open(statemodelfile, "rb") plist = ccl_bplist.load(plistfile) plist_objects = ccl_bplist.deserialise_NsKeyedArchiver(plist, parse_whole_structure=True) objects = plist_objects["root"]["stateModelLut"]['NS.objects'] metadata_objects = plist["$top"] meta_uids = plist_objects["root"] if args.output == 'c' or args.output == 'e': output_type = 'c' with open('dump_freq_locs_output.csv', 'wb') as csvfile: loccsv = csv.writer(csvfile, delimiter=',', quotechar='|', quoting=csv.QUOTE_MINIMAL) loccsv.writerow(['Timestamp', 'Timestamp Type','Data Type', 'Latitude', 'Longitude', 'Other Data']) getMetadata() RTVisitMonitor() getLocations()
def ParseMSOffice2011Plist(MRUFile): try: plistfile = open(MRUFile, "rb") plist = ccl_bplist.load(plistfile) print "[MRUs are listed from Newest to Oldest (ie: Item 0 - Item 9)]" def FunkyMSTime(raw_accessdate): global accessdate thebytes = raw_accessdate.encode("hex")[4:12] macosts = int("".join(reversed([thebytes[i:i+2] for i in range(0, len(thebytes), 2)])),16) epochtime = gmtime(macosts - 2082844800) accessdate = strftime("%m-%d-%Y %H:%M:%S", epochtime) except: print "Cannot open file: " + MRUFile try: print "Microsoft Word MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)" try: for n,item in enumerate(plist["14\File MRU\MSWD"]): raw_accessdate = item["Access Date"] FunkyMSTime(raw_accessdate) print " [Item Number: " + str(n) + "] - Access Date (UTC): " + accessdate + "" blob = item["File Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print " No key for 14\File MRU\MSWD" except: pass try: print "Microsoft Excel MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)" try: for n,item in enumerate(plist["14\File MRU\XCEL"]): raw_accessdate = item["Access Date"] FunkyMSTime(raw_accessdate) print " [Item Number: " + str(n) + "] - Access Date (UTC): " + accessdate + "" blob = item["File Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print " No key for 14\File MRU\XCEL" except: pass try: print "Microsoft Powerpoint MRUs: (Use --blob_parse_human or --blob_parse_raw for file paths in BLOBs.)" try: for n,item in enumerate(plist["14\File MRU\PPT3"]): raw_accessdate = item["Access Date"] FunkyMSTime(raw_accessdate) print " [Item Number: " + str(n) + "] - Access Date (UTC): " + accessdate + "" blob = item["File Alias"] BLOBParser_raw(blob) BLOBParser_human(blob) BLOB_hex(blob) except: print " No key for 14\File MRU\PPT3" except: pass
def deserialize_plist(path_or_file): ''' Returns a deserialized plist as a dictionary/list. Parameters ---------- path_or_file: Path or file-like object of an NSKeyedArchive file Returns ------- A dictionary or list is returned depending on contents of the plist Exceptions ---------- nska_deserialize.DeserializeError, biplist.NotBinaryPlistException, ccl_bplist.BplistError, ValueError, TypeError, OSError, OverflowError ''' path = '' f = None if isinstance(path_or_file, str): path = path_or_file f = open(path, 'rb') else: # its a file f = path_or_file f = _get_valid_nska_plist(f) ccl_bplist.set_object_converter( ccl_bplist.NSKeyedArchiver_common_objects_convertor) plist = ccl_bplist.load(f) ns_keyed_archiver_obj = ccl_bplist.deserialise_NsKeyedArchiver( plist, parse_whole_structure=True) root_names = _get_root_element_names(f) top_level = [] for root_name in root_names: root = ns_keyed_archiver_obj[root_name] if isinstance(root, dict): plist = {} _recurse_create_plist(plist, root, ns_keyed_archiver_obj.object_table) if root_name.lower() != 'root': plist = {root_name: plist} elif isinstance(root, list): plist = [] _recurse_create_plist(plist, root, ns_keyed_archiver_obj.object_table) if root_name.lower() != 'root': plist = {root_name: plist} else: plist = {root_name: root} if len(root_names) == 1: top_level = plist else: # > 1 top_level.append(plist) return top_level
print('\t\tType : {}'.format(record.type)) print('\t\tFlag : {}'.format(record.flag)) print('\t\tOffset: {}'.format(record.offset)) print('\t===== End of ToC =====') parser = argparse.ArgumentParser( description='Parse bookmark data within plists') parser.add_argument('plist_path', metavar='plist', type=str, nargs=1, help='specify path to plist file') args = parser.parse_args() raw_data = None with open(args.plist_path[0], 'rb') as plist: try: pl = plistlib.load(plist) except ValueError: pl = ccl_bplist.load(plist) try: for item in pl["RecentDocuments"]["CustomListItems"]: raw_data = item['Bookmark'] # _debug() parse() print('====================') except KeyError: pass
def read_bplist(file_location): with open(file_location, 'rb') as fd: plist_array = bplist.load(fd) return [plist_array]
def read_stream_bplist(string): w = buffer(string) plist_array = bplist.load(io.BytesIO(w)) return plist_array