Posts tagged forensic

Forensic Bookmark.plist from Safari


I was reading some documents on Mac OS X forensics, and I was searching for
how to get back the Bookmarks.plist from Safari, parse it and read it easily …

I knew that this file is located at the following path:

~/Library/Safari/Bookmarks.plist

I was thinking that plist files were always XML documents and tried to read the file with Python; I opened Python and typed the following commands.

>>> import plistlib
>>> plistlib.readPlist('Bookmarks.plist')

Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/plistlib.py", line 78, in readPlist
rootObject = p.parse(pathOrFile)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/plistlib.py", line 405, in parse
parser.ParseFile(fileobj)
xml.parsers.expat.ExpatError: not well-formed (invalid token): line 1, column 9

Yeah ! Error …

I got back to my shell and tried to read it with

$ cat Bookmarks.plist

[...] it was not XML output at all !

I went straight to developer.apple.com/ to find out how plists are used, and found that some plist files are in

BINARY FORMAT PROPERTY LISTS

WTF ??

Fortunately the command to translate it to XML was given:

plutil -convert xml1 -o - Bookmarks.plist

I tried it, and it gave me a nice XML format.

I could then put the output of this command in an XML file and use it.
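As an added example (not from the original post), the same parsing done without plutil: Python 3's plistlib reads the binary format directly, unlike the Python 2.6 in the traceback above, and the 8-byte "bplist00" header is exactly why the XML parser died at column 9. The bookmark tree layout (WebBookmarkType, Children, URLString, URIDictionary/title) is assumed from Safari's file and the sample tree is constructed here.

```python
import plistlib

BPLIST_MAGIC = b"bplist00"  # 8-byte header of a binary plist


def plist_format(data: bytes) -> str:
    """Classify raw plist bytes as 'binary' or 'xml' from the file header.
    The 8-byte 'bplist00' header is what made the XML parser in the post
    give up at line 1, column 9."""
    return "binary" if data.startswith(BPLIST_MAGIC) else "xml"


def walk_bookmarks(node, folder=()):
    """Yield (folder path, title, URL) for every leaf under `node`.
    Assumed Safari layout: folders have 'Title' and 'Children', leaves
    have 'URLString' and 'URIDictionary' -> 'title'."""
    if node.get("WebBookmarkType") == "WebBookmarkTypeLeaf":
        title = node.get("URIDictionary", {}).get("title", "")
        yield ("/".join(folder), title, node.get("URLString", ""))
        return
    name = node.get("Title", "")
    sub = folder + (name,) if name else folder
    for child in node.get("Children", []):
        yield from walk_bookmarks(child, sub)


def load_bookmarks(data: bytes):
    """Parse binary or XML plist bytes (plistlib.loads auto-detects both
    in Python 3, unlike the Python 2.6 in the post) and flatten the tree."""
    return list(walk_bookmarks(plistlib.loads(data)))


# Constructed sample tree standing in for a real ~/Library/Safari/Bookmarks.plist.
SAMPLE_TREE = {
    "WebBookmarkType": "WebBookmarkTypeList",
    "Title": "",
    "Children": [
        {"WebBookmarkType": "WebBookmarkTypeLeaf",
         "URLString": "https://developer.apple.com/",
         "URIDictionary": {"title": "Apple Developer"}},
        {"WebBookmarkType": "WebBookmarkTypeList",
         "Title": "Forensics",
         "Children": [
             {"WebBookmarkType": "WebBookmarkTypeLeaf",
              "URLString": "https://example.invalid/plist",
              "URIDictionary": {"title": "plist notes"}}]},
    ],
}
SAMPLE_BPLIST = plistlib.dumps(SAMPLE_TREE, fmt=plistlib.FMT_BINARY)
SAMPLE_XML = plistlib.dumps(SAMPLE_TREE, fmt=plistlib.FMT_XML)
```

On a real file, `load_bookmarks(open(path, "rb").read())` gives the same flattened rows whether the plist on disk is binary or already converted with plutil.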

Hidden password in an extended attribute


Today I was playing with some forensic challenges and I got surprised by
one of them. It went like this : « A password is hidden … but where »

The file was an image, and my first idea was to try some steganography tools,
but after a little hour and some research … I began to get very bored, and
asked my friend Google about hidden data on OS X.

After a few minutes I found the answer: xattr,
the EXTENDED ATTRIBUTES … they are kind of similar to the alternate
data streams in Windows.

That's why I decided to explain to you how it works :

  • Open a shell and enter into Python
>>> import xattr
>>> xattr.listxattr("test.png")
(u'com.apple.metadata:kMDItemWhereFroms', u'user.comment')
>>>

as you may see … there are some attributes, and one of them is « user.comment »; after
some research on the internet ( 1 min ) I discovered how to print it out :

>>> xattr.getxattr("test.png", "user.comment")
'Password: XnHjst6&'
>>>

And the challenge was finished ! It was the first time I saw extended attributes … and I found them very interesting.

have fun
