
Property lists are files that can be found virtually everywhere on Apple Operating Systems. They are often stored in a compressed form, as “Binary Property Lists” (with a binary header of 0x6270).
These files contain information related to a specific application or utility within the OS. For instance, the file “com.apple.identityservices.idstatuscache.plist” located in private/var/mobile/Library/Preferences keeps records of (essentially) the first time you saved a contact on your iPhone (for more info check this out).
- Hex Viewer
- Property List Editor
- Text Editor
To make this a readable format, I use the “plutil -convert xml1 com.apple.identityservices.idstatuscache.plist” command in the Terminal, and I get the same file in an XML format:
As you can see, the LookupDate timestamp is stored as a “real” data type. In other Property Lists, they may be stored as “date” or “integer” data types.
Timestamps Format
- “<real>”: CFAbsolute time (Apple Core Foundation Absolute Time), i.e. the number of seconds since 2001.01.01 00:00:00 UTC; but it can also be stored as Unix Epoch time.
- “<integer>”: Unix Epoch time, the number of seconds since 1970.01.01 00:00:00 UTC.
- “<date>”: stored as “yyyy-mm-ddthh-mm-ssz”.
I’m assuming that timestamps stored in the “date” data type are expressed in local time, whilst timestamps in the “real” and “integer” types are expressed in GMT. However, I have not found steady proof of this yet.
Extracting Timestamps
To make my research easier, I wrote a small script that parses Property Lists timestamps into an SQLite database. Obviously, it’s far from perfect – I’m a complete noob! The end result is something like this:
It goes through a given directory, copies all files with a “.plist” extension whilst keeping the original directory structure, and converts them to readable XML format. Then, all occurrences of “real”, “date” and “integer” (if they meet certain requirements) are copied, cleaned and formatted into CSV-like text files. These text files are uploaded to an SQLite database and the timestamps are converted according to their format.
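The conversion step can be illustrated with an added Python example (not the script described above): it reads a plist with the standard `plistlib` module, walks every value, and decodes numbers under both epochs from the Timestamps Format list, keeping each reading that lands in a plausible date range. The 2007 to 2040 window, the sample data and every key name except LookupDate are assumptions made for the illustration.

```python
import plistlib
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCHS = {"CFAbsoluteTime": datetime(2001, 1, 1, tzinfo=UTC),
          "Unix epoch": datetime(1970, 1, 1, tzinfo=UTC)}
# Assumption: only values that decode into this window are treated as timestamps.
WINDOW = (datetime(2007, 1, 1, tzinfo=UTC), datetime(2040, 1, 1, tzinfo=UTC))

def candidates(value):
    """Every epoch under which a number decodes to a date inside WINDOW."""
    hits = []
    for name, epoch in EPOCHS.items():
        try:
            when = epoch + timedelta(seconds=value)
        except (OverflowError, ValueError):  # huge or NaN values are not timestamps
            continue
        if WINDOW[0] <= when <= WINDOW[1]:
            hits.append((name, when))
    return hits

def walk(node, path=""):
    """Yield (key path, plist type, raw value, interpretations) per timestamp-like leaf."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, datetime):  # <date>: reported exactly as stored
        yield path, "date", node, [("date", node)]
    elif isinstance(node, (int, float)) and not isinstance(node, bool):
        hits = candidates(node)
        if hits:  # zero hits: a counter or flag; two hits: ambiguous, keep both
            yield path, "real" if isinstance(node, float) else "integer", node, hits

def extract(data):
    """Parse XML or binary plist bytes; plistlib detects the format itself."""
    return list(walk(plistlib.loads(data)))

# Constructed sample (key names other than LookupDate are made up for illustration).
SAMPLE = plistlib.dumps({
    "example-contact": {"LookupDate": 600000000.25, "SomeCounter": 1},
    "LastSync": 1500000000,
    "Created": datetime(2020, 1, 6, 10, 40, 0),
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for path, kind, raw, hits in extract(SAMPLE):
        print(path, kind, raw, [(n, w.isoformat()) for n, w in hits])
```

A number that decodes into the window under both epochs is returned with both readings, so the ambiguity stays visible in the output instead of being resolved by a guess.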
Please let me know if you have criticism or tips to improve!
TLDR
– Property Lists are files that store serialized objects.
– In Digital Forensics, these files can contain important data about the device and its usage.