Deserializing NSKey Archives

Serialization plays a crucial role in software development, particularly on macOS and iOS, where NSKeyedArchiver is widely used to serialize objects (data classes) into Property Lists (PLists) in a machine-readable binary format. These serialized PLists serve many purposes, such as data transmission and storage. For analysis and investigation, however, human-readable data is essential. Tools such as Yogesh Khatri's PList Deserializer transform these PLists into a format a person can read easily. The deserializer.py script converts “NSKeyedArchive binary plists into normal plists.” [1]

What does the PList Deserializer do?

  • Efficiently converting PLists, ensuring a seamless transition from machine-readable to human-readable formats.

  • Tackling challenges like circular references.

  • The tool is equipped to detect and break loops, ensuring the integrity of the deserialized data.

  • The deserialization process is recursive, capturing the entire PList hierarchy and presenting it in an organized manner.
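
To show what such a tool does under the hood, here is a small Python example added for this post (it is not Khatri's script): it walks an NSKeyedArchiver plist's `$top` and `$objects` tables, resolves UID references recursively, rebuilds NSDictionary and NSArray containers, and breaks circular references with a marker instead of recursing forever. The archive it works on is constructed inline and is not a real artifact.

```python
import plistlib

# Constructed sample archive (not a real artifact): an NSDictionary holding an
# NSArray and a reference back to itself, which forms a cycle.
SAMPLE_ARCHIVE = {
    "$version": 100000, "$archiver": "NSKeyedArchiver",
    "$top": {"root": plistlib.UID(1)},
    "$objects": [
        "$null",
        {"$class": plistlib.UID(5), "NS.keys": [plistlib.UID(2), plistlib.UID(3)],
         "NS.objects": [plistlib.UID(4), plistlib.UID(1)]},
        "title", "self",
        {"$class": plistlib.UID(6), "NS.objects": [plistlib.UID(7)]},
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},
        "Hello",
    ],
}


def _convert(objects, value, path):
    """Replace UID references with the $objects entries they point to, recursively.
    `path` holds the UIDs on the current recursion path; meeting one again is a loop."""
    if isinstance(value, plistlib.UID):
        if value.data in path:
            return f"<circular reference to $objects[{value.data}]>"
        return _convert(objects, objects[value.data], path | {value.data})
    if isinstance(value, dict):
        if "NS.keys" in value and "NS.objects" in value:  # NSDictionary
            keys = [_convert(objects, k, path) for k in value["NS.keys"]]
            vals = [_convert(objects, v, path) for v in value["NS.objects"]]
            return dict(zip(keys, vals))
        if "NS.objects" in value:  # NSArray / NSSet
            return [_convert(objects, v, path) for v in value["NS.objects"]]
        # any other encoded object: keep its fields, drop the $class pointer
        return {k: _convert(objects, v, path) for k, v in value.items() if k != "$class"}
    if isinstance(value, list):
        return [_convert(objects, v, path) for v in value]
    return None if value == "$null" else value


def deserialize(archive):
    """Resolve every $top entry of a parsed NSKeyedArchiver plist into plain data."""
    if archive.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objs = archive["$objects"]
    return {name: _convert(objs, uid, frozenset()) for name, uid in archive["$top"].items()}


def roundtrip_demo():
    """Serialize the sample as a binary plist, then deserialize it from the raw bytes."""
    return deserialize(plistlib.loads(plistlib.dumps(SAMPLE_ARCHIVE, fmt=plistlib.FMT_BINARY)))
```

Running `roundtrip_demo()` yields `{'root': {'title': ['Hello'], 'self': '<circular reference to $objects[1]>'}}`, which is the shape of output the examiner sees after deserialization.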

The application and tools that will be utilized within this blog:

Before Deserialization

First, select a .plist of your choice to examine. Here, I’ve selected “DeliveredNotifications.plist” and will open it up with plist Editor Pro.

This is what a .plist file looks like before a tool such as a deserializer is applied. Notice how the key and some other values hold data that doesn’t make sense to an examiner off-hand.

Steps to Deserialize

Step 1. “Extract” the MacForensics-master.zip file.

Step 2. “Open” the extracted MacForensics-master.zip file.

Step 3. “Open” the MacForensics-master folder.

Step 4. “Open” the Deserializer folder.

Step 5. “Open” the README.md file. This can be opened using programs such as Notepad, Notepad++, or Sublime. Review the PListDeserializer usage and determine the proper command for the output you desire.

Step 6. Type “CMD” into the address bar of your File Explorer.

Step 7. In the command prompt that opens up, type the command “Deserializer.exe (insert plist file path)” and press “Enter”.

Step 8. Once the tool has completed deserializing, it will return “Done !”

Step 9. Navigate to where the original .plist file is. You’ll see a new file ending with “_deserialized.plist”.

Step 10. “Open” the file ending with “_deserialized.plist” using plist Editor Pro.

Post-Deserialization

Notice how the data has changed and some of the keys and values now make sense to the examiner.

Conclusion

As you can see from the before and after examples, deserializing data transforms it back into a human-readable format. This, in turn, helps the examiner better understand what types of data they could be seeing. I hope this information proves beneficial for deserializing PLists. Should you have any inquiries, please don’t hesitate to reach out to us at hexordia@hexordia.com.

References

[1] Y. Khatri, "deserializer.py," MacForensics, GitHub. [Online]. Available: https://github.com/ydkhatri/MacForensics/blob/master/Deserializer/deserializer.py.

Sarah Hayes

Sarah is a digital forensic examiner at Hexordia. She joined the organization after doing research on the Facebook Portal Mini and presenting at the 2021 SANS DFIR Summit. She conducts research of Internet of Things devices and their associated artifacts in the cloud, on device, and related mobile applications.
