Script Update - Mac MRU Parser v1.5 - Added Volume Analysis Support and Other Stuff!

December 11, 2017 in analysis, scripts, update, osx, iOS

Get the script here!

Added volume analysis support for the following plists. These are not really MRUs but it could be damn useful to gather this info.

Sidebar List plist [10.12-] - /Users/<username>/Library/Preferences/com.apple.sidebarlists.plist
Favorite Volumes SFL2 - [10.13+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2
Finder Plist - /Users/<username>/Library/Preferences/com.apple.finder.plist
- I was parsing FXRecentFolders Key, I've added FXDesktopVolumePositions Key
- FXDesktopVolumePositions has a volume creation timestamp embedded into the "file" name for the volume (highlight in yellow below). This has been extracted and converted to human readable time (highlight in orange below).

Thanks to @4n68r for pointing out broke stuff (and for using the script!)

The ICNS Icon export function was also fixed.
Fixed support for some *.sfl2 files that were cranky and had no names.
Documentation/Spelling

Script Update - Mac MRU Parser v1.3 - New 10.13 *.sfl2 MRU Files

October 17, 2017 in scripts, update, analysis

Just a quick script update!

New with 10.13 High Sierra are the newer format *.sfl2 Mac MRU files. The format changes slightly from the older *.sfl files found in 10.11 and 10.12. It also uses the analyst infuriating NSKeyedArchiver format. An example of the Recent Applications MRU can be seen below.

The updated script can be found here.

Script Update - Mac MRU Parser - Spotlight Shortcuts & BLOB Parsing!

July 20, 2017 in analysis, scripts, update, osx

Get the script here!

Added in Spotlight Shortcuts

I've updated my macMRU.py script to parse the Spotlight Shortcuts plist file that I consider to be very MRU-like. This plist file contains what the user typed into the Spotlight search window, what they clicked on, and when this all occurred. You can find artifacts of application usage, documents, emails, photos, etc.

Bookmark and Alias BLOB Parsing

The second part of the update (and probably the most requested!) was to add in arguments to allow the analyst to see the parse out the Bookmark and Alias BLOB data. Previously the script only had an option to show the BLOB hexdump. Using mac_alias [download here], the script can now parse these BLOBs. This comes with a caveat, this script relies on the documented structures by others (with a few minor changes by my own research). These have not been officially documented by Apple therefore YMMV. Many of us are still researching these, hopefully this script will help the process! This update provides three new arguments:

--blob_hex = This is the same as what --blob was before. Just a hexdump of the BLOB data.
--blob_parse_raw = This shows the raw output from mac_alias, not exactly the easiest to read but good for debugging.
--blob_parse_human = This shows the pieces of the BLOBs in a (mostly) human-friendly (example below).

I want to say thank you to a few folks that allowed these additions to be made:

Alastair Houghton & Wim Lewis - For mac_alias and the reversing the Alias/Bookmark structures. I took a shot at it years ago and gave up, really appreciate someone else's effort!
Phill Moore of thisweekin4n6.com - You'll notice some support for legacy keys in the com.apple.recentitems.plist have also been added in this update thanks to Phil and his oddly old MRUs files! :) I also appreciate his testing of this tool on Windows also. (Sorry Phil, didn't get a chance to test it on Windows yet!)
Shout out to Patrick Olsen for his work on Alias V3 structures. Unfortunately I did not get to use his research - turns out V3 Alias BLOBs do not get used in any of the MRUs that I'm parsing in this script (they are all V2)! Maybe in the future!

Script Update - Mac (& iOS) Location Scraper (macOS and iOS 10 Updates)

July 05, 2017 in analysis, scripts, update

Yep, you read that right - Mac Location Scraper! I've updated my 'iOS Location Scraper' script to be compatible with the same location database found on iOS - the cache_encryptedA.db (and lockCache_encryptedA.db) that are now found on macOS at least as far back as 10.8.

On macOS these databases hold similar Wi-Fi location data. I have found these databases to be located in the /var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C/ directory. It appears to store about last seven days worth of Wi-Fi related data.

I have also updated the script to support the newer 'routined' CoreRoutine.sqlite database on iOS 10. This database does tend to get stored with a *.shm/*.wal database files so I would recommend pulling off all the files and consolidating them into the main database *.sqlite file, otherwise all the data will not be extracted.

You can get the script here!

Update to MacMRU Parser - Now with Microsoft Office Support!

August 15, 2016 in analysis, osx, scripts

I've updated my MacMRU parser script, located here: https://github.com/mac4n6/macMRU-Parser.

This update includes support for 'Most Recently Used' artifacts for Microsoft Office for Mac 2011 and 2016. I've also added a bit more error checking, so please let me know if you come across a plist that doesn't work or does not contain certain expected keys. It happens, I've run across a few myself - I can't explain why now, but I hope to look into it further.

While researching for this update I noticed something interesting. Microsoft Office used a binary plist format for the 2011 version of the software, but "downgraded" to an XML-based plist format in the 2016 version. Most of the time I see plists headed in the XML->Binary direction.

Got a MacMRU file that I don't parse? Please let me know!

I hope you find this script useful!