Collaborate Disseminate
Just a quick script update!New with 10.13 High Sierra are the newer format *.sfl2 Mac MRU files. The format changes slightly from the older *.sfl files found in 10.11 and 10.12. It also uses the analyst infuriating NSKeyedArchiver format. An example of… Continue reading Script Update – Mac MRU Parser v1.3 – New 10.13 *.sfl2 MRU Files
Get the script here!Added in Spotlight ShortcutsI’ve updated my macMRU.py script to parse the Spotlight Shortcuts plist file that I consider to be very MRU-like. This plist file contains what the user typed into the Spotlight search window, what they c… Continue reading Script Update – Mac MRU Parser – Spotlight Shortcuts & BLOB Parsing!
Yep, you read that right – Mac Location Scraper! I’ve updated my ‘iOS Location Scraper’ script to be compatible with the same location database found on iOS – the cache_encryptedA.db (and lockCache_encryptedA.db) that are now found on macOS at lea… Continue reading Script Update – Mac (& iOS) Location Scraper (macOS and iOS 10 Updates)
Managing Azure Active Directory using PowerShell is a pretty common technique for Office 365 administrators to master. Many scripts to automate administrative processes have been written to leverage the -Msol* cmdlets included in version one of the Azure Active Directory PowerShell module. Version 2 of the module is now generally available, which is good, but be careful because scripts need to be updated before you can use the new module.
The post Version 2 of the Azure Active Directory PowerShell Module is Generally Available – But be Careful appeared first on Petri.
I’ve updated my MacMRU parser script, located here: https://github.com/mac4n6/macMRU-Parser.This update includes support for ‘Most Recently Used’ artifacts for Microsoft Office for Mac 2011 and 2016. I’ve also added a bit more error checking, so p… Continue reading Update to MacMRU Parser – Now with Microsoft Office Support!
I’ve updated my MacMRU parser script, located here: https://github.com/mac4n6/macMRU-Parser.This update includes support for ‘Most Recently Used’ artifacts for Microsoft Office for Mac 2011 and 2016. I’ve also added a bit more error checking, so p… Continue reading Update to MacMRU Parser – Now with Microsoft Office Support!
I have been studying the new SFL-based MRU plist files found in OS X 10.11. They make analysis hard because they are binary plist files using the NSKeyedArchiver format – see here for my manual analysis of these files. I’ve also included the ‘older’ format plist files used in OS X 10.10 and older.
In order to analyze them better (and student requests) I wrote a Python script to output the contents of these files in an easier to read format. Nothing fancy, just text printed to standard output.
Get the script here from my Github page. I hope you find the script useful!
The script is meant to be run on a directory; this can be a directory of extracted plist files from an image, a directory on your own system (ie: ~/Library), or from a mounted image (ie: /Volumes/mounted_image_file/Users/<username>/), you get the idea.
This script parses the following plist files:
The script usage is below. The only required argument is the directory, but the output can include binary BLOB hex dump of the Bookmark data (–blob). Most of the Mac MRUs contain a binary Bookmark BLOB of data that can be useful to determine where a certain file was located or where an application was run from. I’ve included it as an option as it can get very, very verbose.
The script also has two dependencies, hexdump.py and ccl_bplist.py. These files can be installed or just simply placed in the same directory you are running the macMRU.py script from. (Installation on OS X 10.11 systems are limited thanks to SIP.)
A few screenshots of example script output:
This example shows the output without the BLOB data of the newer SFL-based MRU files:
This example shows the same output with a sample of the hexdump BLOB data, you can see where this can get quite verbose.
The last example shows the ‘older’ MRU plist files found on 10.10 and older systems. (The com.apple.finder.plist files is the same on 10.11.)
I have been studying the new SFL-based MRU plist files found in OS X 10.11. They make analysis hard because they are binary plist files using the NSKeyedArchiver format – see here for my manual analysis of these files. I’ve also included the ‘older’ format plist files used in OS X 10.10 and older.
In order to analyze them better (and student requests) I wrote a Python script to output the contents of these files in an easier to read format. Nothing fancy, just text printed to standard output.
Get the script here from my Github page. I hope you find the script useful!
The script is meant to be run on a directory; this can be a directory of extracted plist files from an image, a directory on your own system (ie: ~/Library), or from a mounted image (ie: /Volumes/mounted_image_file/Users/<username>/), you get the idea.
This script parses the following plist files:
The script usage is below. The only required argument is the directory, but the output can include binary BLOB hex dump of the Bookmark data (–blob). Most of the Mac MRUs contain a binary Bookmark BLOB of data that can be useful to determine where a certain file was located or where an application was run from. I’ve included it as an option as it can get very, very verbose.
The script also has two dependencies, hexdump.py and ccl_bplist.py. These files can be installed or just simply placed in the same directory you are running the macMRU.py script from. (Installation on OS X 10.11 systems are limited thanks to SIP.)
A few screenshots of example script output:
This example shows the output without the BLOB data of the newer SFL-based MRU files:
This example shows the same output with a sample of the hexdump BLOB data, you can see where this can get quite verbose.
The last example shows the ‘older’ MRU plist files found on 10.10 and older systems. (The com.apple.finder.plist files is the same on 10.11.)
After people complained that News Genius could be a vector for harassment, Vijith Assar wrote a tool that would block it. Continue reading There’s Now a Script to Block Genius from Annotating Your Website
I have added some output options to the script – CSV and KML.
See a related post here – “Parsing iOS Frequent Locations”
The script can now be called with a ‘-output’ argument with the following options:
Note: The verbose script output is still available from standard output.
python dump_freq_locs.py –output e <StateModel#.plist>
Updated script (v1.1) is available in GitHub
Example of the CSV output in Excel
Example of the KML output in Google Earth
Example of the KML output in Google ‘My Maps’
Continue reading Script Update: Dump iOS Frequent Locations – Now with KML & CSV Output!
