Repository files navigation

Deserializes NSKeyedArchiver created plists, which are frequent in macOS/iOS. These are serialized versions of plists (or data classes) and are meant for machine reading. The deserialized version is human readable for analysts and investigators who need to review the data.

The library recursively deserializes the entire plist and returns a dictionary/list object representing the entire plist. Certain NSKeyedArchiver plists contain circular references, which results in infinite looping. The code detects and breaks these loops wherever found to return useable data.

Due to improvements in the built-inplistlib library in Python 3.8, it is recommended to use 3.8 or above. For 3.7 or lower, it should work fine for most plists, some might fail to save correctly. If you don't care about saving the deserialized plist (using the built-in library functions), then this should make no difference.

pip3 install nska_deserialize

Use the functionsdeserialize_plist ordeserialize_plist_from_string to convert NSKeyedArchives (NSKA).

By defaultfull_recurse_convert_nska=False maintaining old behaviour which is to throw an exception if the archive is not NSKA, and no recursive processing for nested NSKA data blobs. If set toTrue, then it will process any plist even if not an NSKA (at root level).

By defaultformat=list maintains old behaviour providing a list as the top level of the plist. Ifformat=dict is used, this switches to a dictionary.

importnska_deserializeasndinput_path='/Users/yogesh/Desktop/sample.sfl2'withopen(input_path,'rb')asf:try:deserialized_plist=nd.deserialize_plist(f,full_recurse_convert_nska=True,format=dict)print(deserialized_plist)except (nd.DeserializeError,nd.biplist.NotBinaryPlistException,nd.biplist.InvalidPlistException,nd.plistlib.InvalidFileException,nd.ccl_bplist.BplistError,ValueError,TypeError,OSError,OverflowError)asex:# These are all possible errors from libraries importedprint('Had exception: '+str(ex))deserialized_plist=Noneifdeserialized_plist:output_path_plist=input_path+'_deserialized.plist'output_path_json=input_path+'_deserialized.json'nd.write_plist_to_json_file(deserialized_plist,output_path_json)nd.write_plist_to_file(deserialized_plist,output_path_plist)

importnska_deserializeasndplist_in_string=b"{notional plist as string that might have come from a database}"try:deserialized_plist=nd.deserialize_plist_from_string(plist_in_string,full_recurse_convert_nska=True,format=dict)print(deserialized_plist)except (nd.DeserializeError,nd.biplist.NotBinaryPlistException,nd.biplist.InvalidPlistException,nd.plistlib.InvalidFileException,nd.ccl_bplist.BplistError,ValueError,TypeError,OSError,OverflowError)asex:# These are all possible errors from libraries importedprint('Had exception: '+str(ex))deserialized_plist=Noneifdeserialized_plist:output_path_plist=input_path+'_deserialized.plist'output_path_json=input_path+'_deserialized.json'nd.write_plist_to_json_file(deserialized_plist,output_path_json)nd.write_plist_to_file(deserialized_plist,output_path_plist)

v1.5.1
Minor bug fix - Empty NSKeyedArchive will not raise an exception if it is valid.

v1.5.0
Minor bug fix - If root level element was NULL, this would create an invalid plist as None/NULL values are not allowed in plists. This now converts it to a blank string.
New optionformat=dict will return a dictionary at the top level of a plist instead of the default list format (Thanks @cvandeplas - Christophe Vandeplas).

v1.4.0
New boolean optionfull_recurse_convert_nska for full recursion of plist and conversion of all nested NSKeyedArchive data.

v1.3.3
Fixes an issue with CF$UID conversion, this was not being applied to all plists resulting in empty output for certain plists.
Python 3.12 compatible and tested.

v1.3.2
Adds NSUUID type to ccl_bplist, which should remove at least some exceptions related tounhashable type: 'NsKeyedArchiverDictionary'.

v1.3.1
Python 3.9 compatible (earlier versions of library may have problems with XML plists on python 3.9).

v1.2
Support for macOS Big Sur plists, some have hexadecimal integers in XML, which caused problems with underlying plist parsers.