NSKeyedAchiverParser

iped-app/resources/config/conf/CategoriesConfig.json

@@ -69,6 +69,9 @@
 	      ]}
 	    ]}
     ]},
+    {"name": "Apple Artifacts", "categories":[
+        {"name": "Apple Configuration Files", "mimes": ["application/x-bplist"]}
+    ]},
     {"name": "Google Drive", "categories":[
       {"name": "GDrive Synced Files", "mimes": ["application/x-gdrive-cloud-graph", "application/x-gdrive-snapshot"]},
       {"name": "GDrive File Entries", "mimes": ["application/x-gdrive-cloud-graph-registry", "application/x-gdrive-snapshot-registry"]}

iped-app/resources/config/conf/CategoriesToExpand.txt

@@ -19,6 +19,7 @@ OLE files
 Georeferenced Files
 Peer-to-peer
 Chrome Cache
+Apple Configuration Files
 #Event Files
 
 # Generates registry reports:

iped-app/resources/config/conf/MakePreviewConfig.txt

@@ -10,4 +10,5 @@ supportedMimes = application/x-whatsapp-db; application/x-whatsapp-db-f; applica
 supportedMimes = application/x-prefetch; text/x-vcard; application/x-emule-preferences-dat; application/vnd.android.package-archive; application/x-bittorrent-settings-dat
 
 # List of mimetypes which parsers insert links to other case items into preview
-supportedMimesWithLinks = application/x-emule; application/x-emule-part-met; application/x-ares-galaxy; application/x-shareaza-library-dat; application/x-shareaza-download; application/x-bittorrent-resume-dat; application/x-bittorrent-resume-dat-entry; application/x-bittorrent
+supportedMimesWithLinks = application/x-emule; application/x-emule-part-met; application/x-ares-galaxy; application/x-shareaza-library-dat; application/x-shareaza-download; application/x-bittorrent-resume-dat; application/x-bittorrent-resume-dat-entry; application/x-bittorrent
+supportedMimesWithLinks = application/x-bplist; application/x-apple-nskeyedarchiver; application/x-plist; application/x-bplist-webarchive; application/x-plist-webarchive; application/x-plist-memgraph; application/x-bplist-memgraph; application/x-bplist-itunes; application/x-plist-itunes

iped-app/resources/config/conf/ParserConfig.xml

@@ -23,7 +23,9 @@
         <parser class="iped.parsers.external.CompositeExternalParser"></parser>
 
         <parser class="org.apache.tika.parser.apple.AppleSingleFileParser"></parser>
-        <parser class="org.apache.tika.parser.apple.PListParser"></parser>
+        <parser class="iped.parsers.plist.parser.PListParser"></parser>
+        <parser class="iped.parsers.plist.parser.NSKeyedArchiverParser"></parser>
+        <!-- <parser class="org.apache.tika.parser.apple.PListParser"></parser> -->
         <parser class="org.apache.tika.parser.asm.ClassParser"></parser>
         <parser class="org.apache.tika.parser.audio.AudioParser"></parser>
         <parser class="org.apache.tika.parser.audio.MidiParser"></parser>

iped-parsers/iped-parsers-impl/src/main/java/iped/parsers/plist/detector/PListDetector.java

@@ -15,6 +15,7 @@
 
 import com.dd.plist.NSDictionary;
 import com.dd.plist.NSObject;
+import com.dd.plist.NSString;
 import com.dd.plist.PropertyListFormatException;
 import com.dd.plist.PropertyListParser;
 
@@ -32,6 +33,7 @@ public class PListDetector implements Detector {
     public static MediaType BITUNES = MediaType.application("x-bplist-itunes");
     public static MediaType WA_USER_PLIST = MediaType.application("x-whatsapp-user-plist");
     public static MediaType THREEMA_USER_PLIST = MediaType.application("x-threema-user-plist");
+    public static MediaType NSKEYEDARCHIVER_PLIST = MediaType.application("x-apple-nskeyedarchiver");
 
     public static MediaType detectOnKeys(Set<String> keySet) {
         if (keySet.contains("nodes") && keySet.contains("edges") && keySet.contains("graphEncodingVersion")) {
@@ -46,9 +48,24 @@ public static MediaType detectOnKeys(Set<String> keySet) {
         } else if (keySet.contains("Threema device ID")) {
             return THREEMA_USER_PLIST;
         }
+
         return BPLIST;
     }
 
+    public static MediaType detectOnNodes(NSDictionary rootObj, Metadata metadata) {
+        NSObject archiver = rootObj.get("$archiver");
+        if (archiver != null) {
+            if (archiver instanceof NSString) {
+                if (archiver.toString().toLowerCase().equals("nskeyedarchiver")) {
+                    return NSKEYEDARCHIVER_PLIST;
+                }
+            }
+        }
+
+        return detectOnKeys(rootObj.getHashMap().keySet());
+
+    }
+
     /**
      * @param input
      *            input stream must support reset
@@ -101,7 +118,7 @@ public MediaType detect(InputStream input, Metadata metadata) throws IOException
         }
 
         if (rootObj instanceof NSDictionary) {
-            return detectOnKeys(((NSDictionary) rootObj).getHashMap().keySet());
+            return detectOnNodes((NSDictionary) rootObj, metadata);
         }
         return BPLIST;
     }