Skip to content

GuyEldad/PlistParser

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
PlistParser.svg
PlistParser.svg
 
 
PlistParser_Linux.7z
PlistParser_Linux.7z
 
 
PlistParser_Windows.7z
PlistParser_Windows.7z
 
 
PlistParser_macOS.7z
PlistParser_macOS.7z
 
 
README.md
README.md
 
 

Repository files navigation

PlistParser Banner

PlistParser

PlistParser is a forensic tool for parsing macOS property list (plist) files in both binary and XML formats. Built for DFIR and designed to work with live macOS systems or offline triage images, it supports flexible export formats and includes a live system scan mode for forensic collection.

Features

  • Parses binary, XML plist formats.
  • Exports results as TXT, JSON, or CSV with auto-detected columns per plist.
  • Live scan mode (--live) - scans common forensically relevant plist locations on a live macOS system, including Preferences, LaunchAgents, LaunchDaemons, and other plist-based artifacts.
  • Supports single file, recursive directory, and live system scanning modes.
  • Handles duplicate filenames across directories - renames and logs automatically.
  • Available as a standalone executable for Windows, Linux, and macOS.

Download

Platform Download
Windows PlistParser_Windows.7z
Linux PlistParser_Linux.7z
macOS PlistParser_macOS.7z

Linux Compatibility

The Linux executable was built for x86_64 glibc-based systems.

Tested on:

  • REMnux
  • Kali Linux

Expected to work on:

  • Debian/Ubuntu/Kali-based systems with glibc 2.31 or newer

Not guaranteed on:

  • Older Linux distributions
  • ARM systems

If the Linux binary does not run, check your glibc version with:

ldd --version

Installation and Usage

Windows

  • Extract the .7z archive.

  • Open Command Prompt or PowerShell in the folder where the executable is located.

  • Run:

    PlistParser.exe --help

Linux

  • Extract the .7z archive: 
    7z x PlistParser_Linux.7z
  • Grant executable permission: 
    chmod +x PlistParser
  • Run: 
    ./PlistParser --help

macOS

  • Extract the .7z archive: 
    7z x PlistParser_macOS.7z
  • Grant executable permission: 
    chmod +x PlistParser
  • Run: 
    ./PlistParser --help

Modes

Single File Mode

Parse a single plist file and print results to the console:

PlistParser Downloads.plist

Parse and export to one or more formats:

PlistParser Downloads.plist --txt
PlistParser Downloads.plist --json
PlistParser Downloads.plist --txt --json --csv

Parse and save to a specific output folder (no console output):

PlistParser.exe Downloads.plist --txt -o C:\results      # Windows
./PlistParser Downloads.plist --txt -o ~/results         # Linux / macOS

Directory Mode

Scan a folder recursively and export all parsed plists:

PlistParser.exe C:\Triage\ --txt                         # Windows
./PlistParser /mnt/triage/ --txt                         # Linux
./PlistParser ~/Library/Preferences/ --txt               # macOS

Output is saved to Desktop\PlistParser_Results\ (Windows) or ~/Desktop/PlistParser_Results/ (macOS/Linux) unless -o is specified.

Live Mode - macOS Only

Scan all forensically relevant plist locations on the live macOS system:

./PlistParser --live --txt
./PlistParser --live --txt --json --csv
./PlistParser --live --txt --json --csv -o ~/Desktop/case01

For full access to system-level plists, run with elevated privileges:

sudo ./PlistParser --live --txt

Flags

Flag Description
--txt Save parsed output as plain text (.parsed.txt)
--json Save parsed output as JSON (.parsed.json)
--csv Save structured CSV with auto-detected columns (.parsed.csv)
--live Scan forensic plist locations on the live macOS system (macOS only)
-o <dir> Custom output directory
-h, --help Show help message

Output

  • TXT - human-readable parsed output, one file per plist.
  • JSON - full structured output preserving all data types.
  • CSV - auto-detects the structure of each plist and creates proper columns. For example, Downloads.plist produces a CSV with one row per download entry and named columns like DownloadEntryURL, DownloadEntryPath, DownloadEntryDateAddedKey, etc.
  • duplicates_log.txt - created when duplicate filenames are found across directories, listing original paths and renamed output files.

Important Notice

Some antivirus software may flag the executable as a false positive. This is due to the way the tool is packaged using Python and PyInstaller, which can sometimes trigger heuristic detections.

If you encounter warnings, consider:

  • Running the tool in a sandbox or isolated environment.
  • Adding an exclusion rule for the executable in your antivirus software.
  • Temporarily disabling your antivirus software.

Contact

For questions or feedback, contact me via https://www.linkedin.com/in/guy-eldad/

Copyright © 2026 Guy Eldad. All rights reserved.

About

A forensic tool for parsing macOS property list (plist) files in binary and XML formats for easy analysis

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors