Added MacOS login items/background items plugins

[Spferical]

One line description of pull request

Adds parsers for MacOS login items/background items.

Description:

This PR covers:

• login items (autostart applications)
• login window (autostart applications and login/logout hook scripts)
• startup items (pre-launchd service mechanism)

Notes:

All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

• Automated checks (GitHub Actions, AppVeyor) pass
• No new new dependencies are required or l2tdevtools has been updated
• Reviewer assigned

[joachimmetz]

Thanks for the suggested changes, I'll take a closer look later this week.

[joachimmetz]

Seeing you use a new dependency plistutils also see https://github.com/log2timeline/l2tdocs/blob/main/process/Dependencies.md

[joachimmetz]

FYI I rebased with HEAD and did a force push to make sure tests don't fail

[joachimmetz]

@Spferical I'll make some changes and leave some comment on the review. Unless explicitly tagged by name consider these informational.

[joachimmetz]

Note that on Mac OS 10.7 and 10.8 the com.apple.loginitems.plist file is slightly different, e.g.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>SessionItems</key>
	<dict>
		<key>CustomListItems</key>
		<array>
			<dict>
				<key>Icon</key>
				<data>
				...
				</data>
				<key>CustomItemProperties</key>
				<dict>
					<key>com.apple.loginitem.legacyprefs</key>
					<dict>
						<key>AliasData</key>
						<data>
						...
						</data>
						<key>Path</key>
						<string>/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app</string>
						<key>Hide</key>
						<false/>
					</dict>
					<key>com.apple.LSSharedFileList.ItemIsHidden</key>
					<true/>
				</dict>
				<key>Name</key>
				<string>iTunesHelper</string>
				<key>Flags</key>
				<integer>1</integer>
				<key>Alias</key>
				<data>
				...
				</data>
			</dict>
		</array>
		<key>Controller</key>
		<string>CustomListItems</string>
	</dict>
</dict>
</plist>

Although Alias and AliasData seem to contain the same data

[joachimmetz]

The com.apple.loginitems.plist file on Mac OS 10.9 and macOS 10.12, not observed on 10.10 and 10.11

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>SessionItems</key>
	<dict>
		<key>CustomListItems</key>
		<array>
			<dict>
				<key>CustomItemProperties</key>
				<dict>
					<key>com.apple.LSSharedFileList.Binding</key>
					<data>
					...
					</data>
					<key>com.apple.LSSharedFileList.ItemIsHidden</key>
					<true/>
				</dict>
				<key>Name</key>
				<string>iTunesHelper</string>
				<key>Flags</key>
				<integer>1</integer>
				<key>Alias</key>
				<data>
				...
				</data>
			</dict>
		</array>
		<key>Controller</key>
		<string>CustomListItems</string>
	</dict>
</dict>
</plist>

[joachimmetz]

I took the sample data from older macos versions from various public places:

@Spferical we need to make sure they can be used given their original license

com.apple.loginitems.plist from https://objective-see.org/blog/blog_0x31.html

Looks like this is copyrighted, you need to get permission to redistribute. However given that I have samples from 10.7 - 10.9 I'll use these instead. I've replaced this file with one that can be redistributed under the Plaso license

[joachimmetz]

BackgroundItems-v4.btm from https://github.com/puffyCid/macos-loginitems/blob/main/tests/test_data/BackgroundItems-v4.btm
backgrounditems.btm from https://github.com/puffyCid/macos-loginitems/blob/main/tests/test_data/backgrounditems_sierra.btm

These appear to be MIT licensed, this needs to be explicitly called out. I'll see if I can find replacements first that can be redistributed under the Plaso license

Found a backgrounditems.btm from High Sierra

[joachimmetz]

Removed the need for plistutils as a new dependency

[codecov]

Codecov Report

Attention: 37 lines in your changes are missing coverage. Please review.

Comparison is base (8fa6ceb) 85.84% compared to head (bc25920) 85.94%.

Files	Patch %	Lines
...so/parsers/plist_plugins/macos_background_items.py	74.62%	34 Missing ⚠️
plaso/parsers/plist_plugins/macos_login_items.py	96.05%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4790      +/-   ##
==========================================
+ Coverage   85.84%   85.94%   +0.10%     
==========================================
  Files         419      421       +2     
  Lines       37985    38195     +210     
==========================================
+ Hits        32608    32827     +219     
+ Misses       5377     5368       -9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[joachimmetz]

Schema of a decoded version 2 plist

{
  "version": 2,
  "backgroundItems": {
    "allContainers": [
      {
        "bookmark": null,
        "identifier": "f7b01543-dda4-4090-bdd8-cd8c0cd044bd",
        "internalItems": {
          "bookmark": {
            "data":  ...,
            "identifier": "8c98acca-8339-4610-970c-339bce246bc7"
          },
          "loginItemType": 1,
          "type": 3
        }
      }
    ]
  }
}

Schema of a decoded version 4 plist

{
  "version": 4,
  "store": {
    "itemsByUserIdentifier": {
      "FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8": [
        {
          "associatedBundleIdentifiers": null,
          "bookmark": null,
          "bundleIdentifier": null,
          "container": null,
          "developerName": null,
          "disposition": 10,
          "executablePath": null,
          "generation": 1,
          "identifier": "Unknown Developer",
          "items": [],
          "name": null,
          "teamIdentifier": null,
          "type": 32,
          "url": null,
          "uuid": "ddea7b23-c45e-4f78-9936-9c12ddc05533"
        }
      ],
      ...
    "userSettingsByUserIdentifier": {
      "FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8": {
        "generation": 1,
        "serviceManagementLoginItemsMigrated": true
      },
      ...
    }
  }

Schema of a decoded version 8 plist

{
  "version": 8,
  "store": {
    "itemsByUserIdentifier": {
      "26CC4DB0-3A46-494F-802E-95C2DDF619D5": [
        {
          "uuid": "80d2dffa-65c8-4880-ad3b-43b3f109f463",
          "teamIdentifier": null,
          "lightweightRequirement": null,
          "disposition": 10,
          "generation": 19,
          "associatedBundleIdentifiers": null,
          "url": null,
          "bundleIdentifier": null,
          "type": 32,
          "identifier": "Parallels International GmbH",
          "executablePath": null,
          "container": null,
          "developerName": "Parallels International GmbH",
          "items": [
            "com.parallels.TimeSync"
          ],
          "name": "Parallels International GmbH",
          "bookmark": null
        },
        ...
      ]
    },
    "mdmPaloadsByIdentifier": {},
    "userSettingsByUserIdentifier": {
      "26CC4DB0-3A46-494F-802E-95C2DDF619D5": {
        "generation": 1,
        "serviceManagementLoginItemsMigrated": true
      },
      ...
      }
    }
  }

Note that the typo in mdmPaloadsByIdentifier is from the source

Some sources mention a BackgroundItems-v3.btm and BackgroundItems-v7.btm as well

[joachimmetz]

Experimental test decode script can be found here https://github.com/libyal/dtformats/blob/main/scripts/decode_nskeyedarchiver_plist.py in case you have other samples.

[joachimmetz]

StartupParameters.plist is copyrighted but it looks like a Plaso specific one can be easily created. I'll do that in an upcoming push.

[joachimmetz]

Given loginwindow.plist was significantly modified, and not a close resembling copy of the original, it should be fine.

[joachimmetz]

Some documentation regarding the loginwindow.plist files

• https://developer.apple.com/documentation/devicemanagement/loginwindow
• https://developer.apple.com/documentation/devicemanagement/loginwindowscripts

[Spferical]

Do you also know if BackgroundItems-v4.btm is an XML export of a binary plist? Given a BackgroundItems-v8.btm I encountered is a binary plist

To my knowledge, they're all binary unless a user manually converts them in-place.

[joachimmetz]

Found a v7, schema has been documented in https://github.com/libyal/dtformats/blob/main/documentation/Mac%20OS%20background%20item%20bookmark%20data%20format.asciidoc

v3 might have been used in macOS 13 pre-release

[joachimmetz]

Running some tests to make the NSKeyedArchiver decoder more reliable https://github.com/libyal/plist-kb/blob/main/plistrc/decoders.py

[joachimmetz]

LGTM