Introduction

With the release of HstEx v3.6, we added the ability to search for, and recover, Apple Safari binary property lists (PList) from a bitstream. In this article, we will look at using HstEx to recovery binary PList data.

The research behind the recovery engine for this module was developed from a Blade recovery module designed to recover binary PList files:

• Recovering Apple Safari History Binary PList (Property List) Files

HstEx Apple Safari Binary PList Recovery

To search for, and recover, Apple Safari binary PList files, run HstEx and select the following:

1. Select the source you want to search; HstEx supports a wide variety of different source formats.
2. Select the Export Folder where you want HstEx to recovery the files to (Export Folder).
3. Select the recovery module as "History Files (Binary Plist)"; HstEx supports a number of different recovery type options.
4. Clicking OK to save the Recovery Job (as seen in Figure 1).
5. At this point, you can go ahead and process this single job or add further recovery jobs to the queue (as seen in Figure 2).

Figure 1 - HstEx® v4 Recovery Job

Figure 2 - HstEx® v4 with a single job added

File Based Extraction (FBE)

The extraction methodology employed by HstEx in this recovery is File Based Extraction.  Some browser index files are designed in such a way as to make Record Based Extraction (RBE) impossible.  Apple Safari binary PList files use an index which identifies the different elements of the record.  To ensure an accurate recovery, FBE is employed when recovering binary PList files.

HstEx Output Files

When the recovery has completed, if HstEx has recovered (and validated) Apple Safari history binary plist files, they will be written out in the form of HSTX files.  

Figure 3 - HstEx 4 Recovery Output Files

NetAnalysis Import

The last stage of the process is to import the HstEx files into NetAnalysis.  This can be achieved by selecting one of the following methods:

• File » Open History - the user can then select which output files to import
• File » Open All History from Folder - the use selects the root folder containing the output files - NetAnalysis will recursively search through folders and sub-folders looking for supported file types

See NetAnalysis Quick Start for further information.