NSKeyedArchiver

Hi,

Firstly, I should apologise for not being clear previously The ccl_bplist Python module is intended to be used inside your own scripts - it deals with the reading of the structure, but the actual presentation of the data would have to be written at your end. If you're not familiar with Python then this is probably not going to be a lot of use to you (although I can heartily recommend learning a scripting language such as Python - I find it an incredibly useful tool to have in your arsenal - please excuse the mixed-metaphor!). If you have someone you can call on to assist with a script I'd be happy to offer guidance in the use of the module though.

Otherwise, there are plenty of tools which will view a Property List file, but there's only tool which I know of which will automate the unpacking of the NSKeyedArchiver structure (which I explain here http//digitalinvestigation.wordpress.com/2012/04/04/geek-post-nskeyedarchiver-files-what-are-they-and-how-can-i-use-them/ ) and that's PIP (http//www.cclgroupltd.com/Buy-Software/pip-xml-and-plist-parsing-tool.html). I happen to know (because I wrote it) that PIP doesn't currently have a parser specifically for the Steam application, but if you were able to share some test data with me I should be able to knock one up pretty quickly - otherwise I can put some test data together myself, but that might take a little longer.

Let me know if I can assist further.

AlexC I can't figure out how to decode the NS.time values. It's a 9 digit number, thus it won't work as a unix or Mac timestamp. What is it? I've been trying to google around, but to no avail.

AlexC I can't figure out how to decode the NS.time values. It's a 9 digit number, thus it won't work as a unix or Mac timestamp. What is it? I've been trying to google around, but to no avail.

Won't it be *like* these ones, by chance?
http//www.forensicfocus.com/Forums/viewtopic/t=10857/

(leading/trailing bytes needing to be excluded) ?

jaclaz

I wish that were the solution.

An example of one is 393854400.

I think I've found the answer thanks to a PM from AlexC and looking at this https://developer.apple.com/library/mac/documentation/Cocoa/Reference/Foundation/Classes/NSDate_Class/Reference/Reference.html#//apple_ref/occ/cl/NSDate

Looks like it represents the amount of seconds since 1 January 2001, GMT.

Now I'm on the prowl for a converter tool. If anyone has any suggestions of what they use I'd greatly appreciate it.

Looks like it represents the amount of seconds since 1 January 2001, GMT.

Now I'm on the prowl for a converter tool. If anyone has any suggestions of what they use I'd greatly appreciate it.

What do you mean a converter tool?
Something like #5 here?
http//cyberjerry.net/dogpatch/seccalc.php

jaclaz

I'm pretty sure DCode from DigitalDetective will do this format, but for fun here are some alternatives

Python


import datetime
datetime.datetime(2001, 1, 1) + datetime.timedelta(seconds=393854400)

Excel
=DATE(2001,1,1) + (393854400/60/60/24)(The division there is because Excel thinks of time as a fraction of a day, so we're converting our seconds value into a fractions of days.)

Yes, DCode also does the job nicely. http//www.digital-detective.co.uk/freetools/decode.asp

Thanks for all the help and tips everybody!