You probably know that XML is a common format for storing data. It’s found on a wide range of devices and platforms, including PCs, smartphones and sat navs. XML is text-based, but not often user-friendly when served raw, as you can see:
Because of its non-user-friendly nature, analysts or investigators often have to manually manipulate large amounts of data in order to understand its meaning and structure.
There’s a similar situation with Apple’s property list (plist) files, which can be stored in XML or binary format. Either way, they’re not terribly easy to use.
So – what makes it easier for analysts?
XPath is a query language designed for getting data out of XML files in a structured way and we’ve developed a piece of software called PIPwhich takes advantage of this in order to simplify the presentation of the often-complex data stored in the files.
The power to create XPath queries was placed right at the centre of PIP so that if you come up against unfamiliar data PIP empowers you to write a query which you can then reuse. However, being analysts ourselves, we have already encountered a number of situations where we have used PIP and as such, PIP comes preloaded with a substantial library of XPath queries for many common files.
PIP doesn’t just make raw data easier to read, though; it saves a considerable amount of time for analysts. PIP can be used to parse individual files; however where it really comes into its own and saves significant amounts of time is where it allows you to process many files at once.
For example: PIP processed 263 Facebook application files from an iPhone image in four seconds, returning 1,800 records (including profile views, chat history, photo views with comments, and URLs).
The say a (moving) picture is worth a thousand words – so take a look at our video and see what PIP can do for you.