New version of PIP (XML and plist parser) coming soon

Our ever-popular XML and plist parsing tool, PIP, is coming of age with a new, improved version.

Currently in beta-test, and with the updated version available free to current PIP users (following its official release, obviously!), we’ll be announcing more details over the coming weeks.

As a teaser, this is what you can expect from the new version (v1.1):

  • Improved GUI – the layout of the application has been updated to improve work-flow
  • New Tree View – view your data graphically to see, at-a-glance, the structure of your data
  • Automatic XPath Building – Now you can use the Tree View to show PIP the data that you are interested in and PIP will generate the XPath automatically. This even works with Apple’s Property List ‘dictionary’ structures.
  • Import/Export Batch Jobs – Set-up a batch job of XPaths for a particular folder structure (iOS Library or Application folders for example) and then export the batch so that you, or anyone else in your lab can re-use it when you next come across the same data
  • Command line version – version 1.1 of PIP comes with the “pipcmd” command-line utility, allowing you to integrate PIP into tool chains and other automated tasks
For more information about XML and plist parsing, please visit or email us at

Digital forensic software – grab it while it’s hot!

CCL-Forensics is offering its software at introductory prices for just one more week, so take a look at what’s on offer and squeeze as much into tight budgets as you can.

The tried-and-tested software, developed by analysts, for analysts, has been used extensively in the field by CCL-Forensics’ own investigators and by many other digital investigators from around the world.

From March 31st, prices will be increasing, so take advantage of the lower rates now.

Leading research and development in digital forensics

CCL-Forensics’ research and development team has produced a series of forensic software tools to aid them in digital investigations.

epilog allows investigators to recover deleted data from the widely-used database format, SQLite. Whatever the type of device – computers, mobile phones, SatNavs or others – epilog can be used to recover information, regardless of the type of data stored.

PIP allows analysts to present often-complex data from XML files quickly and efficiently. The tool also parses data from Apple’s property list (plist) files – both in XML and binary format. It can be used to look at computers, mobile phones and SatNavs.

dunk! can uncover potential new web activity evidence from locally-stored web cookies, putting web evidence into context and adding an extra dimension to investigations. It also parses Google Analytics cookies, showing how often, from where, and how a user arrived at a particular site, as well as presenting any search terms used to find the page.

Find out more

For more information about what CCL-Forensics can offer or to purchase the software tools, please visit our website, call us on 01789 261200 or email

Forensic software tools – get ‘em while they’re hot, they’re lovely!

The R&D team at CCL-Forensics are a busy bunch. Over the past couple of years, they’ve developed a number of forensic software tools to examine the evidence that standard tools can’t reach.

Here’s a quick overview of what’s on offer. Follow the links to find out more, or give us a shout by phone (01789 261200) or email ( – we’re always happy to talk geek with like-minded practitioners.

epilog allows investigators to recover deleted data from SQLite databases, a widely-used format in many devices including mobile phones, computers and SatNavs). Many off-the-shelf tools will only allow you to view live records.

PIP is our XML and plist parsing tool. It allows investigators to present often-complex data from XML files quickly, efficiently, and in a user-friendly format. Apple’s property list files – both XML and binary formats – present no obstacle to PIP at all.

dunk! is a splendidly-named tool for digging around in cookies. Unlike standard tools, it analyses known cookie types to uncover potential new evidence and help give context to other browser artefacts. This includes showing the path the user took to arrive at a particular webpage by parsing Google Analytics cookies, revealing a wealth of information previously unavailable to practitioners.

rubus  is FREE! We like to give a little love back to the community, so with this in mind, we made our BlackBerry backup deconstruction tool available. Not having found a tool that would do the job, we made our own – enabling analysts to reverse engineer BlackBerry backup data stored in .ipd files.

The tools all went through beta-testing first, and were pronounced ready to unleash upon the world. Since then, they’ve been subject to an introductory pricing period, and have been bought and used successfully around the world.

Now that we’re confident in the tools we’ve developed, we’re also confident in their value to our customers. So with that in mind, if you haven’t bought the tools already, you may want to think about doing so! The introductory pricing period finishes at the end of March – and although they’ll still be extremely good value for money, they will be a little more expensive.

We’ve had useful feedback from our customers in the past, which has helped us to further develop our tools, and we always welcome comments and suggestions on our software. Feel free to comment below, or get in touch with us in more traditional ways!

PIP II: More about XPaths

Never one to break my word, I’d like to welcome you to PIP: The Video part II, as promised in the first video.

We’ll take a more in-depth look at XPaths, and show you in a little more detail how PIP can help you to get more out of digital investigations.

If you’d like more information about PIP, or have any suggestions for additions to the library, please contact us on

Alex Caithness

PIP developer

Parsing XML and Plist files the cool way

You probably know that XML is a common format for storing data. It’s found on a wide range of devices and platforms, including PCs, smartphones and sat navs. XML is text-based, but not often user-friendly when served raw, as you can see:

Not so user friendly...

Because of its non-user-friendly nature, analysts or investigators often have to manually manipulate large amounts of data in order to understand its meaning and structure.

There’s a similar situation with Apple’s property list (plist) files, which can be stored in XML or binary format. Either way, they’re not terribly easy to use.

So – what makes it easier for analysts?

XPath is a query language designed for getting data out of XML files in a structured way and we’ve developed a piece of software called PIPwhich takes advantage of this in order to simplify the presentation of the often-complex data stored in the files.

The power to create XPath queries was placed right at the centre of PIP so that if you come up against unfamiliar data PIP empowers you to write a query which you can then reuse. However, being analysts ourselves, we have already encountered a number of situations where we have used PIP and as such, PIP comes preloaded with a substantial library of XPath queries for many common files.

PIP doesn’t just make raw data easier to read, though; it saves a considerable amount of time for analysts. PIP can be used to parse individual files; however where it really comes into its own and saves significant amounts of time is where it allows you to process many files at once.

For example: PIP processed 263 Facebook application files from an iPhone image in four seconds, returning 1,800 records (including profile views, chat history, photo views with comments, and URLs).

The say a (moving) picture is worth a thousand words – so take a look at our video and see what PIP can do for you.

Alex Caithness

PIP Developer

Deconstructing BlackBerry files the easy way

According to Wikipedia, Rubus is a large genus of flowering plants in the rose family, Rosaceae, subfamily Rosoideae. Blackberries, raspberries, and dewberries are common, widely distributed members of the genus.

That’s why the tool is named Rubus. It’s a free tool that allows investigators to reverse engineer raw BlackBerry data.

So – why do you need it?

You probably know that BlackBerry phones create an .ipd file when the device is backed up, and that a number of forensic tools will parse contacts, SMS, etc. from these files. Standard tools, though, may not show you the whole picture.

Although some tools may enable analysts to look at the extra data in a hex editor, this makes the data unwieldy and presents it without any meaningful structure. Rubus allows digital investigators to view all the data contained in the .ipd files in a structured fashion, providing access to a wealth of data that may prove crucial to a case.

What missing data?

Here’s an example. The third-party SMS application CrunchSMS stores messages in its own format in a table within the .ipd file – but they’re not stored in the BlackBerry’s SMS storage location. Rubus extracts this data and presents it in a usable format.

Where can I find it?

Rubus is available to download from our website, along with CCL’s other digital forensics software tools Epilog and PIP. Remember, it’s free – so take a look and find out how it can help your case.