1.9 KiB
Apple's bookmarkData format is used to encode information that can be resolved
into a URL object for a file even if the user moves or renames it. Can also
contain security scoping information for App Sandbox support.
These bookmarkData blobs are often found endcoded in data fields of Binary
Property Lists. Notable examples include:
-
com.apple.finder.plist- contains anFXRecentFoldersvalue, which is an array of ten objects, each of which consists of anameandfile-bookmarkfield, which is abookmarkDataobject for each recently accessed folder location. -
com.apple.LSSharedFileList.RecentApplications.sfl2-sfl2files are actuallyplistfiles of theNSKeyedArchiverformat. They can be parsed the same asplistfiles, but they have a more complicated tree-like structure than would typically be found, which can make locating and retrieving specific values difficult, even once it has been converted to a JSON representation. For more information about these types of files, see Sarah Edwards' excellent research on the subject (link in references).
fq's grep_by function can be used to recursively descend through the decoded
tree, probing for and selecting any bookmark blobs, then converting them to
readable JSON with torepr:
fq 'grep_by(.type=="data" and .value[0:4] == "book") | .value | apple_bookmark |
torepr' <sfl2 file>
Authors
- David McDonald @dgmcdona @river_rat_504
References
- https://developer.apple.com/documentation/foundation/url/2143023-bookmarkdata
- https://mac-alias.readthedocs.io/en/latest/bookmark_fmt.html
- https://www.mac4n6.com/blog/2016/1/1/manual-analysis-of-nskeyedarchiver-formatted-plist-files-a-review-of-the-new-os-x-1011-recent-items
- https://michaellynn.github.io/2015/10/24/apples-bookmarkdata-exposed/