
Parsing Most Recently Used (MRU) plist files with MacMRU-Parser


Our digital forensics lab receives Mac computers for examination more and more often. There are some powerful forensic suites for OS X analysis, but there are also a lot of very useful open source tools and scripts. One such script is MacMRU-Parser.

MacMRU-Parser is a Python script written by Sarah Edwards and is available for download from her GitHub. The script is able to parse both new SFL-based MRU plist files and “older” format plists used in OS X 10.10 and older.

The script should be run on a directory: you can use either a directory with extracted files or, for example, a user directory from a mounted image.

According to Sarah’s blog, the script parses the following files:

  • /Users/<username>/Library/Preferences/<bundle_id>.LSSharedFileList.plist
  • /Users/<username>/Library/Preferences/com.apple.finder.plist
  • [10.10-] /Users/<username>/Library/Preferences/com.apple.recentitems.plist
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/<bundle_id>.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentApplications.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentServers.sfl
  • [10.11+] /Users/<username>/Library/Application Support/com.apple.sharedfilelist/RecentHosts.sfl
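Before running the parser it can help to confirm which of these files are actually present in the directory you are about to examine. The following Python code is an added example, not part of MacMRU-Parser or Sarah's code: it walks a user directory, matches the file names from the list above, and checks each hit for the `bplist00` binary plist header. The function names, labels and the sample tree are this example's own, and the sample files are constructed.

```python
import fnmatch
import os

# Filename patterns from the list above; labels are this example's own wording.
MRU_PATTERNS = [
    ("*.LSSharedFileList.plist", "per-application MRU plist"),
    ("com.apple.finder.plist", "Finder preferences"),
    ("com.apple.recentitems.plist", "10.10- recent items"),
    ("*.sfl", "10.11+ SFL"),
]
BPLIST_MAGIC = b"bplist00"  # header of a binary property list


def find_mru_files(root):
    """Return sorted (relative_path, label, is_binary_plist) for MRU files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for pattern, label in MRU_PATTERNS:
                if not fnmatch.fnmatch(name, pattern):
                    continue
                # Only .sfl files stored under com.apple.sharedfilelist are MRU lists.
                if pattern == "*.sfl" and "com.apple.sharedfilelist" not in dirpath:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as fh:
                        is_bplist = fh.read(8) == BPLIST_MAGIC
                except OSError:
                    is_bplist = None  # unreadable on the mounted volume
                hits.append((os.path.relpath(full, root), label, is_bplist))
                break
    return sorted(hits)


def build_sample_tree(root):
    """Write a small constructed user directory (sample data, not real evidence)."""
    samples = {
        "Library/Preferences/com.apple.finder.plist": BPLIST_MAGIC,
        "Library/Preferences/com.apple.recentitems.plist": b"<?xml version",
        "Library/Application Support/com.apple.sharedfilelist/RecentDocuments.sfl": BPLIST_MAGIC,
        "Library/Application Support/Other/notes.sfl": b"not an MRU file",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

Call `find_mru_files()` on the extracted or mounted user directory; a hit whose flag is `False` or `None` is worth a manual look, because it is not a readable binary plist.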

In this example we are going to use this script in a Windows environment. Don’t forget to install Python before trying to use it!

OK, the first problem is how to make a Windows system mount an HFS+ partition. There is a solution! The first thing you should do is mount the whole drive with, for example, FTK Imager (read-only, of course). After that you can use Paragon HFS+ for Windows to access the partitions. Now you can browse an HFS+ partition like a regular NTFS partition.

The script we are going to use has two dependencies: hexdump.py and ccl_bplist.py. Just download both and put them in the same directory as macMRU.py.

Here is what the contents of this folder should look like:

Now start cmd.exe and change to the directory containing the script. Start the script with the directory of your choice as the argument. In our case we have chosen the user’s directory:

Also, you can use the “--blob” argument if you want to include a binary BLOB hex dump of the Bookmark data.

How often do you examine Mac computers? And what tools do you usually use?

Happy forensicating!


Igor Mikhaylov & Oleg Skulkin
