Extended attributes:
Extended attributes (xattrs) are a file system feature that lets users attach metadata to a file without the file system itself interpreting that metadata.
On macOS they are like hidden gems inside your files: these metadata components can be specific to a file or file type, and they provide additional context and functionality, which is exactly what makes them useful in forensics.
com.apple.quarantine
is an extended attribute in macOS that marks files from untrusted sources (e.g., internet, email) as quarantined. This security measure protects users by requiring explicit approval (the Gatekeeper prompt) before a potentially harmful file is opened. In ls -l output, files that carry extended attributes show an @
at the end of the permissions string.
Many extended attributes exist on macOS, but which ones a file carries depends on what happened to it: a file downloaded with Safari looks a little different from one downloaded with Chrome, a compressed file gets an additional attribute for its compressed data, every downloaded file carries quarantine data that tells you which application downloaded it, and so on.
Attribute | Related to
---|---
com.apple.decmpfs | Compressed file data
com.apple.genstore | Document versions
com.apple.security | Access control lists
com.apple.metadata | Spotlight metadata
com.apple.lastuseddate#PS | File usage
com.apple.diskimages | Disk image data
com.apple.backupd | Time Machine data
xattr
is the macOS tool used to list and read these attributes.
Binary plist (bplist) values can be extracted with the -p
argument and a specific attribute name; adding -x prints the value as hex, which can be turned back into bytes with xxd -r -p and piped to plutil -p -
for readable standard output, or you can write the value to a file and read it from there.
I ran ls -lah
to see if the file has any attributes. A line ending with @
means that there are attributes on that file.
Then ls -l@ galaga.E01.download
shows me the attributes related to that file.
com.apple.quarantine
: shows the source application used to download the file (the value is a string of the form flags;download time as hex Unix seconds;agent name;event UUID).
com.apple.metadata:kMDItemDownloadedDate
: shows the time the download was initiated, as a bplist date (seconds since the Cocoa epoch, 2001-01-01, stored as a big-endian double).
com.apple.metadata:kMDItemWhereFroms
: tells you where the user downloaded the file from (a bplist array holding the download URL and, when recorded, the referring page).
com.apple.progress.fractionCompleted
: since this download was not completed, it is the percentage downloaded before the user stopped the download (5%), nearly 1 GB out of 14.7 GB.
I downloaded a doc file sample from Safari, then I opened it, edited a little bit of text, and closed it.
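Before moving on to the document file, here is the decoding of the download attributes described above done offline in Python, as an added example that is not part of the original post. The raw attribute bytes are constructed inline with plistlib so the script runs on any OS; on a real macOS system you would feed it the bytes from xattr -px <attribute> <file> | xxd -r -p. The quarantine field layout (flags;hex time;agent;event UUID) and the array layouts of kMDItemWhereFroms and kMDItemDownloadedDate are as described in the text; the sample URLs, UUID and timestamps are made up.

```python
import datetime
import plistlib

UTC = datetime.timezone.utc


def parse_quarantine(raw: bytes) -> dict:
    """Decode com.apple.quarantine: 'flags;hex-unix-time;agent;event-uuid'."""
    fields = raw.decode("utf-8").split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    # 4th field (key into the LaunchServices QuarantineEvents database) may be absent
    event_uuid = fields[3] if len(fields) > 3 and fields[3] else None
    return {
        "flags": int(fields[0], 16),
        "downloaded_at": datetime.datetime.fromtimestamp(int(fields[1], 16), tz=UTC),
        "agent": fields[2],
        "event_uuid": event_uuid,
    }


def parse_where_froms(raw: bytes) -> list[str]:
    """Decode com.apple.metadata:kMDItemWhereFroms, a bplist array of URL strings
    (download URL first, referrer second when one was recorded)."""
    value = plistlib.loads(raw)
    if not isinstance(value, list):
        raise ValueError("kMDItemWhereFroms should be a plist array")
    return [str(v) for v in value]


def parse_downloaded_date(raw: bytes) -> datetime.datetime:
    """Decode com.apple.metadata:kMDItemDownloadedDate, a bplist array holding one date.
    bplist stores a date as a big-endian double of seconds since 2001-01-01 (the
    Cocoa epoch); plistlib does that conversion and returns a naive UTC datetime."""
    value = plistlib.loads(raw)
    if not (isinstance(value, list) and value and isinstance(value[0], datetime.datetime)):
        raise ValueError("kMDItemDownloadedDate should be a plist array with a date")
    return value[0].replace(tzinfo=UTC)


def summarize_download(xattrs: dict[str, bytes]) -> dict:
    """Pull the download story out of an {attribute-name: raw-bytes} mapping."""
    out = {}
    if "com.apple.quarantine" in xattrs:
        q = parse_quarantine(xattrs["com.apple.quarantine"])
        out["agent"] = q["agent"]
        out["quarantine_time"] = q["downloaded_at"].isoformat()
    if "com.apple.metadata:kMDItemWhereFroms" in xattrs:
        urls = parse_where_froms(xattrs["com.apple.metadata:kMDItemWhereFroms"])
        out["url"] = urls[0] if urls else None
        out["referrer"] = urls[1] if len(urls) > 1 else None
    if "com.apple.metadata:kMDItemDownloadedDate" in xattrs:
        out["download_started"] = parse_downloaded_date(
            xattrs["com.apple.metadata:kMDItemDownloadedDate"]).isoformat()
    return out


# Constructed sample values (not captured from a real system).
SAMPLE_XATTRS = {
    "com.apple.quarantine": b"0083;5f8c1f00;Safari;C9A1D6F0-7B2E-4A2B-9C3D-1E2F3A4B5C6D",
    "com.apple.metadata:kMDItemWhereFroms": plistlib.dumps(
        ["https://example.com/images/galaga.E01", "https://example.com/images/"],
        fmt=plistlib.FMT_BINARY),
    "com.apple.metadata:kMDItemDownloadedDate": plistlib.dumps(
        [datetime.datetime(2020, 10, 18, 10, 54, 56)], fmt=plistlib.FMT_BINARY),
}

if __name__ == "__main__":
    for key, value in summarize_download(SAMPLE_XATTRS).items():
        print(f"{key:18} {value}")
```

The quarantine string carries its own download time as hex Unix seconds, so it can be cross-checked against kMDItemDownloadedDate: the two are written by different components (LaunchServices vs. Spotlight metadata) and a mismatch is worth a second look.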
In addition to the normal download attributes, there are 2 additional attributes.
com.apple.lastuseddate#PS
: shows the last time the file was used, as a Unix timestamp stored as an 8-byte little-endian integer (the full value is 16 bytes: the seconds field followed by an 8-byte nanoseconds field).
com.apple.macl
: is protected by System Integrity Protection, so you can't delete it until SIP is disabled. It consists of a header value of 0x00 followed by a UUID corresponding to the application permitted to access the file. The UUID is unique to each system, user and application, meaning we can't predict in advance what this value will be. There is no official documentation for it.
I found a blog that talked about how to parse these hex values to get the UUIDs.
When I tried to run the script, it gave me nothing.
But all I noticed is that the UUID comes after 0x00 and runs until you reach the next 0x00, after which you will find another UUID in case you opened the doc file with another application; in my case there were 2 UUIDs.
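The two attributes above are raw binary rather than plists, so plutil does not help with them. The following added example (not the blog script mentioned above, and not part of the original post) decodes both from the hex that xattr -px prints. The lastuseddate#PS layout is a 16-byte timespec (little-endian seconds, then little-endian nanoseconds); for com.apple.macl the fixed stride of 18 bytes per entry (2-byte header, then a 16-byte UUID, unused slots all zero) is an assumption of this example that matches the "header, UUID, header, UUID" pattern described above. The sample UUIDs and timestamps are constructed.

```python
import datetime
import struct
import uuid

UTC = datetime.timezone.utc
MACL_ENTRY_SIZE = 18    # assumed layout: 2-byte header + 16-byte UUID per slot
MACL_UUID_OFFSET = 2


def xattr_hex_to_bytes(text: str) -> bytes:
    """Turn the output of `xattr -px <attr> <file>` (hex bytes separated by
    spaces and newlines) back into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_lastuseddate(raw: bytes) -> datetime.datetime:
    """Decode com.apple.lastuseddate#PS.

    The value is a struct timespec: little-endian int64 seconds since the Unix
    epoch followed by little-endian int64 nanoseconds. The post reads only the
    first 8 bytes; the nanosecond field is folded in here when present."""
    if len(raw) not in (8, 16):
        raise ValueError(f"unexpected lastuseddate length {len(raw)}")
    seconds = struct.unpack_from("<q", raw, 0)[0]
    nanoseconds = struct.unpack_from("<q", raw, 8)[0] if len(raw) == 16 else 0
    when = datetime.datetime.fromtimestamp(seconds, tz=UTC)
    return when + datetime.timedelta(microseconds=nanoseconds // 1000)


def parse_macl(raw: bytes) -> list[dict]:
    """Split com.apple.macl into its per-application UUID entries.

    Assumed layout: fixed 18-byte slots, each a 2-byte header followed by a
    16-byte UUID. Slots whose UUID is all zero are unused and skipped, which
    is what makes a file show one, two or more UUIDs."""
    if len(raw) % MACL_ENTRY_SIZE:
        raise ValueError(f"macl length {len(raw)} is not a multiple of {MACL_ENTRY_SIZE}")
    entries = []
    for off in range(0, len(raw), MACL_ENTRY_SIZE):
        header = raw[off:off + MACL_UUID_OFFSET]
        uuid_bytes = raw[off + MACL_UUID_OFFSET:off + MACL_ENTRY_SIZE]
        if uuid_bytes == bytes(16):
            continue
        entries.append({
            "slot": off // MACL_ENTRY_SIZE,
            "header": header.hex(),
            "uuid": str(uuid.UUID(bytes=uuid_bytes)).upper(),
        })
    return entries


# Constructed sample values (not captured from a real system).
# 0x5f8c1f00 seconds, 123456789 nanoseconds, both little-endian.
SAMPLE_LASTUSED_HEX = "00 1F 8C 5F 00 00 00 00 15 CD 5B 07 00 00 00 00"

_APP1 = uuid.UUID("A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D")   # e.g. the word processor
_APP2 = uuid.UUID("0F1E2D3C-4B5A-4968-8776-655443322110")   # e.g. a second app that opened it
# Two populated slots (header bytes are made up) followed by two empty slots: 72 bytes.
SAMPLE_MACL = b"\x02\x00" + _APP1.bytes + b"\x02\x00" + _APP2.bytes + bytes(36)

if __name__ == "__main__":
    print("last used:", parse_lastuseddate(xattr_hex_to_bytes(SAMPLE_LASTUSED_HEX)).isoformat())
    for entry in parse_macl(SAMPLE_MACL):
        print(f"macl slot {entry['slot']}: header={entry['header']} uuid={entry['uuid']}")
```

Because the macl UUIDs are per system, user and application, the decoded values cannot be matched against a static list; on the machine under examination they can be compared between files to see which files the same application was granted access to.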
I downloaded a dmg
file, then I double-clicked it.
Besides com.apple.metadata:kMDItemWhereFroms
, com.apple.metadata:kMDItemDownloadedDate
and com.apple.quarantine
, it picked up:
com.apple.diskimages.fsck
: file system check information.
com.apple.diskimages.recentcksum
: checksum information, including a Unix epoch timestamp recorded when the checksum was computed, that is, when the image was attached.
So we can determine when the user first double-clicked the dmg file to install it through the fsck check, which will be logged in ~/Library/Logs/fsck_hfs.log
That's it for now, Take Care!