### What are Extended Attributes (xattr)?
**Extended attributes** are a file system feature that lets users associate files with metadata that the filesystem itself does not interpret.
On macOS they are like hidden gems inside your files: per-file metadata that can be unique to specific files and file types, providing additional context and functionality.
### Common use cases for extended attributes
1. **File Management** : Add tags or metadata to organize files in ways beyond conventional folder structures.
2. **Security** : For example, `com.apple.quarantine` flag is an extended attribute in macOS that marks files from untrusted sources (e.g., internet, email) as quarantined. This security measure protects users by requiring explicit approval before opening potentially harmful files.
3. **Application-specific data** : Applications can add unique extended attributes for storing data that they need to function, which may be read back upon relaunching the app.
### How to find Extended Attributes in macOS?
Files with extended attributes have an `@` at the end of the **permissions** column in `ls -l` output.

### Types of Extended Attributes
Many extended attributes exist on macOS, and which ones are present depends on what happened to the file: a file downloaded with Safari looks a little different from one downloaded with Chrome, a compressed file carries an additional attribute for its compressed data, and any downloaded file carries quarantine data that tells you which application downloaded it.
| Attribute | Related to |
| -------- | -------- |
| com.apple.decmpfs | Compressed File Data |
| com.apple.quarantine | Quarantine Data |
| com.apple.genstore | Document Versions |
| com.apple.security | Access Control Lists |
| com.apple.metadata | Spotlight Metadata |
| com.apple.lastuseddate#PS | File Usage |
| com.apple.diskimages | Disk Image Data |
| com.apple.backupd | Time Machine Data |
### How to parse these attributes?
The `xattr` tool on macOS is used to list and dump these attributes; `-l` lists the attribute names with their values and `-x` prints the values as hex:
```
xattr -xl file.dmg
```
You can extract binary plist (bplist) data with the `-p` argument and **a specific attribute name**, then pipe it through `xxd -r -p` to turn the hex back into bytes and into `plutil -p -` for readable standard output, or redirect it to a file and read it from there.
```
xattr -p com.apple.metadata:kMDItemWhereFroms googlechrome.dmg | xxd -r -p > wherefroms.plist
xattr -p com.apple.metadata:kMDItemWhereFroms googlechrome.dmg | xxd -r -p | plutil -p - # standard output
```
### Demo Time
#### Case 1 - Normal Download File
- I just downloaded a file from Safari (actually the download was not complete). Safari creates a `.download` file, which is the file that exists until the download has finished.

I ran `ls -lah` to see whether it has any attributes. A permissions string ending in `@` means there are attributes attached to that file.

Then `ls -l@ galaga.E01.download` shows me the attributes attached to that file.

1. `com.apple.quarantine`: shows the source application used to download the file.

2. `com.apple.metadata:kMDItemDownloadedDate`: shows the time (Cocoa epoch, stored big-endian) when the download was initiated.
```
xattr -p com.apple.metadata:kMDItemDownloadedDate galaga.E01.download | xxd -r -p | plutil -p -
```

3. `com.apple.metadata:kMDItemWhereFroms`: tells you where the user downloaded that file from.

4. `com.apple.progress.fractionCompleted`: since the download is incomplete, this is the fraction downloaded before the user stopped it (5%, nearly 1 GB of 14.7 GB).

#### Case 2 - Last Used Date
I downloaded a sample doc file with Safari, opened it, edited a little text, then closed it.
It has the normal download attributes plus 2 additional attributes.

1. `com.apple.lastuseddate#PS`: shows the last time the file was used, as a `unix` timestamp (`8 bytes`, little-endian).

2. `com.apple.macl`: is governed by System Integrity Protection, so you can't delete it without disabling SIP. It consists of a header value of `0x00` followed by a `UUID` corresponding to the application permitted to access the file. The UUID is unique for each system, user and application, meaning that we can't predict what this value will be in advance.
> There’s no official documentation for it.

I found a [blog](https://www.brunerd.com/blog/2020/01/07/track-and-tackle-com-apple-macl/) that talks about how to parse these hex values to get the UUIDs.
When I tried to run the script it gave me nothing.

But all I noticed is that the UUID comes after `0x00` until you reach the next `0x00`; you will find another `UUID` if you opened the doc file with another application. In my case there were 2 UUIDs.
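The raw values from cases 1 and 2 above (the quarantine string, the `kMDItemDownloadedDate` bplist, `lastuseddate#PS` and `macl`) decoded in Python, as an added example that is not part of the original post; it works on the bytes that `xattr -px` prints and embeds constructed samples so it runs without macOS. The 2-byte `macl` record header and the nanoseconds field of `lastuseddate#PS` are assumptions.

```python
# Added example, not from the original post: decode raw values of the attributes
# discussed above (what `xattr -px <attr> <file>` prints). Samples are constructed.
import plistlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # zero of Cocoa time

def parse_quarantine(raw: bytes) -> dict:
    """com.apple.quarantine: 'flags;hex-unix-seconds;agent;uuid' (uuid optional)."""
    flags, ts, agent = raw.decode().split(";")[:3]
    return {"flags": int(flags, 16), "agent": agent,
            "when": datetime.fromtimestamp(int(ts, 16), tz=timezone.utc)}

def parse_download_dates(raw: bytes) -> list:
    """kMDItemDownloadedDate: a bplist array of dates; plistlib returns naive UTC."""
    return [d.replace(tzinfo=timezone.utc) for d in plistlib.loads(raw)]

def cocoa_double_to_utc(raw8: bytes) -> datetime:
    """The date inside that bplist is a big-endian double of seconds since 2001."""
    return COCOA_EPOCH + timedelta(seconds=struct.unpack(">d", raw8)[0])

def parse_lastused(raw: bytes) -> datetime:
    """com.apple.lastuseddate#PS: 8-byte little-endian unix seconds; a second
    8-byte nanoseconds field (struct timespec) is an assumption, used if present."""
    secs = struct.unpack("<q", raw[:8])[0]
    nanos = struct.unpack("<q", raw[8:16])[0] if len(raw) >= 16 else 0
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=nanos // 1000)

def parse_macl(raw: bytes, header_len: int = 2) -> list:
    """com.apple.macl: records of a short header ending in 0x00, then a 16-byte
    UUID. A 2-byte header and all-zero UUIDs being padding are assumptions."""
    rec = header_len + 16
    found = []
    for off in range(0, len(raw) - rec + 1, rec):
        u = uuid.UUID(bytes=raw[off + header_len:off + rec])
        if u.int:  # skip zero-filled (unused) slots
            found.append(str(u).upper())
    return found

# Constructed samples (not captured from a real system)
QUAR = b"0083;65920080;Safari;F3A2C9F1-1111-2222-3333-444455556666"
DL_DATE = plistlib.dumps([datetime(2024, 1, 12, 15, 4, 5)], fmt=plistlib.FMT_BINARY)
LAST_USED = struct.pack("<qq", 1704067200, 500_000_000)
MACL = b"\x01\x00" + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes + b"\x00" * 54

if __name__ == "__main__":
    for f, v in [(parse_quarantine, QUAR), (parse_download_dates, DL_DATE),
                 (parse_lastused, LAST_USED), (parse_macl, MACL)]:
        print(f.__name__, f(v))
```

On a real file, feed each function the output of `xattr -px <attribute> <file>` with the hex converted back to bytes.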

#### Case 3 - DMG Files
I downloaded a `dmg` file and then double-clicked it.
- There are the normal download attributes like `com.apple.metadata:kMDItemWhereFroms`, `com.apple.metadata:kMDItemDownloadedDate` and `com.apple.quarantine`.
- But when I double-clicked the dmg file, 2 additional attributes appeared.

1. `com.apple.diskimages.fsck`: file system check information
2. `com.apple.diskimages.recentcksum`: checksum information, including a Unix epoch timestamp of when the file was downloaded

So we can determine when the user first double-clicked the dmg file to install it through the fsck check, which is logged in `~/Library/Logs/fsck_hfs.log`.

That's it for now, Take Care!