Try   HackMD

What are Extended Attributes (xattr) ??

Extended attributes :
They are file system features that enable users to associate computer files with metadata not interpreted by the filesystem.

They are like hidden gems within your files on macOS. These metadata components can be unique to specific files and file types, providing additional context and functionality

Common use cases for extended attributes

  1. File Management : Add tags or metadata to organize files in ways beyond conventional folder structures.
  2. Security : For example, com.apple.quarantine flag is an extended attribute in macOS that marks files from untrusted sources (e.g., internet, email) as quarantined. This security measure protects users by requiring explicit approval before opening potentially harmful files.
  3. Application-specific data : Applications can add unique extended attributes for storing data that they need to function, which may be read back upon relaunching the app.

How to find Extended Attributes in macOS ??

Files with extended attributes will have @ at the end of the permissions

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Types of Extended Attributes

There are many Extended Attributes exists on macOS, but they exist based on the action happened, like if you download a file from Safari will be a little different if you download it from Chrome, if you download a Compressed file, it will have an additional attribute related to compressed data, any file is downloaded has a Quarantine data which will tell you the application that download that file,

Attribute Related to
com.apple.decmpfs Compressed File Data
com.apple.genstore Document Versions
com.apple.security Acess Control Lists
com.apple.metadata Spotlight Metadata
com.apple.lastuseddate#PS File Usage
com.apple.diskimages Disk Image Data
com.apple.backupd Time Machine Data

How to parse these attributes ??

xattr tool in macOS system is used to parse these attributes.

xattr -xl file.dmg

You can extract binary plista data (bplist) using -p argument with a specific attribute to direct it to plutil for a standard ouput, or you can direct it to a file then read it.

xattr -p com.apple.metadata:kMDItemWhereFroms googlechrome.dmg | xxd -r -p > wherefroms.plist  
xattr -p com.apple.metadata:kMDItemWhereFroms googlechrome.dmg | xxd -r –p | plutil –p -  # standard output

Demo Time

Case 1 - Normal Download File

  • I just downloaded a file from Safari (actually not a complete download), but it will create .download file, that is the file is created till the download is finished.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

I run ls -lah to see if it has any attributes. The file ends with @ means that there are attributes with that file.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Then, ls -l@ galaga.E01.download to show me the attributes related to that file.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. com.apple.quarantine : shows source application used to download the file.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. com.apple.metadata:KMDItemDownloadDate : will show the time (cocoa) when download is intiated (big-endian).
xattr -p com.apple.metadata:KMDItemDownloadDate galaga.E01.download | xxd -r –p | plutil –p -

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. com.apple.metadata:kMDItemWhereFroms : Tell you the where the user download that file.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. com.apple.progress.fractionCompleted : as it is non completed download, it is the downloaded percentage before user stop download (5%), nearly 1G from 14.7G.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Case 2 - Last Used Date

I downloaded a doc file sample from Safari, then I opened it and edit a little bit text, then I closed it.

There will be normal attributes for download + 2 additional attributes.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. com.apple.lastuseddate#PS : will show the last time in unix (8 bytes) (little-endian) the file was used.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. com.apple.macl : is governed by System Integrity Protection so, you can't delete it till disable SIP, consists of a header value of 0X 00 followed by a UUID corresponding to the application permitted to access the file. The UUID is unique for each system, user and application meaning that we can’t preempt what this value will be in advance.

There’s no official documentation for it.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

I found a blog talked about how to parse these hex values to get the UUIDs

When i tried to run the scirpt it gives nothing to me.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

But All what I noticed that UUID is after 0X 00 till you get 0X 00, you will find another UUID case you opened the doc file with another application, in my case there were 2 UUIDs.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Case 3 - DMG Files

I Downloaded a dmg file then I double clicked on it.

  • There will be normal attributes like com.apple.metadata:kMDItemWhereFroms, com.apple.metadata:KMDItemDownloadDate, com.apple.quarantine
  • But, When I double clicked the dmg file, there will be 2 additional attribute.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

  1. com.apple.diskimages.fsck : File System Check information
  2. com.apple.diskimages.recentcksum : Checksum information, including a Unix epoch timestamp of when the file was downloaded

So, We can determine when the user first double click the dmg file to install it through the fsck check, which will be in ~/Library/Logs/fsck_hfs.log

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

That's it for now, Take Care!

References

  1. FOR518
  2. eclecticlight.co
  3. XPN's InfoSec Blog
  4. real-world-systems.com
Last changed by 
M4shl3 (مشعل)
Digital Forensic Examiner
0
1389

Read more

Heavy USB Forensics

In this blog post, we will delve into USB forensics, covering approximately 95% of the essential knowledge and techniques that a digital forensics examiner would require when investigating USB-related cases.

May 4, 2025
Malware Analysis – Javascript Deobfuscation

sample

Jan 31, 2025
How to Easily Trace SSH Connections on macOS Using Unified Logs

About three weeks ago, during my study of the SSH login and logout events for the FOR518 course by Sara Edwards, I became curious about how to view SSH connection records using macOS's unified logs. It’s easy to access connection details using the traditional system.log file, but I started wondering: What if this file is deleted? It’s well-known that attackers may delete logs in the /var/log/ directory to cover their tracks. So, I set out to explore how I could accurately track SSH connection times without relying on the system log.

Jan 4, 2025
A Deep Dive Into APFS Structure

By default, a macOS storage disk consists of one Apple File System (APFS) container.Each container may have multiple volumes.

Dec 1, 2024
Read more from M4shl3 (مشعل)
Published on HackMD