Extended Attributes
Overview
Evidence: Extended Attributes
Description: Collect Extended File Attributes
Category: DiskFilesystem
Platform: macos
Short Name: extattr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Extended attributes (xattr) are name-value pairs associated with files and directories that store additional metadata beyond the standard file attributes. On macOS they are used extensively to track file quarantine status, download sources, Finder information, and DMG file metadata. This data is essential for understanding file provenance, detecting suspicious downloads, and investigating file-based incidents.
Data Collected
This collector gathers structured data about extended attributes.
Extended Attributes Data
| Field | Description | Example |
|---|---|---|
| Path | Path | Example value |
| AttributeName | Attribute Name | Example value |
| AttributeValue | Attribute Value | Example value |
| AttributeSize | Attribute Size | 123 |
| AttributeValueHex | Attribute Value Hex | Example value |
| FileExists | File Exists | true |
| FileSize | File Size | 123 |
| FileModificationTime | File Modification Time | 2023-10-15 14:30:25+03:00 |
| QuarantineFlags | Quarantine Flags | Example value |
| QuarantineAgent | Quarantine Agent | Example value |
| QuarantineTimestamp | Quarantine Timestamp | 2023-10-15 14:30:25+03:00 |
| QuarantineUUID | Quarantine UUID | Example value |
| WhereFromsURLs | Where Froms URLs | Example value |
| FinderInfoHex | Finder Info Hex | Example value |
| DMGChecksumType | DMG Checksum Type | Example value |
| DMGChecksum | DMG Checksum | Example value |
| DMGChecksumTimestamp | DMG Checksum Timestamp | 2023-10-15 14:30:25+03:00 |
Collection Method
This collector recursively scans configurable directories (default: /Users, /Applications) and uses the xattr package to retrieve all extended attributes for each file. It parses common macOS-specific attributes, including quarantine information, download sources (kMDItemWhereFroms), Finder metadata, and DMG checksums. Results are stored in the extended_attributes table with both raw and parsed attribute values.
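The following is an added illustration of the parsing step described above; it is not the collector's own code. It turns a file's raw attribute map into rows shaped like the extended_attributes table, decoding com.apple.quarantine (a `;`-separated string of flags, hex epoch seconds, agent and UUID) and com.apple.metadata:kMDItemWhereFroms (a binary plist array of URLs), and keeps everything else as raw bytes plus hex. The `read_attributes` helper assumes the third-party `xattr` package is installed on macOS; the sample attribute values and paths are constructed, and the DMG checksum attribute is deliberately left as raw hex because its layout is not documented on this page.

```python
"""Parse macOS extended attributes into rows shaped like the extended_attributes table."""
import plistlib
from datetime import datetime, timezone

QUARANTINE = "com.apple.quarantine"
WHEREFROMS = "com.apple.metadata:kMDItemWhereFroms"
FINDERINFO = "com.apple.FinderInfo"


def parse_quarantine(raw: bytes) -> dict:
    """Split a com.apple.quarantine value of the form 'flags;hexepoch;agent;uuid'.
    Trailing fields may be absent, so every field after the flags is optional."""
    parts = raw.decode("utf-8", "replace").split(";")
    out = {"QuarantineFlags": parts[0], "QuarantineTimestamp": None,
           "QuarantineAgent": None, "QuarantineUUID": None}
    if len(parts) > 1 and parts[1]:
        try:
            epoch = int(parts[1], 16)  # seconds since the Unix epoch, written in hex
            out["QuarantineTimestamp"] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
        except ValueError:
            pass  # malformed timestamp: keep the row, leave the field empty
    if len(parts) > 2:
        out["QuarantineAgent"] = parts[2]
    if len(parts) > 3:
        out["QuarantineUUID"] = parts[3]
    return out


def parse_wherefroms(raw: bytes) -> list:
    """kMDItemWhereFroms is a binary plist holding an array of URL strings."""
    try:
        value = plistlib.loads(raw)
    except Exception:  # not a plist, or truncated
        return []
    return [str(v) for v in value] if isinstance(value, list) else []


def attribute_rows(path: str, attrs: dict) -> list:
    """One row per attribute: raw value, hex form, and parsed fields for recognised names."""
    rows = []
    for name, raw in attrs.items():
        row = {"Path": path, "AttributeName": name,
               "AttributeValue": raw.decode("utf-8", "replace"),
               "AttributeSize": len(raw), "AttributeValueHex": raw.hex()}
        if name == QUARANTINE:
            row.update(parse_quarantine(raw))
        elif name == WHEREFROMS:
            row["WhereFromsURLs"] = parse_wherefroms(raw)
        elif name == FINDERINFO:
            row["FinderInfoHex"] = raw.hex()  # 32 opaque bytes; only the hex is kept
        rows.append(row)
    return rows


def missing_quarantine(rows: list) -> list:
    """Paths that carry download-origin metadata but no quarantine attribute.
    Worth a second look in triage: Gatekeeper had nothing to act on for these files."""
    by_path = {}
    for r in rows:
        by_path.setdefault(r["Path"], set()).add(r["AttributeName"])
    return sorted(p for p, names in by_path.items()
                  if WHEREFROMS in names and QUARANTINE not in names)


def read_attributes(path: str) -> dict:
    """Read raw attributes from a real file with the third-party `xattr` package (assumed installed)."""
    import xattr  # pip install xattr
    return {name: xattr.getxattr(path, name) for name in xattr.listxattr(path)}


# Constructed sample values standing in for two downloaded files (not real evidence).
SAMPLE = {
    "/Users/alice/Downloads/app.dmg": {
        QUARANTINE: b"0083;5f8d5c3a;Safari;5B3D0F8E-1111-2222-3333-444455556666",
        WHEREFROMS: plistlib.dumps(["https://example.com/app.dmg", "https://example.com/"],
                                   fmt=plistlib.FMT_BINARY),
        FINDERINFO: bytes(32),
    },
    "/Users/alice/Downloads/tool.zip": {
        WHEREFROMS: plistlib.dumps(["https://example.org/tool.zip"], fmt=plistlib.FMT_BINARY),
    },
}


def sample_rows() -> list:
    rows = []
    for path, attrs in SAMPLE.items():
        rows.extend(attribute_rows(path, attrs))
    return rows


if __name__ == "__main__":
    for r in sample_rows():
        print(r["Path"], r["AttributeName"], r.get("QuarantineAgent") or r.get("WhereFromsURLs") or "")
    print("WhereFroms present but no quarantine:", missing_quarantine(sample_rows()))
```

The quarantine parser tolerates short or malformed values instead of discarding the row, since a partial attribute is still evidence; the `missing_quarantine` check shows how the parsed rows can be queried for the quarantine-gap pattern the Forensic Value section refers to.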
Forensic Value
This evidence is crucial for forensic investigations because it reveals file download history, quarantine status, source URLs, and file handling metadata. It helps identify potentially malicious downloaded files, trace the origin of files, detect quarantine bypass attempts, and understand how files interacted with system features such as Gatekeeper.