Extended Attributes
Overview
Evidence: Extended Attributes
Description: Collect Extended File Attributes
Category: DiskFilesystem
Platform: macos
Short Name: extattr
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Extended attributes (xattr) are name-value pairs associated with files and directories that store additional metadata beyond standard file attributes. On macOS, these attributes are extensively used to track file quarantine status, download sources, Finder information, and DMG file metadata. This data is essential for understanding file provenance, detecting suspicious downloads, and investigating file-based incidents.
Data Collected
This collector gathers structured data about extended attributes.
Extended Attributes Data

Field                  | Display Name            | Example value
Path                   | Path                    | Example value
AttributeName          | Attribute Name          | Example value
AttributeValue         | Attribute Value         | Example value
AttributeSize          | Attribute Size          | 123
AttributeValueHex      | Attribute Value Hex     | Example value
FileExists             | File Exists             | true
FileSize               | File Size               | 123
FileModificationTime   | File Modification Time  | 2023-10-15 14:30:25+03:00
QuarantineFlags        | Quarantine Flags        | Example value
QuarantineAgent        | Quarantine Agent        | Example value
QuarantineTimestamp    | Quarantine Timestamp    | 2023-10-15 14:30:25+03:00
QuarantineUUID         | Quarantine UUID         | Example value
WhereFromsURLs         | Where Froms URLs        | Example value
FinderInfoHex          | Finder Info Hex         | Example value
DMGChecksumType        | DMG Checksum Type       | Example value
DMGChecksum            | DMG Checksum            | Example value
DMGChecksumTimestamp   | DMG Checksum Timestamp  | 2023-10-15 14:30:25+03:00
Collection Method
This collector recursively scans configurable directories (default: /Users, /Applications) and uses the xattr package to retrieve all extended attributes for each file. It parses common macOS-specific attributes including quarantine information, download sources (kMDItemWhereFroms), Finder metadata, and DMG checksums. Results are stored in the extended_attributes table with both raw and parsed attribute values.
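The parsing step described above, shown as an added example that is not the collector's own code: it takes the raw bytes of com.apple.quarantine (a semicolon-separated "flags;hex epoch;agent;uuid" string) and com.apple.metadata:kMDItemWhereFroms (a binary plist holding an array of URLs) and produces the Quarantine* and WhereFromsURLs columns from the table above. The attribute values are constructed sample data; on a live system the raw bytes would come from the xattr package instead.

```python
import plistlib
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"
WHEREFROMS_ATTR = "com.apple.metadata:kMDItemWhereFroms"


def parse_quarantine(raw: bytes) -> dict:
    """Split 'flags;hex_epoch;agent;uuid'; the timestamp is seconds since epoch in hex."""
    fields = raw.decode("utf-8", errors="replace").split(";")
    fields += [""] * (4 - len(fields))  # tolerate records with fewer fields
    flags, ts_hex, agent, uuid = fields[:4]
    ts = datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc) if ts_hex else None
    return {
        "QuarantineFlags": int(flags, 16) if flags else None,  # kept raw, not interpreted
        "QuarantineAgent": agent or None,
        "QuarantineTimestamp": ts,
        "QuarantineUUID": uuid or None,
    }


def parse_where_froms(raw: bytes) -> list[str]:
    """kMDItemWhereFroms is a (usually binary) plist whose top level is an array of URLs."""
    try:
        value = plistlib.loads(raw)
    except Exception:  # malformed or truncated plist: report no URLs rather than fail
        return []
    return [str(v) for v in value] if isinstance(value, list) else []


def parse_attributes(attrs: dict[str, bytes]) -> dict:
    """Build the parsed columns for one file from its {attribute name: raw bytes} map."""
    out = {"AttributeValueHex": {name: raw.hex() for name, raw in attrs.items()}}
    if QUARANTINE_ATTR in attrs:
        out.update(parse_quarantine(attrs[QUARANTINE_ATTR]))
    if WHEREFROMS_ATTR in attrs:
        out["WhereFromsURLs"] = parse_where_froms(attrs[WHEREFROMS_ATTR])
    return out


# Constructed sample: a download stamped by a browser agent, with two source URLs.
SAMPLE_ATTRS = {
    QUARANTINE_ATTR: b"0083;6356d9d1;Safari;4F3E2D1C-0B9A-4876-A5B4-C3D2E1F0A9B8",
    WHEREFROMS_ATTR: plistlib.dumps(
        ["https://example.com/installer.dmg", "https://example.com/"],
        fmt=plistlib.FMT_BINARY,
    ),
}

if __name__ == "__main__":
    print(parse_attributes(SAMPLE_ATTRS))
```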
Forensic Value
This evidence is crucial for forensic investigations as it reveals file download history, quarantine status, source URLs, and file handling metadata. It helps identify potentially malicious downloaded files, trace the origin of files, detect quarantine bypass attempts, and understand file interactions with system features like Gatekeeper.