Extended Attributes
Overview
macOS uses extended attributes (xattrs) to attach metadata to individual files beyond the standard filesystem attributes. Several forensically significant extended attributes are automatically set by the system, including download source URLs, quarantine flags, Finder comments, and Trash put-back paths. These per-file metadata entries persist with the file and provide provenance, classification, and lifecycle information.
Forensic Significance
| Extended Attribute | Forensic Value |
|---|---|
| com.apple.quarantine | Download source application, timestamp, and UUID linking to QuarantineEventsV2 |
| com.apple.metadata:kMDItemWhereFroms | Source URL and referrer URL for downloaded files |
| com.apple.metadata:kMDItemFinderComment | User-set comments on files |
| com.apple.trash.origpath | Original path before the file was moved to Trash |
| com.apple.metadata:kMDItemDownloadedDate | When the file was downloaded |
| com.apple.lastuseddate#PS | Last time the file was opened |
Reading Extended Attributes
```bash
# List all xattrs on a file
xattr -l /path/to/file

# Read a specific xattr
xattr -p com.apple.quarantine /path/to/file

# Read a binary plist xattr (Where-From URLs): hex dump -> raw bytes -> XML plist
xattr -px com.apple.metadata:kMDItemWhereFroms /path/to/file | xxd -r -p | plutil -convert xml1 -o - -

# List xattrs of everything directly under ~/Downloads (raise -maxdepth to recurse)
find ~/Downloads -maxdepth 1 -exec xattr -l {} \; 2>/dev/null
```
Key Extended Attributes
com.apple.quarantine
Set on every file downloaded from the internet via a quarantine-aware application.
Format: `flag;timestamp;agent_name;uuid`

| Field | Description |
|---|---|
| flag | Hex bitmask (0x0001 = quarantine flag set, 0x0040 = user approved) |
| timestamp | Hex-encoded seconds since 2001-01-01 |
| agent_name | Name of the downloading application |
| uuid | Links to LSQuarantineEventIdentifier in the QuarantineEventsV2 database |

Example: `0083;65a1b3c4;Safari;ABCD1234-5678-90EF-GHIJ-KLMNOPQRSTUV`
com.apple.metadata:kMDItemWhereFroms
A binary plist containing an array of URLs:
| Index | Description |
|---|---|
| 0 | Direct download URL |
| 1 | Referrer URL (page that linked to the download) |
```bash
# Extract Where-From URLs as pretty-printed JSON
xattr -px com.apple.metadata:kMDItemWhereFroms file.dmg | \
  xxd -r -p | plutil -convert json -o - - | python3 -m json.tool
```
com.apple.metadata:kMDItemFinderComment
Plain-text string set by the user via Finder's "Get Info" panel. May contain user notes about the file.
com.apple.trash.origpath
Set when a file is moved to Trash. Contains the original absolute path of the file before deletion.
```bash
xattr -p com.apple.trash.origpath ~/.Trash/deleted-file.txt
# Output: /Users/name/Documents/deleted-file.txt
```
com.apple.metadata:kMDItemDownloadedDate
Binary plist containing the date the file was downloaded. This is separate from the filesystem creation date and survives file moves.
com.apple.lastuseddate#PS
Binary data containing the last time the file was opened by the user. Updated independently of filesystem access time (which macOS may defer for performance).
Analysis Notes
- Download provenance chain: Combining `com.apple.quarantine` (agent and timestamp), `kMDItemWhereFroms` (source and referrer URLs), and `kMDItemDownloadedDate` (download time) provides a complete provenance record for any downloaded file.
- Anti-forensics detection: The removal of quarantine attributes (`xattr -d com.apple.quarantine file`) is a common anti-forensics technique. Files without quarantine attributes that are known to have been downloaded may indicate deliberate evidence removal.
- Trash forensics: The `com.apple.trash.origpath` attribute reveals where deleted files originally resided, providing context about the file's purpose and the user's organisational structure.
- Cross-volume persistence: Extended attributes travel with files when copied between APFS/HFS+ volumes (but may be stripped when copying to non-Apple filesystems like FAT32 or NTFS).
- Spotlight integration: The `kMDItem*` attributes are indexed by Spotlight and can be searched using `mdfind`: `mdfind "kMDItemWhereFroms == '*example.com*'"`
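The quarantine field layout described above and the provenance chain from the analysis notes, as an added Python example (not code from this page or from macfor): it decodes the raw bytes of `com.apple.quarantine` and `kMDItemWhereFroms` as obtained from `xattr -px`, and joins them into one record. The quarantine string is the one quoted on this page; the Where-From plist is constructed here from two placeholder URLs, and the timestamp is decoded as hex seconds since the Unix epoch (1970-01-01), under which the sample value falls in January 2024.

```python
import datetime as dt
import plistlib

# Constructed sample inputs for offline use. The quarantine string is the
# page's example; the Where-From array uses reserved example.com hosts.
SAMPLE_QUARANTINE = b"0083;65a1b3c4;Safari;ABCD1234-5678-90EF-GHIJ-KLMNOPQRSTUV"
SAMPLE_WHEREFROMS = plistlib.dumps(
    ["https://cdn.example.com/files/installer.dmg", "https://www.example.com/download"],
    fmt=plistlib.FMT_BINARY,
)

# Bit meanings as listed in the flag table; any other bits stay visible in "flags".
QUARANTINE_FLAG_NAMES = {0x0001: "quarantine_set", 0x0040: "user_approved"}


def hexdump_to_bytes(text: str) -> bytes:
    """Turn the whitespace-separated hex pairs printed by `xattr -px` into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_quarantine(raw: bytes) -> dict:
    """Split a com.apple.quarantine value into flag, timestamp, agent and uuid."""
    fields = raw.decode("utf-8", errors="replace").split(";")
    if len(fields) != 4:
        raise ValueError(f"expected 4 ';'-separated fields, got {len(fields)}: {raw!r}")
    flag_hex, ts_hex, agent, uuid = fields
    flags = int(flag_hex, 16)
    # Timestamp: hex-encoded seconds since the Unix epoch (assumption of this example).
    ts = dt.datetime.fromtimestamp(int(ts_hex, 16), tz=dt.timezone.utc)
    return {
        "flags": flags,
        "flag_names": [name for bit, name in QUARANTINE_FLAG_NAMES.items() if flags & bit],
        "timestamp": ts,
        "agent": agent,
        "uuid": uuid,  # join key against LSQuarantineEventIdentifier in QuarantineEventsV2
    }


def parse_wherefroms(raw: bytes) -> dict:
    """Decode the kMDItemWhereFroms binary plist into download and referrer URLs."""
    urls = plistlib.loads(raw)
    if not isinstance(urls, list):
        raise ValueError("kMDItemWhereFroms is not a plist array")
    return {"download_url": urls[0] if urls else None,
            "referrer_url": urls[1] if len(urls) > 1 else None}


def provenance_record(quarantine: bytes, wherefroms: bytes) -> dict:
    """Combine both xattrs into the single provenance record the analysis notes describe."""
    record = parse_quarantine(quarantine)
    record.update(parse_wherefroms(wherefroms))
    return record


if __name__ == "__main__":
    for key, value in provenance_record(SAMPLE_QUARANTINE, SAMPLE_WHEREFROMS).items():
        print(f"{key:13} {value}")
```

On a live system, feed `hexdump_to_bytes()` the output of `xattr -px <attr> <file>` for each attribute; `kMDItemDownloadedDate` is another binary plist and decodes with `plistlib.loads()` in the same way.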
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| xattr (macOS built-in) | Read and write extended attributes |
| mdls (macOS built-in) | Display Spotlight metadata including xattrs |
| mdfind (macOS built-in) | Search by extended attribute values |
| AXIOM (Magnet) | Commercial xattr analysis |