Exploring macOS Extended Attributes: The Hidden Metadata You Didn’t Know Existed

  • Apr 1
  • 4 min read
If you've ever wondered how macOS knows where a downloaded file came from or why certain files prompt security warnings, the answer lies in Extended Attributes (xattrs).

These hidden pieces of metadata provide valuable information about files, including download history, quarantine status, and even timestamps.


------------------------------------------------------------------------------------------------------------


File Quarantine: macOS’s Built-in Security Check

One of macOS’s security features is file quarantine, which helps prevent malicious files from running unchecked. Whenever you download a file from the internet using Safari, Chrome, or other applications, macOS records details like:


  • Download source (e.g., the website URL)

  • Timestamp of download

  • The application used to download the file


For instance, if you download googlechrome.dmg from Google, macOS stores this metadata in the file’s extended attributes. When you first open it, Gatekeeper sees the quarantine flag, shows the origin warning, and checks the code signature and notarization before letting it run.


------------------------------------------------------------------------------------------------------------


Where Are These Files Stored?

By default, most downloads are saved in the ~/Downloads directory. If you haven’t cleaned it out in a while, you likely have months (or even years!) of accumulated downloads, each packed with hidden metadata.


To check whether a file has extended attributes, open Terminal and run:

ls -la

If the permissions string ends with an @ (for example -rw-r--r--@), the file carries extended attributes. To list their names and sizes:

ls -l@

Decoding Extended Attributes

macOS assigns various extended attributes (xattrs) to files. Some of the most common include:


  • com.apple.quarantine – Stores security-related information, including the download timestamp, the application that wrote the file, and a quarantine event ID.

  • com.apple.metadata:kMDItemWhereFroms – Contains the URL the file was downloaded from (and usually the referring page).

  • com.apple.metadata:kMDItemDownloadedDate – Stores the download timestamp as a binary property list.


To extract an attribute, use the xattr command, for example:

xattr -p com.apple.metadata:kMDItemWhereFroms uac-3.0.0.tar.gz

Because kMDItemWhereFroms is a binary property list rather than plain text, xattr -p prints the value as hex bytes. Paste that hex into CyberChef (the "From Hex" operation) to recover the URL.

The same command works for any file:

xattr -p com.apple.metadata:kMDItemWhereFroms <Filename>

This reveals the exact source the file came from.

------------------------------------------------------------------------------------------------------------

Copying hex from every file into CyberChef is tedious, so there is a better way. Ask xattr to print the attribute as a formatted hex dump instead:

xattr -xl com.apple.metadata:kMDItemWhereFroms <Filename>

The -x flag dumps the value in hex and -l lists it next to the attribute name; the dump includes an ASCII column on the right, so the URL can be read directly without decoding.
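Decoding the quarantine attribute is easier than the plist-backed ones because its value is a plain string. The parser below is an added example, not code from the article. It assumes the Launch Services value layout flags;hex seconds since the Unix epoch;agent;event UUID (the UUID is sometimes missing), and the sample values are constructed, not taken from a real download.

```python
"""Parse a com.apple.quarantine extended attribute value into its fields."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class QuarantineRecord:
    flags: int               # quarantine flag bits, kept raw (per-flag meaning is undocumented)
    timestamp: datetime      # when the file was written, in UTC
    agent: str               # application that created the file (e.g. Safari, Chrome)
    event_id: Optional[str]  # UUID keying the entry in the LaunchServices QuarantineEventsV2 database


def parse_quarantine(value: str) -> QuarantineRecord:
    """Decode the ';'-separated string that `xattr -p com.apple.quarantine <file>` prints.

    Assumed layout: "<flags in hex>;<seconds since the Unix epoch in hex>;<agent>;<event UUID>".
    The UUID field is absent or empty on some files, so it is optional.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"not a quarantine value: {value!r}")
    try:
        flags = int(parts[0], 16)
        epoch_seconds = int(parts[1], 16)
    except ValueError as exc:
        raise ValueError(f"malformed flags/timestamp in {value!r}") from exc
    agent = parts[2]
    event_id = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineRecord(
        flags=flags,
        timestamp=datetime.fromtimestamp(epoch_seconds, tz=timezone.utc),
        agent=agent,
        event_id=event_id,
    )


def describe(record: QuarantineRecord) -> str:
    """One-line summary suitable for a triage listing."""
    return (f"{record.timestamp.isoformat()}  flags=0x{record.flags:04x}  "
            f"agent={record.agent}  event={record.event_id or '-'}")


# Constructed sample values (not from a real system). 0x6603a1f3 is 2024-03-27 04:34:59 UTC.
SAMPLE_QUARANTINE = "0083;6603a1f3;Chrome;8C7A5E2B-1F3D-4A6B-9C2E-5D7F8A9B0C1D"
SAMPLE_QUARANTINE_NO_UUID = "0081;6603a1f3;Safari;"

if __name__ == "__main__":
    for sample in (SAMPLE_QUARANTINE, SAMPLE_QUARANTINE_NO_UUID):
        print(describe(parse_quarantine(sample)))
```

The event_id is worth keeping: it is the key into ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2, a SQLite database that retains the origin URL and agent for each quarantine event even after the downloaded file itself has been deleted, so it is the next place to look when the file is gone.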

-------------------------------------------------------------------------------------------------------------


Different Browsers, Different Metadata

Not all browsers write the same set of extended attributes:

  • Safari: Stores all of the metadata above, including the download date and source.

  • Chrome: Does not save the kMDItemDownloadedDate attribute.

  • Firefox: Only records quarantine metadata (com.apple.quarantine).

Browser behaviour changes between versions, so confirm these observations against the browser build on the system you are examining before relying on them.


-------------------------------------------------------------------------------------------------------------


Beyond Browsers: AirDrop, Mail, and DMG Files

Extended attributes aren’t just limited to web downloads. Other macOS applications use them as well:


  • AirDrop: Stores sender details and metadata about transferred files.

  • Mail Attachments: On newer systems, when an email attachment is saved to disk, a few extended attributes are attached to that file:


    com_apple_mail_dateReceived: timestamp when the email message was received

    com_apple_mail_dateSent: timestamp when the email message was sent

    com_apple_mail_isRemoteAttachment: flag recording whether the attachment was local (0) or remote (1)


  • DMG Files: macOS adds attributes such as:

    com.apple.diskimages.fsck: tracks whether a disk image has been opened

    com.apple.diskimages.recentcksum: checksum information, including a Unix epoch timestamp of when the file was downloaded

-------------------------------------------------------------------------------------------------------------


Investigating Property Lists from Extended Attributes(You can take this another method to parse)

When analyzing macOS files, extended attributes (xattrs) often hold valuable metadata.

Some of these attributes contain binary property lists (PLISTs), which store structured information about the file. Extracting and decoding these PLISTs can reveal useful insights, such as the source of a downloaded file or other metadata added by the system.



Extracting PLIST Data from Extended Attributes

To extract an extended attribute’s content, we use the xattr command.

However, running xattr -p <attribute> <file> on a binary value prints the data as hex bytes, which isn’t readable as-is.

For example, checking com.apple.metadata:kMDItemWhereFroms gives a hex dump:

xattr -p com.apple.metadata:kMDItemWhereFroms <filename>

Converting Hex to Binary PLIST

We can use xxd with the -r (reverse) and -p (plain) options to revert the hex dump back into binary format and save it as a file:

xattr -p com.apple.metadata:kMDItemWhereFroms <filename> | xxd -r -p > wherefroms.plist

Now, wherefroms.plist contains the original property list, but it’s still in binary format. To read it in human-friendly form, we need to convert it into a readable structure.


Reading a Binary PLIST in Plaintext

To print a binary PLIST directly to the terminal in a readable format, use:

xattr -p com.apple.metadata:kMDItemWhereFroms <filename> | xxd -r -p | plutil -p -

This command chain:

  1. Extracts the metadata (xattr -p).

  2. Converts it from hex to binary (xxd -r -p).

  3. Parses the binary PLIST into human-readable text (plutil -p -).
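The same three steps can be done in Python without xxd, plutil, or CyberChef, because plistlib parses binary property lists natively. The script below is an added example and not part of the article. The sample attribute values are constructed with plistlib (no Mac in the loop), so their hex matches what xattr -p would print for those values; read_xattr_hex is the only part that needs macOS and assumes xattr is on PATH.

```python
"""Decode the binary-plist extended attributes that `xattr -p` prints as hex."""
import plistlib
import subprocess
from datetime import datetime, timezone

WHERE_FROMS = "com.apple.metadata:kMDItemWhereFroms"
DOWNLOADED_DATE = "com.apple.metadata:kMDItemDownloadedDate"


def xattr_hex_to_bytes(hex_text: str) -> bytes:
    """`xattr -p` prints a non-printable value as space-separated hex bytes wrapped over
    several lines; dropping the whitespace and un-hexing is what `xxd -r -p` does."""
    return bytes.fromhex("".join(hex_text.split()))


def decode_plist(raw: bytes):
    """Parse a property list, as `plutil -p -` does, and return the top-level object.
    Binary plists start with the magic 'bplist00'; XML ones are accepted too."""
    if not (raw.startswith(b"bplist00") or raw.lstrip().startswith(b"<?xml")):
        raise ValueError("attribute value is not a property list")
    return plistlib.loads(raw)


def where_froms(hex_text: str) -> list:
    """kMDItemWhereFroms is an array of strings: the download URL first, usually
    followed by the referring page (some writers store only the URL)."""
    value = decode_plist(xattr_hex_to_bytes(hex_text))
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"unexpected kMDItemWhereFroms payload: {value!r}")
    return value


def downloaded_dates(hex_text: str) -> list:
    """kMDItemDownloadedDate is an array of plist dates. plistlib returns naive
    datetimes that are in fact UTC, so mark them explicitly before reporting."""
    value = decode_plist(xattr_hex_to_bytes(hex_text))
    if not isinstance(value, list) or not all(isinstance(v, datetime) for v in value):
        raise ValueError(f"unexpected kMDItemDownloadedDate payload: {value!r}")
    return [d.replace(tzinfo=timezone.utc) for d in value]


def read_xattr_hex(path: str, name: str) -> str:
    """macOS only: run the same `xattr -p` the article uses and return its hex text.
    Assumes `xattr` is on PATH; raises CalledProcessError if the attribute is absent."""
    proc = subprocess.run(["xattr", "-p", name, path], check=True,
                          capture_output=True, text=True)
    return proc.stdout


# Constructed samples: built with plistlib so the hex matches what `xattr -p` would
# print for these values, since no real download is involved.
def _as_xattr_hex(obj) -> str:
    return plistlib.dumps(obj, fmt=plistlib.FMT_BINARY).hex(" ")


SAMPLE_WHERE_FROMS_HEX = _as_xattr_hex([
    "https://example.com/downloads/uac-3.0.0.tar.gz",
    "https://example.com/downloads/",
])
SAMPLE_DOWNLOADED_DATE_HEX = _as_xattr_hex([datetime(2024, 3, 27, 4, 34, 59)])

if __name__ == "__main__":
    print("where from:", where_froms(SAMPLE_WHERE_FROMS_HEX))
    print("downloaded:", [d.isoformat() for d in downloaded_dates(SAMPLE_DOWNLOADED_DATE_HEX)])
```

On a Mac, replace the samples with read_xattr_hex(path, WHERE_FROMS) and read_xattr_hex(path, DOWNLOADED_DATE); the type checks in where_froms and downloaded_dates are there because an attribute name says nothing about what a given application actually wrote into it.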

-------------------------------------------------------------------------------------------------------------


Final Thoughts

Extended attributes might be hidden from plain sight, but they play a crucial role in macOS’s security and file management system. Whether you’re a security researcher, a forensic investigator, or just a curious Mac user, knowing how to inspect and interpret these attributes can be incredibly useful.


So, the next time you download a file, remember—macOS is keeping track, and now, so can you! 🚀

---------------------------------------------------Dean---------------------------------------


 
 
 
