How this post came about
I spent a few days looking into HFS+ flags and attributes. This began as a way to demonstrate why the malware that was accidentally distributed with Transmission was unable to encrypt Time Machine backups. OS X flags the backups as system immutable and OSX.KeRanger.A was not designed to get around that particular scenario. You still need to have multiple backups that include an offline copy.
Apple’s OS X leverages extended attributes for many things. Some are presented as features to the user (Tags in Finder) while others are not. I poked around with attributes and zeroed in on one in particular: com.apple.quarantine. After a few days of fun I decided that I had enough information to make a blog post about it. This post isn’t exhaustive and I had to cut a lot out due to it bleeding into larger topics that are better suited to having their own post. I will follow up on this post and likely have more to cover those topics.
Working with HFS+ extended attributes
Two programs stand out that let us display and manipulate attributes. More importantly, both are included in a default OS X installation.
- ls – The OS X build of ls comes with an -@ flag. This option displays extended attribute keys and sizes.
- xattr – We use xattr to display and manipulate extended attributes. Read the man page; there are many useful options.
Here is an example of both commands:
osx:~ user$ touch ~/example
osx:~ user$ xattr -w com.example.attribute 'Hello, World!' ~/example
osx:~ user$ ls -lh@ ~/example
-rw-r--r--@ 1 user staff 0B Mar 31 10:04 /var/root/example
    com.example.attribute 13B
osx:~ user$ xattr -p com.example.attribute ~/example
Hello, World!
In the above example we created an empty file with touch, added the extended attribute com.example.attribute with xattr, listed the attributes with ls, and printed the attribute contents with xattr.
The com.apple.quarantine attribute
Though not exclusive to this action, OS X will create the com.apple.quarantine extended attribute when a file is downloaded with a web browser. Go to the DB Browser for SQLite homepage and download the latest build for OS X. We will use this software in Part II of this blog post. After the download completes, open Terminal and list the attributes.
osx:~ user$ ls -lh@ ~/Downloads/sqlitebrowser-3.8.0v5.dmg
-rw-r--r--@ 1 user staff 11M Mar 31 10:06 /Users/user/Downloads/sqlitebrowser-3.8.0v5.dmg
    com.apple.metadata:kMDItemWhereFroms 585B
    com.apple.quarantine 63B
Two attributes should be listed. The first is com.apple.metadata:kMDItemWhereFroms and the second is com.apple.quarantine. Let’s focus on the com.apple.quarantine attribute and use xattr to print the attribute value.
osx:~ user$ xattr -p com.apple.quarantine ~/Downloads/sqlitebrowser-3.8.0v5.dmg
0001;56fd591f;Google Chrome;A5247E51-926A-4D54-A4C0-78B47CC60A7F
The com.apple.quarantine attribute has four fields, each separated by a semicolon. From left to right:
- Field one
- Attribute time stamp
- Agent name
- Quarantine event identifier
Field one
I am unable to get a repeatable result to verify that this field affects the system in a meaningful way. I highly doubt that this field is benign. I’ll try to play with it more and follow up on it in the second entry on this topic.
I was extremely tempted to correlate this field with the LSQuarantineTypeNumber key in the com.apple.LaunchServices.QuarantineEventsV2 database (which I will refer to as the QuarantineEvents database from now on). This does not hold for this particular field.
Attribute time stamp
This field is a Unix time value (a decimal value) displayed in hexadecimal. It is a timestamp of when the attribute was created. We can convert it to a human-readable value with the date command, passing the hexadecimal value through shell arithmetic so that date receives it as a decimal number.
osx:~ user$ date -r $((0x56fd591f))
Thu Mar 31 10:06:39 MST 2016
Agent name
The Agent Name field is derived from the file name of the application used to download the file. In our case the agent is a web browser. You can verify that the file name of the browser affects this field by following the steps below.
- Quit your web browser.
- Rename your browser to foo.
- Open the browser and download a different file. (I downloaded VLC media player.)
- Use xattr to view the value of the com.apple.quarantine attribute.
osx:~ user$ xattr -p com.apple.quarantine ~/Downloads/vlc-2.2.2.dmg
0001;56fd5a3e;foo;A6AC2BC6-68A5-4054-BDEA-E0F2CCF048FA
Changing the file name of the web browser also affects the LSQuarantineAgentName value in the QuarantineEvents database. More information on this database will come in a later post.
Quarantine event identifier
This is a UUID generated by OS X. The use of UUIDs is not exclusive to this field, this attribute, or attributes as a whole. Apple loves using UUIDs for just about everything.
It’s possible for this field to be null. I used three web browsers (Google Chrome, Mozilla Firefox, and Apple Safari) to test the creation of com.apple.quarantine attributes for downloaded files. When Firefox was used, the com.apple.quarantine attribute always had a null Quarantine Event Identifier field. Test and verify the attribute with different browsers (or other applications) on your OS X machine.
For example: Does a file downloaded with curl have a com.apple.quarantine attribute?
osx:~ user$ curl -O https://dl.google.com/chrome/mac/stable/GGRO/googlechrome.dmg
osx:~ user$ ls -lh@ ~/googlechrome.dmg
The UUID in the com.apple.quarantine attribute is a copy of the primary key (LSQuarantineEventIdentifier) in the QuarantineEvents database. We will explore this relationship, what OS X does with it, and methods to test and verify this relationship in a later post.
Behavior and value of com.apple.quarantine
I wanted to post a few quick notes about some behavior that will and will not modify a com.apple.quarantine extended attribute. Forensic value of this (or any) piece of data is relative.
- Running touch against the file does not affect the extended attribute.
- If the file is moved on the same volume the extended attribute does not change.
- If the file is copied on the same volume the extended attribute does not change for the original file. The attribute is duplicated for the new file and the contents are the same, with the exception of the Quarantine Agent Name field: spaces are replaced with x20 – the hexadecimal representation of a space. Here is the attribute for an original file and for a copy of it:
osx:~ user$ xattr -p com.apple.quarantine ~/example
0001;56f83722;Googlex20Chrome;CD648C26-B3B7-4105-8DC4-EAFB0F97700A
Copy of file:
osx:~ user$ xattr -p com.apple.quarantine ~/example-copy
0001;56f83722;Googlex20Chrome;CD648C26-B3B7-4105-8DC4-EAFB0F97700A
- Copying or moving the file to a different HFS+ volume results in the same behavior as the previous bullet point.
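The field layout described above (field one, hex timestamp, agent name, optional UUID) and the x20 escaping seen on copied files can be pulled together into a small parser. This is an added example, not code from the original post; the first two sample values are the ones printed above, the third is a constructed Firefox-style value with an empty event identifier, and read_quarantine() is an assumed helper that simply shells out to the stock xattr tool.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class QuarantineRecord:
    field_one: str                   # raw first field; its meaning is not established in the post
    timestamp: datetime              # hex Unix time from the attribute, decoded as UTC
    agent_name: str                  # file name of the downloading application
    event_identifier: Optional[str]  # UUID, or None when the field is empty (the Firefox case)


def parse_quarantine(value: str) -> QuarantineRecord:
    """Split a com.apple.quarantine value into its four ';'-separated fields."""
    parts = value.strip().split(";")
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}: {value!r}")
    field_one, ts_hex, agent, uuid = parts
    # The timestamp is a Unix time written in hexadecimal (same as $((0x...)) for date -r).
    ts = datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc)
    # On copied files the space in the agent name shows up as the literal text 'x20'.
    agent = agent.replace("x20", " ")
    return QuarantineRecord(field_one, ts, agent, uuid or None)


def read_quarantine(path: str) -> Optional[QuarantineRecord]:
    """Assumed helper: read the attribute with xattr -p; None if the file has no such attribute."""
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


# Constructed samples: "original" and "copy" are the values printed in the post,
# "firefox" is a made-up value with a null Quarantine Event Identifier.
SAMPLES = {
    "original": "0001;56fd591f;Google Chrome;A5247E51-926A-4D54-A4C0-78B47CC60A7F",
    "copy":     "0001;56f83722;Googlex20Chrome;CD648C26-B3B7-4105-8DC4-EAFB0F97700A",
    "firefox":  "0001;56fd591f;Firefox;",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        rec = parse_quarantine(raw)
        print(f"{label:8} {rec.timestamp.isoformat()} agent={rec.agent_name!r} "
              f"uuid={rec.event_identifier}")
```

The decoded UTC time for 56fd591f is 17:06:39, which is the 10:06:39 MST shown by date -r earlier in the post.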
What we have is an extended attribute that is resistant to some normal user behavior (copying and moving files) as well as suspect behavior (using touch to modify the timestamp of the file). Test and verify the above bullet points before you take my word for it. If you get a different result than what I have listed here, please let me know.
The information contained within the com.apple.quarantine attribute has the potential to be valuable.
I would have liked to cover all of the material that I wanted to in this single post but I also made a personal commitment to post once a week. I had been playing with these attributes for a few days and lost track of some time. Ultimately I decided to split up the material into multiple (hopefully only two) posts. This may not be the most convenient delivery but it ensures that a delivery was made.
Sometimes life is about handing in current progress instead of holding out for the final draft. Besides, this blog is informal and for fun.