Hidden password in an extended attribute
Today I was playing with some forensic challenges and I got surprised by
one of them. It went like this: « A password is hidden … but where »
The file was an image, and my first idea was to try some steganography tools,
but after one little hour and some research … I began to be very bored, and
asked my friend Google about hidden data on OS X.
After a few minutes I found the answer: xattr,
the EXTENDED ATTRIBUTES … they are kind of similar to the alternate
data streams in Windows.
That's why I decided to explain to you how it works:
- Open a shell and start Python
>>> import xattr
>>> xattr.listxattr("test.png")
(u'com.apple.metadata:kMDItemWhereFroms', u'user.comment')
>>>
As you can see … there are some attributes, and one of them is « user.comment ». After
some research on the internet (1 min) I discovered how to print it out:
>>> xattr.getxattr("test.png", "user.comment")
'Password: XnHjst6&'
>>>
And the challenge was finished! It was the first time I saw the extended attributes … and I found it very interesting.
Have fun
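
Added example, not part of the original post: a small triage script that reads every extended attribute on a file, decodes binary-plist values such as com.apple.metadata:kMDItemWhereFroms, and marks names outside the com.apple. namespace for review. The function names, the ROUTINE_PREFIXES rule and the sample URL are assumptions made for illustration; the os fallback works on Linux only.

```python
import os
import plistlib
import sys

# Assumption: names in Apple's own namespace are routine OS metadata.
ROUTINE_PREFIXES = ("com.apple.",)
# Constructed sample mirroring the attributes shown in the post.
SAMPLE = {
    "com.apple.metadata:kMDItemWhereFroms": plistlib.dumps(
        ["https://example.invalid/test.png"], fmt=plistlib.FMT_BINARY),
    "user.comment": b"Password: XnHjst6&",
}


def read_xattrs(path):
    """Return {name: raw bytes} for every extended attribute on path."""
    try:
        import xattr  # third-party module used in the post
        names, get = xattr.listxattr(path), xattr.getxattr
    except ImportError:
        names, get = os.listxattr(path), os.getxattr  # Linux-only fallback
    return {name: get(path, name) for name in names}


def decode_value(raw):
    if raw.startswith(b"bplist"):
        try:
            return plistlib.loads(raw)  # e.g. the kMDItemWhereFroms URL list
        except Exception:
            return raw.hex()  # malformed plist: show the raw bytes
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()
    return text if text.isprintable() else raw.hex()


def triage(attrs):
    """Return (name, value, needs_review) rows, review items first."""
    rows = [(name, decode_value(raw), not name.startswith(ROUTINE_PREFIXES))
            for name, raw in attrs.items()]
    return sorted(rows, key=lambda row: (not row[2], row[0]))


if __name__ == "__main__":
    targets = {p: read_xattrs(p) for p in sys.argv[1:]} or {"(sample)": SAMPLE}
    for path, attrs in targets.items():
        for name, value, review in triage(attrs):
            print(path, "REVIEW" if review else "routine", name, repr(value))
```

Run it with one or more file paths as arguments; with no arguments it prints the triage of the constructed sample.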
A URL to the challenge in question?
No URL, these are forensic challenges between friends