{
	"id": "0391741a-8b71-4ac6-a5c6-4734f04956e8",
	"created_at": "2026-04-06T00:11:44.614745Z",
	"updated_at": "2026-04-10T13:12:30.264002Z",
	"deleted_at": null,
	"sha1_hash": "be91e8fd9c715eb5030cd8e567f7a854db2f2a48",
	"title": "There’s more to files than data: Extended Attributes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 274327,
	"plain_text": "There’s more to files than data: Extended Attributes\r\nPublished: 2020-10-24 · Archived: 2026-04-05 18:22:19 UTC\r\nThe attributes of a file include metadata which is common to many or all files, such as their name and date of\r\ncreation. Extended attributes, or xattrs, are metadata which apply only to specific files, and aren’t used by the\r\ngreat majority: they’re options used for particular purposes.\r\nIn Classic Mac OS, many files have resource forks to contain structured metadata: a classic app, for example,\r\nstores definitions of windows, menus, dialogs, etc., in its resource fork. In macOS 10 and 11, files and folders can\r\nalso have other named forks, which are implemented as extended attributes; a resource fork becomes resource\r\nmetadata in a xattr of type com.apple.ResourceFork . Although sometimes claimed to be a quirk of Macs,\r\nextended attributes are now quite widely used in other file systems, in Linux and BSD, for example.\r\nmacOS and applications use xattrs for various purposes. One of the most prominent is implementing the\r\nquarantine flag which indicates that a file has been downloaded from the internet and requires full security checks.\r\nOther xattrs might attach details of the website from which a file was downloaded, copyright information, and\r\nmore. They’re not normally used to store content-specific metadata such as EXIF for images, or those associated\r\nwith other media files, which are normally incorporated within the file data to ensure their preservation on all file\r\nsystems.\r\nStorage\r\nIn Mac native file systems such as APFS, extended attributes aren’t stored with the main data for files, but in the\r\nAttributes area of the volume metadata. As such they’re out of reach of normal file tools, and can only be accessed\r\nusing those specifically intended to work with xattrs. 
Each file and folder can have an effectively unlimited\r\nnumber of xattrs, each of which can be more than 100 KB.\r\nBecause they’re part of the volume metadata, some versions of macOS may not include the space occupied by\r\nthem when calculating free and used disk space. It’s possible to fill a volume with extended attributes and run it\r\nout of free space, and that space may also be ignored by services which manage storage use, for example space\r\nallocations for clients in a server system. These should be pathological problems, but could also result from\r\nmalicious activity.\r\nMost file systems to which macOS can write either handle xattrs natively (HFS+, APFS), or macOS uses a scheme\r\nto preserve them. NFS is an important exception, and files copied to NFS will have all their xattrs stripped. Other\r\nfile systems, including those popular with Linux, may impose stricter limits than APFS on the number and size of\r\nxattrs.\r\nTypes\r\nXattrs are almost universally named using a type signature similar to an app ID, which reads like a URL\r\nbackwards, although that isn’t required and you may still encounter older names such as AppCrashCount and\r\nos_version .\r\nhttps://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/\r\nPage 1 of 6\n\nThe following types are examples of those most commonly encountered:\r\ncom.apple.FinderInfo is found very widely, and contains (a little) Finder information, sometimes\r\nincluding the old file type and creator strings.\r\ncom.apple.ResourceFork is a resource fork.\r\ncom.apple.rootless marks items which are protected by SIP.\r\ncom.apple.quarantine marks files which have been downloaded from the internet, and contains their\r\nGatekeeper status, indicating whether they still require full checking, have passed a full check, and have\r\nbeen run on that Mac.\r\ncom.apple.metadata is for metadata generally, and is usually qualified by a subtype, such as those below.\r\nMetadata subtypes 
(confusingly termed attributes by Apple) commonly encountered include:\r\n_kMDItemUserTags contains Finder tag information\r\nkMDLabel_ is normally serialised with a string of apparently random letters\r\nkMDItemDownloadedDate gives the datestamp for when a downloaded item was obtained\r\nkMDItemWhereFroms gives the URL from which a downloaded item was obtained\r\nkMDItemIsScreenCapture, kMDItemScreenCaptureGlobalRect, and kMDItemScreenCaptureType for\r\nscreenshots.\r\nExamples of compound types include com.apple.metadata:kMDItemWhereFroms and\r\ncom.apple.metadata:kMDLabel_jwzqfxqstyro4udfe2psoz7kyi , which has a serialised subtype.\r\nDetection\r\nMetadata stored in xattrs is usually hidden from the user, although Finder’s Get Info may show the content of\r\nsome xattrs such as com.apple.metadata:kMDItemDownloadedDate and kMDItemWhereFroms . Some third-party\r\napps may expose relevant metadata. For example, better text editors show and allow the setting of the information\r\nstored in com.apple.TextEncoding , which records the encoding scheme used by many text files.\r\nIn Terminal, the most reliable way of discovering whether one or more xattrs are associated with a file or folder is\r\nusing the command ls -la . Resulting listings append the at sign @ at the end of the permissions flags to\r\nindicate that item has associated xattrs:\r\ndrwxr-xr-x@ 254 hoakley staff 8636 24 Jul 18:39 miscDocs\r\nTools\r\nThe standard command tool for working with xattrs is the command xattr . 
xattrs are listed with\r\nxattr -l itempath\r\nwhere itempath is the path to the file or folder to be examined.\r\nCopying xattrs using this command is complex, and requires writing the xattr which is printed in hex form, e.g.\r\nxattr -wx com.apple.FinderInfo \"`xattr -px com.apple.FinderInfo thisitem`\" thatitem\r\ncopies the com.apple.FinderInfo xattr from thisitem to thatitem .\r\nIf you’d prefer to use GUI apps to work with xattrs, I have a collection here, including:\r\nxattred, a full-featured xattr editor which can do almost anything you want with xattrs, and can also attach\r\nquarantine flags if you wish to test that apps can clear Gatekeeper’s checks;\r\nMetamer, a simple editor for text-based xattrs, including 16 standard types which are indexed by Spotlight;\r\nPratique, to mark document quarantine flags as clear;\r\nSandstrip, to remove spurious quarantine flags;\r\nSearchKey and SearchKeyLite, which edit five major xattr types generally useful in document metadata;\r\nPrecize from this page gives detailed size information and a listing of xattrs for individual files;\r\ncmpxat , a command tool to compare the xattrs of two files and report all differences between them.\r\nXattred is a highly capable xattr editor.\r\nMetamer is a lightweight editor for text-based xattrs which can be used in Spotlight searches.\r\nCommon Problems\r\nProblems with xattrs have been relatively uncommon, but are usually difficult to identify and diagnose because of\r\ntheir poor visibility. Perhaps their most common problem is that most measures of a file’s size forget to include the\r\nsize of any xattrs. 
Although usually small in comparison to the size of file data, increasing use of xattrs can result\r\nin some puzzling discrepancies. To investigate xattr size more accurately, use Precize.\r\nOver the last few years, Apple has increasingly used xattrs, both the quarantine flag com.apple.quarantine and a\r\nxattr new with Catalina, com.apple.macl , for security and privacy protection. These can lead to strange and\r\napparently intractable problems; as they’re essentially undocumented by Apple, even discovering their cause can\r\nbe difficult.\r\nOther problems arise when xattrs whose contents are important are inadvertently stripped when a file is moved to\r\na different volume or file system, such as iCloud. The latter now preserves more xattrs than it has in the past, but\r\nsome may still need special protection. Xattrs have a longstanding system for specifying when they should be\r\npreserved, but this was only documented in obscure source code. It also appends flags to the end of the xattr type\r\nname, which isn’t generally respected and can cause problems of its own.\r\nIn the command line and shell scripts, xattrs can behave unexpectedly. Some old commands, including cpio,\r\nzip , and pax , may omit xattrs unless they’re specifically included using an option: if xattrs are to be preserved\r\nwhen using such commands, you should check with the man page and preferably perform a small-scale test before\r\nproceeding.\r\nOccasionally, bugs in specific apps can attach incorrect or very large xattrs to files quite inappropriately. These\r\ncan in turn cause some services to fail, most commonly the mdworker daemon responsible for indexing metadata\r\nfor Spotlight. 
These usually present with bizarre symptoms, and until they are recognised as being caused by\r\nxattrs, they remain baffling.\r\nForthcoming articles will look in more detail at these different topics.\r\nReferences\r\nOne of the few lists of xattrs is given for com.apple.metadata subtypes in Apple’s File Metadata Attributes\r\nReference (last substantially updated in 2011).\r\nThere are many other articles on this blog, in the Category xattr, with its contents page (also listed to the right, at\r\nthe top of the widgets there).\r\nSource: https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/"
	],
	"report_names": [
		"theres-more-to-files-than-data-extended-attributes"
	],
	"threat_actors": [],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be91e8fd9c715eb5030cd8e567f7a854db2f2a48.pdf",
		"text": "https://archive.orkl.eu/be91e8fd9c715eb5030cd8e567f7a854db2f2a48.txt",
		"img": "https://archive.orkl.eu/be91e8fd9c715eb5030cd8e567f7a854db2f2a48.jpg"
	}
}