Skip to content

Hidden password in an extended attribute

Today I was playing with some forensic challenges and I got surprised by one of them.

We had to analyse an image. My first guess was to use some steganography tools, but after an hour, I decided to move on and to research how to hide data on Mac OS X (because the challenge specified that you had to use OS X). After a few minutes on google I found the  XATTR command :


XATTR are extended attributes and similare to the “alternate data stream” on windows :

And this is how it works :

  • Open a Python shell and type in the following


as you may see, there are some attributes, and one of them is “user.comment”, after
some researches on the internet  I discovered how to print it out :

And the challenge was finished ! It was the first time I saw the extended attributes … and I found it very interesting.

That’s it.

Post a Comment

Your email is never published nor shared. Required fields are marked *