Today I was playing with some forensic challenges and I got surprised by one of them.
We had to analyse an image. My first guess was to use some steganography tools, but after an hour I decided to move on and to research how to hide data on Mac OS X (because the challenge specified that you had to use OS X). After a few minutes on Google I found the xattr command:
xattrs are extended attributes, similar to “alternate data streams” on Windows:
And this is how it works:
- Open a Python shell and type in the following (the xattr module is the third-party `xattr` package, so import it first):

>>> import xattr
>>> xattr.listxattr("test.png")
(u'com.apple.metadata:kMDItemWhereFroms', u'user.comment')
>>>
As you may see, there are some attributes, and one of them is “user.comment”. After some research on the internet I discovered how to print it out:
>>> xattr.getxattr("test.png", "user.comment")
'Password: XnHjst6&'
>>>
And the challenge was finished! It was the first time I saw extended attributes … and I found it very interesting.
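The same two calls scale up into a small triage script: walk a directory tree, list every file's extended attributes, and report the ones that are not in a short allow-list of attributes macOS writes on its own. This is an added example of mine, not code from the post; the allow-list is a sample I chose, and the script falls back to the standard-library os.listxattr/os.getxattr on Linux when the xattr package is not installed.

```python
import os
import sys

# Attributes macOS writes routinely (sample, not exhaustive); anything else deserves a look.
BENIGN_ATTRS = {"com.apple.quarantine", "com.apple.FinderInfo",
                "com.apple.ResourceFork", "com.apple.metadata:kMDItemWhereFroms"}

def default_backends():
    """(list_fn, get_fn): the xattr pip module the write-up used, else os.* on Linux."""
    try:
        import xattr  # third-party package, not in the standard library
        return xattr.listxattr, xattr.getxattr
    except ImportError:
        if hasattr(os, "listxattr"):
            return os.listxattr, os.getxattr
        raise RuntimeError("no extended-attribute API available on this host")

def preview(value, limit=60):
    """Show a value as text if printable, otherwise as hex; truncate long ones."""
    text = value.decode("utf-8", errors="replace")
    shown = text if text.isprintable() else value.hex()
    return shown if len(shown) <= limit else shown[:limit] + "..."

def scan(paths, list_fn, get_fn):
    """Map each path to its non-benign attributes as (name, preview) pairs."""
    findings = {}
    for path in paths:
        try:
            names = list(list_fn(path))
        except OSError:  # unreadable file or filesystem without xattr support
            continue
        hits = []
        for name in names:
            if name in BENIGN_ATTRS:
                continue
            try:
                hits.append((name, preview(get_fn(path, name))))
            except OSError:
                hits.append((name, "<unreadable>"))
        if hits:
            findings[path] = hits
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    files = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
    for path, hits in scan(files, *default_backends()).items():
        for name, shown in hits:
            print(f"{path}: {name} = {shown!r}")
```

Run it as `python scan_xattr.py /path/to/tree`; the user.comment from the challenge would show up as the only finding on test.png because the kMDItemWhereFroms attribute is on the allow-list.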
That’s it.