My IT projects : Hidden password in an extended attribute

Today I was playing with some forensic challenges and I got surprised by one of them.

We had to analyse an image. My first guess was to use some steganography tools, but after an hour, I decided to move on and to research how to hide data on Mac OS X (because the challenge specified that you had to use OS X). After a few minutes on google I found the XATTR command :

XATTR are extended attributes and similare to the “alternate data stream” on windows :

And this is how it works :

Open a Python shell and type in the following

>> xattr.listxattr("test.png")
(u'com.apple.metadata:kMDItemWhereFroms', u'user.comment')
>>>

>> xattr.listxattr("test.png")

(u'com.apple.metadata:kMDItemWhereFroms', u'user.comment')

>>>

as you may see, there are some attributes, and one of them is “user.comment”, after
some researches on the internet I discovered how to print it out :

>>> xattr.getxattr("test.png", "user.comment")
'Password: XnHjst6&'
>>>

>>> xattr.getxattr("test.png", "user.comment")

'Password: XnHjst6&'

>>>

And the challenge was finished ! It was the first time I saw the extended attributes … and I found it very interesting.

That’s it.

My IT projects

Hidden password in an extended attribute

Post a Comment

Pages

Categories

Friends