extended attributes on macos

The extended_attributes table seems to be one of osquery's most useful and under-utilized tables (in my experience). It returns every extended attribute set on the specified files and needs no configuration or special flags. Here is an example query that shows where files were downloaded from, looking through every user's Downloads folder.

select path, key, value, base64 from extended_attributes where path in (select path from file where directory like '/Users/%/Downloads/');

A sample of the output may look like this (using .mode line to prevent line wrapping):

  path = /Users/admin/Downloads/test_gear.stl
   key = where_from
 value = https://cdn.thingiverse.com/assets/36/9a/5a/ec/ec/Gear.STL
base64 = 0

  path = /Users/admin/Downloads/test_gear.stl
   key = where_from
 value = http://www.thingiverse.com/thing:1273079/
base64 = 0

  path = /Users/admin/Downloads/test_gear.stl
   key = quarantine_agent
 value = Google Chrome.app
base64 = 0

  path = /Users/admin/Downloads/test_gear.stl
   key = quarantine_event_id
 value = 2930BF93-397D-4EA6-91CC-412E62942C56
base64 = 0

  path = /Users/admin/Downloads/test_gear.stl
   key = quarantine_timestamp
 value = 1486108704
base64 = 0

  path = /Users/obelisk/Downloads/$RECYCLE.BIN
   key = com.apple.FinderInfo
 value = AAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
base64 = 1

  path = /Users/obelisk/Downloads/.DS_Store
   key = com.apple.FinderInfo
 value = ICAgICAgICAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
base64 = 1

  path = /Users/obelisk/Downloads/2bY9hT4.jpg
   key = quarantine_agent
 value = Google Chrome.app
base64 = 0

the base64 field

Most of the fields are self-explanatory, but there is one catch: osquery checks whether the value is printable (that is, plain ASCII). If it finds a non-ASCII byte, it base64-encodes the data and sets the base64 column to 1. This is what happened to the com.apple.FinderInfo values on $RECYCLE.BIN and .DS_Store.

uniqueness

This is also a good example because the first two entries have the same path and key but different values. That is normal for files downloaded on macOS, so don't write queries that assume (path, key) is unique (grouping by key, for example, would hide one of the two URLs).
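Both caveats above (base64-encoded values and repeated path/key pairs) are easy to get wrong when post-processing osquery output. The following is an added example, not osquery code or the post's own, that parses `.mode line` output constructed from the records shown above, decodes values only where base64 = 1, groups by (path, key) so repeated where_from values are kept, and reads the Finder flags out of the decoded com.apple.FinderInfo bytes (the kIsInvisible bit value is a known Carbon constant, not something the post states).

```python
import base64
import struct
from collections import defaultdict

# Constructed sample: three of the records from the post, in `.mode line` format.
SAMPLE = """\
  path = /Users/admin/Downloads/test_gear.stl
   key = where_from
 value = https://cdn.thingiverse.com/assets/36/9a/5a/ec/ec/Gear.STL
base64 = 0

  path = /Users/admin/Downloads/test_gear.stl
   key = where_from
 value = http://www.thingiverse.com/thing:1273079/
base64 = 0

  path = /Users/obelisk/Downloads/$RECYCLE.BIN
   key = com.apple.FinderInfo
 value = AAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
base64 = 1
"""
K_IS_INVISIBLE = 0x4000  # Finder flag bit (known Carbon constant, not from the post)

def parse_line_mode(text):
    """Split `.mode line` output into dicts; a blank line ends a record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")  # split on the first '=' only
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def decode_value(rec):
    """osquery base64-encodes non-printable values and sets base64 = 1."""
    return base64.b64decode(rec["value"]) if rec["base64"] == "1" else rec["value"]

def group_by_path_key(records):
    """(path, key) -> list of decoded values; where_from legitimately repeats."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["path"], rec["key"])].append(decode_value(rec))
    return dict(groups)

def finder_is_invisible(finder_info):
    """FinderInfo xattr: 4-byte type, 4-byte creator, big-endian u16 flags at offset 8."""
    (flags,) = struct.unpack(">H", finder_info[8:10])
    return bool(flags & K_IS_INVISIBLE)
```

On the sample above, the $RECYCLE.BIN FinderInfo decodes to 32 bytes with the invisible flag set, which is why Finder hides that folder even though it has no leading dot.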