A script facilitating forensic analysis of macOS extended attributes. It returns extended attributes extracted from both xattr and the LSQuarantineEventsV2 database for files received via AirDrop or downloaded using Chrome, Firefox, Opera, Brave or Safari.
The data extracted reveals:
- for AirDropped files: file path, time received, sender name
- for files downloaded using internet browsers: file path, browser name, time downloaded, origin URL, and the data URL the file was fetched from.
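As an added illustration, not code from the xattribs script, this shows how the two sources it correlates fit together: the com.apple.quarantine extended attribute carries a flags;hex-timestamp;agent;UUID record, and that UUID keys the LSQuarantineEvent table inside QuarantineEventsV2, whose timestamps are Mac absolute time (seconds since 2001-01-01). The attribute value, the UUID and the in-memory database are constructed sample data; on a real system the attribute would be read with os.getxattr(path, "com.apple.quarantine") and the database opened from the default path given below.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# CFAbsoluteTime (LSQuarantineTimeStamp) counts seconds from 2001-01-01 UTC; offset to Unix epoch.
MAC_EPOCH_OFFSET = 978307200


def parse_quarantine_xattr(raw: bytes) -> dict:
    """Parse a com.apple.quarantine value: 'flags;hex-unix-time;agent;event-uuid'."""
    flags, hex_ts, agent, uuid = raw.decode("utf-8").split(";", 3)
    return {"flags": int(flags, 16), "agent": agent, "uuid": uuid,
            "time": datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)}


def lookup_event(conn: sqlite3.Connection, uuid: str) -> Optional[dict]:
    """Resolve the xattr's UUID against LSQuarantineEvent; None if the row is absent."""
    row = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, "
        "LSQuarantineDataURLString, LSQuarantineSenderName FROM LSQuarantineEvent "
        "WHERE LSQuarantineEventIdentifier = ?", (uuid,)).fetchone()
    if row is None:
        return None
    ts, agent, origin, data_url, sender = row
    return {"time": datetime.fromtimestamp(ts + MAC_EPOCH_OFFSET, tz=timezone.utc),
            "agent": agent, "origin_url": origin, "data_url": data_url, "sender": sender}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for QuarantineEventsV2 holding one Chrome download."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY, LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT, LSQuarantineOriginURLString TEXT,
        LSQuarantineDataURLString TEXT, LSQuarantineSenderName TEXT)""")
    conn.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)",
                 ("4A2C8F10-1234-5678-9ABC-DEF012345678", 1700000000 - MAC_EPOCH_OFFSET,
                  "Chrome", "https://example.com/downloads",
                  "https://example.com/files/report.pdf", None))
    return conn


# Constructed attribute value; 0x6553f100 is Unix time 1700000000 written in hex.
SAMPLE_XATTR = b"0083;6553f100;Chrome;4A2C8F10-1234-5678-9ABC-DEF012345678"

if __name__ == "__main__":
    attr = parse_quarantine_xattr(SAMPLE_XATTR)
    print("xattr:", attr)
    print("db   :", lookup_event(build_sample_db(), attr["uuid"]))
```

When both records agree on the timestamp and agent, the file's provenance is corroborated; a UUID with no matching row means the database entry was purged or the file came from another machine.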
Install dependencies by running pip install -r requirements.txt.
Run python3 xattribs.py /path/to/directory/ [--db /path/to/db] [--json]
Use --db to specify the QuarantineEvents database location, if different from the default (/Users/<current logged in user name>/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2).
Use --json to print output in JSON format.
Directory containing files to be checked: /Users/George/Desktop
Directory containing the QuarantineEvents database: I don't know, help! (so - default)
Output format: easy to read please (so - default)
👉 Command to use:
python3 xattribs.py /Users/George/Desktop
Directory containing files to be checked: /Users/Nina/Desktop/forensic_evidence/files
Directory containing the QuarantineEvents database: /Users/Nina/Desktop/forensic_evidence/db/quarantine
Name of the database file: QuarantineEventsV2
Output format: JSON
👉 Command to use:
python3 xattribs.py /Users/Nina/Desktop/forensic_evidence/files --db /Users/Nina/Desktop/forensic_evidence/db/quarantine/QuarantineEventsV2 --json