This week, it’s SANSFIRE[1]! I’m participating in the FOR577[2] course (“Linux Incident Response & Threat Hunting”). On the second day, we explored the various filesystems and the arrangement of data on disk. Within the Linux environment, numerous filesystems (ext3, ext4, xfs, …) offer “extended file attributes,” also known as “xattr.” This filesystem capability allows users to append metadata to files. Such data isn’t readily accessible to the user and can encompass anything pertinent to the file (e.g., the creator’s name, a short description, …). You might roughly liken this feature to the Alternate Data Stream (ADS) found in the Windows NTFS filesystem.
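The paragraph above says that extended attributes carry metadata a plain directory listing does not reveal, which is exactly why an incident responder wants a way to enumerate them. The following Python script is an added example (not code from the diary or the FOR577 course): it tags one file in a scratch directory with a `user.comment` attribute via the standard-library `os.setxattr` call and then walks the tree to report every regular file carrying `user.*` attributes, which is the hunting step. The attribute name, value and file names are constructed for the demonstration. Filesystems that do not support user xattrs (older tmpfs, some network mounts) return `ENOTSUP`, and the code treats that as "nothing to report" rather than a crash, since a scan across a whole host will cross such mounts.

```python
import errno
import os
import tempfile

# The "user." namespace is writable by any user who can write the file.
# "trusted." needs CAP_SYS_ADMIN; "security." and "system." are used by
# the kernel and LSMs (SELinux labels, POSIX ACLs) and are expected to exist.
USER_NS = "user."
_UNSUPPORTED = (errno.ENOTSUP, errno.EOPNOTSUPP)


def set_user_xattr(path, name, value):
    """Attach user.<name> = value (bytes) to the file at path."""
    os.setxattr(path, USER_NS + name, value)


def list_user_xattrs(path):
    """Return {attribute: value} for every user.* attribute on path.

    follow_symlinks=False so a symlink's own attributes are read, not its target's.
    """
    found = {}
    for attr in os.listxattr(path, follow_symlinks=False):
        if attr.startswith(USER_NS):
            found[attr] = os.getxattr(path, attr, follow_symlinks=False)
    return found


def find_files_with_user_xattrs(root):
    """Walk root and report regular files that carry user.* attributes.

    Returns {relative_path: {attribute: value}}; files without user.* data
    and mounts that do not support xattrs are silently skipped.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                attrs = list_user_xattrs(full)
            except OSError as exc:
                if exc.errno in _UNSUPPORTED:
                    continue
                raise
            if attrs:
                hits[os.path.relpath(full, root)] = attrs
    return hits


def demo():
    """Create a scratch tree, tag one file with hidden metadata, then hunt for it.

    Returns the hits dict, or None when the temp filesystem rejects user.* xattrs.
    """
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "notes.txt")      # constructed sample file
        tagged = os.path.join(root, "report.pdf")    # constructed sample file
        for path in (plain, tagged):
            with open(path, "w") as fh:
                fh.write("ordinary file contents\n")
        try:
            set_user_xattr(tagged, "comment", b"quarterly report")  # constructed value
        except OSError as exc:
            if exc.errno in _UNSUPPORTED:
                return None
            raise
        # Only report.pdf should be reported; notes.txt has no user.* data.
        return find_files_with_user_xattrs(root)


if __name__ == "__main__":
    result = demo()
    if result is None:
        print("filesystem does not support user.* xattrs")
    else:
        for rel, attrs in result.items():
            for attr, value in attrs.items():
                print(f"{rel}: {attr} = {value!r}")
```

Point `find_files_with_user_xattrs` at a directory of interest during triage; anything it returns is metadata that `ls` and a file's contents alone would not have shown you. Note that it deliberately ignores `security.*` and `system.*`, which are normal on SELinux or ACL-enabled systems, so the output is limited to attributes someone chose to add.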