From 94c72038ce2c9a7d36c9ba552ea030e0e987ce6d Mon Sep 17 00:00:00 2001
From: "Yogesh Khatri (@swiftforensics)" <yogesh@swiftforensics.com>
Date: Wed, 21 May 2025 12:28:21 +1000
Subject: [PATCH] Add Xattr fetch to MacOS.Search.Filefinder

---
 artifacts/definitions/MacOS/Search/FileFinder.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/artifacts/definitions/MacOS/Search/FileFinder.yaml b/artifacts/definitions/MacOS/Search/FileFinder.yaml
index cd55bcccbe..8ac1a93ef2 100644
--- a/artifacts/definitions/MacOS/Search/FileFinder.yaml
+++ b/artifacts/definitions/MacOS/Search/FileFinder.yaml
@@ -50,6 +50,10 @@ parameters:
     default:
     description: A yara rule to search for matching files.
 
+  - name: Fetch_Xattr
+    default: N
+    type: bool
+    
   - name: Upload_File
     default: N
     type: bool
@@ -127,6 +131,9 @@ sources:
                if(condition=Upload_File and Mode.IsRegular,
                   then=upload(file=OSPath,
                               accessor="file")) AS Upload,
+               if(condition=Fetch_Xattr,
+                  then=xattr(filename=OSPath,
+                              accessor="file")) AS XAttr,
                if(condition=Calculate_Hash and Mode.IsRegular,
                   then=hash(path=OSPath,
                             accessor="file")) AS Hash