As you're probably already aware, the quarantine flags are set when an agent (browser, mail client etc) saves a file to your machine. This is responsible for the warning that appears when you first try to open an application that was downloaded from the internet.
All this information is stored and there's a complete history for every user.
The first 4 digits are a set of flags that I expect are defined in quarantine.h, which appears to be a private header included in copyfile.c, within Apple's open source code.
These flags represent states, such as whether the file is quarantined or not.
On closer analysis, the kernel extension quarantine.kext is responsible for handling this and upon disassembly, we can see the function quarantine_get_flags.
Here's just a snippet of the disassembled kext

Note the formatting of the xattr output's first 4 flags with _sscanf(rbx, "%04x;") == 0x1)
This calls quarantine_get_info.

We can see here that the flags denote various states of the file on the system, with vfs being the Virtual File System and vnode being the basic representation structure of a file.
As for the rest of the xattr output, each user has a local sqlite3 database that keeps a record of every item downloaded. Its location is
~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
The database has just one table, LSQuarantineEvent. You can read all the data by using the sqlite3 command in the terminal:
sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent;"
If you filter the results (grep or alternative) you'll be able to match up the GUID that makes up the latter part of the xattr output and you'll see all the information about that particular download, including which agent was responsible for downloading the file and even the URL from where it was retrieved.
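The GUID match described above can be done with a parameterized query instead of grep. This is an added example, not code from the original answer. It assumes the xattr value has the layout flags;timestamp;agent;GUID, that the LSQuarantineEvent columns have the names used below, and that LSQuarantineTimeStamp counts seconds from 2001-01-01 UTC; the sample row and xattr value are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed column names (not listed on the page); check with ".schema LSQuarantineEvent".
QUERY = """SELECT LSQuarantineAgentName, LSQuarantineDataURLString,
                  LSQuarantineOriginURLString, LSQuarantineTimeStamp
           FROM LSQuarantineEvent
           WHERE LSQuarantineEventIdentifier = ? COLLATE NOCASE"""
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # assumed timestamp base

def parse_quarantine_xattr(value):
    """Split a com.apple.quarantine value into its flags, agent and event GUID."""
    fields = value.strip().split(";")
    if len(fields) < 4 or len(fields[0]) != 4:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    # The kext reads the first field with "%04x;", so parse it as hex.
    return {"flags": int(fields[0], 16), "agent": fields[2], "guid": fields[-1]}

def lookup_event(conn, guid):
    """Return the download record for one GUID, or None if no row matches."""
    row = conn.execute(QUERY, (guid,)).fetchone()
    if row is None:
        return None
    agent, data_url, origin_url, stamp = row
    when = COCOA_EPOCH + timedelta(seconds=stamp) if stamp is not None else None
    return {"agent": agent, "data_url": data_url, "origin_url": origin_url, "when": when}

def sample_db():
    """In-memory database holding one constructed row, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY, LSQuarantineTimeStamp REAL,
        LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    conn.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)",
                 ("0F5A1C2E-1111-2222-3333-444455556666", 600000000.0, "Safari",
                  "https://downloads.example.com/tool.dmg", "https://example.com/"))
    return conn

if __name__ == "__main__":
    # Constructed value, in the form printed by: xattr -p com.apple.quarantine <file>
    sample = "0083;5e0be100;Safari;0F5A1C2E-1111-2222-3333-444455556666"
    info = parse_quarantine_xattr(sample)
    print(hex(info["flags"]), lookup_event(sample_db(), info["guid"]))
```

To run it against a real history, pass `sqlite3.connect()` the database path given above in place of `sample_db()`.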