Downloaded Files Information

Overview

Evidence: Downloaded Files Information
Description: Collect information about downloaded files
Category: System
Platform: macOS
Short Name: dwnlds
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

This collector gathers information about files in users' Downloads folders on a macOS system: the file path and metadata, its quarantine status, the URLs it was downloaded from, and its code-signing state. This data is essential for reconstructing download activity, detecting security incidents, and investigating system-related events.

Data Collected

This collector produces one structured record per file found in a Downloads folder, with the fields described below.

Downloads Data

Field       | Description                                                                                   | Example
ID          | Primary key (auto-increment)                                                                  | 1
Path        | File path of the downloaded file                                                              | /Users/john/Downloads/app.dmg
HostURL     | URL the file was fetched from (download source metadata, kMDItemWhereFroms)                   | https://example.com
ReferrerURL | Page that linked to the download (download source metadata, kMDItemWhereFroms)                | https://google.com
ZoneID      | Quarantine status derived from the com.apple.quarantine attribute (see Zone ID Values below)   | Quarantined; Has origin URL
SignStatus  | Code signing status: whether the file carries a valid code signature                          | true
Publisher   | Code signing authority/publisher taken from the signature                                     | Developer ID Application: Company (ABC123)
FileExists  | Whether the file still exists on disk at collection time                                      | true
Hash        | SHA-256 hash of the file                                                                      | a1b2c3d4e5f6...
FileSize    | File size in bytes                                                                            | 1048576
Modified    | File modification timestamp                                                                   | 2023-10-15 14:30:25
Accessed    | File access timestamp                                                                         | 2023-10-15 14:30:25

Zone ID Values

The ZoneID field provides detailed information about file quarantine status based on macOS quarantine attributes. The field contains descriptive strings separated by semicolons:

Zone ID Examples                          | Description
Quarantined; Has origin URL               | File quarantined with an origin URL (downloaded from the internet)
Quarantined                               | File is quarantined but without specific origin information
Quarantined; Opened; Executed/launched    | File was quarantined, then opened and executed
Quarantined; Saved by app                 | File quarantined and saved by an application
Quarantined; Needs Gatekeeper validation  | File still requires Gatekeeper validation
Local Machine                             | No com.apple.quarantine attribute is present (likely local origin)

Available Quarantine Flags:

  • Quarantined: File is quarantined

  • Has origin URL: File has origin URL information

  • Saved by app: File was saved by an application

  • Opened: File has been opened

  • Executed/launched: File has been executed or launched

  • Inherited/quarantined by copy: Quarantine inherited from copy operation

  • Legacy trust bit set: Legacy trust bit is set

  • Needs Gatekeeper validation: File needs Gatekeeper validation

Collection Method

This collector:

  • Searches for all /Users/*/Downloads folders

  • Recursively enumerates all files in Downloads folders

  • For each file, extracts quarantine information from extended attributes

  • Parses Zone ID values from com.apple.quarantine xattr

  • Collects file metadata including hash and signature

  • Extracts download source information (HostURL and ReferrerURL) using the mdls command
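The following is an added example (not the collector's own code) showing how the quarantine metadata behind the ZoneID, HostURL and ReferrerURL fields is laid out and parsed. The attribute names com.apple.quarantine and com.apple.metadata:kMDItemWhereFroms are Apple's; the function names, the sample attribute values and the use of the xattr(1) tool for reading attributes are assumptions of this example. Only the ZoneID labels that can be decided from the presence of the attributes (Quarantined, Has origin URL, Local Machine) are produced here; bit-level labels such as Opened or Executed/launched are left to the collector.

```python
"""Parse the macOS quarantine metadata this collector reads (added example)."""
import datetime as dt
import plistlib
import subprocess

QUARANTINE_XATTR = "com.apple.quarantine"
WHEREFROMS_XATTR = "com.apple.metadata:kMDItemWhereFroms"


def parse_quarantine_xattr(raw):
    """Split a com.apple.quarantine value into its ';'-separated fields.

    Layout: <flags, 4 hex digits>;<download time, hex epoch seconds>;<agent>;<UUID>
    Entries written by some applications omit the agent and/or UUID, so only
    the first two fields are required.
    """
    parts = raw.strip().split(";")
    if len(parts) < 2 or len(parts) > 4:
        raise ValueError("unexpected com.apple.quarantine layout: %r" % raw)
    flags = int(parts[0], 16)
    secs = int(parts[1], 16) if parts[1] else 0
    return {
        "flags": flags,
        "flags_hex": "%04x" % flags,
        "timestamp": dt.datetime.fromtimestamp(secs, tz=dt.timezone.utc) if secs else None,
        "agent": parts[2] if len(parts) > 2 else "",
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def parse_where_froms(blob):
    """Decode kMDItemWhereFroms: a binary plist array of URL strings.
    Element 0 is the download URL (HostURL); element 1, when present, is the
    referring page (ReferrerURL)."""
    urls = plistlib.loads(blob)
    if not isinstance(urls, list) or not all(isinstance(u, str) for u in urls):
        raise ValueError("kMDItemWhereFroms is not a plist array of strings")
    host = urls[0] if urls else ""
    referrer = urls[1] if len(urls) > 1 else ""
    return host, referrer


def zone_id(quarantine, where_froms):
    """Build the semicolon-joined ZoneID string for the cases decidable from
    attribute presence alone. Flag bits (Opened, Executed/launched, ...) are
    not decoded here."""
    if quarantine is None:
        return "Local Machine"
    labels = ["Quarantined"]
    if where_froms and where_froms[0]:
        labels.append("Has origin URL")
    return "; ".join(labels)


def read_xattr_hex(path, name):
    """macOS only: read one xattr via xattr(1) (-p prints the value, -x as hex).
    Returns the raw bytes, or None if the attribute is absent."""
    proc = subprocess.run(["xattr", "-px", name, path], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return bytes.fromhex("".join(proc.stdout.split()))


def describe_file(path):
    """macOS only: ZoneID/HostURL/ReferrerURL plus agent and download time for one file."""
    q_raw = read_xattr_hex(path, QUARANTINE_XATTR)
    w_raw = read_xattr_hex(path, WHEREFROMS_XATTR)
    quarantine = parse_quarantine_xattr(q_raw.decode("utf-8")) if q_raw else None
    where_froms = parse_where_froms(w_raw) if w_raw else None
    host, referrer = where_froms if where_froms else ("", "")
    return {"Path": path, "ZoneID": zone_id(quarantine, where_froms),
            "HostURL": host, "ReferrerURL": referrer,
            "QuarantineAgent": quarantine["agent"] if quarantine else "",
            "QuarantineTime": quarantine["timestamp"] if quarantine else None}


# Constructed sample values (not captured from a real system). The download
# time 652bf781 is 2023-10-15 14:30:25 UTC written as hex epoch seconds.
SAMPLE_QUARANTINE = "0083;652bf781;Safari;A1B2C3D4-0000-4000-8000-000000000001"
SAMPLE_WHEREFROMS = plistlib.dumps(
    ["https://example.com/app.dmg", "https://google.com/"], fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    q = parse_quarantine_xattr(SAMPLE_QUARANTINE)
    w = parse_where_froms(SAMPLE_WHEREFROMS)
    print(q["flags_hex"], q["timestamp"], q["agent"])
    print(zone_id(q, w), w)
    print(zone_id(None, None))
```

The quarantine timestamp is the moment the downloading agent wrote the attribute, which is often a better "download time" than the file's Modified timestamp; the agent field names the application that wrote it (a browser, Mail, a chat client), which helps attribute the download vector when ReferrerURL is empty.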

Usage

This evidence is crucial for forensic investigations as it provides comprehensive information about downloaded files. The Zone ID field enhances analysis by providing detailed quarantine status information:

  • Quarantined; Has origin URL: Files downloaded from internet with origin tracking

  • Quarantined; Opened; Executed/launched: Files that were quarantined and then executed

  • Quarantined; Saved by app: Files saved by applications (email attachments, etc.)

  • Quarantined; Needs Gatekeeper validation: Files requiring security validation

  • Local Machine: Files not quarantined, likely created or copied locally

Investigators can use this data to identify malicious downloads, trace download sources, establish download timelines, detect phishing attack vectors, and correlate downloads with network activity. The Zone ID values provide crucial context for threat assessment and security posture evaluation.
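The following is an added example (not part of the product's own analytics) showing how an investigator can apply simple triage rules, a download timeline and a host list for network correlation over rows of this evidence. The rows are constructed in the schema of the Downloads Data table above; the rule set and the masquerade extension lists are assumptions of this example, not thresholds defined by the collector.

```python
"""Triage rules over Downloaded Files Information rows (added example)."""
from urllib.parse import urlsplit

# Constructed sample rows using the collector's field names (not real evidence).
ROWS = [
    {"ID": 1, "Path": "/Users/john/Downloads/app.dmg",
     "HostURL": "https://example.com/app.dmg", "ReferrerURL": "https://google.com/",
     "ZoneID": "Quarantined; Has origin URL", "SignStatus": True,
     "Publisher": "Developer ID Application: Company (ABC123)", "FileExists": True,
     "Hash": "a1b2c3d4e5f6", "FileSize": 1048576,
     "Modified": "2023-10-15 14:30:25", "Accessed": "2023-10-15 14:30:25"},
    {"ID": 2, "Path": "/Users/john/Downloads/Invoice.pdf.app",
     "HostURL": "https://cdn.example.net/dl/Invoice.pdf.app",
     "ReferrerURL": "https://mail.example.org/",
     "ZoneID": "Quarantined; Has origin URL; Opened; Executed/launched",
     "SignStatus": False, "Publisher": "", "FileExists": False,
     "Hash": "", "FileSize": 0,
     "Modified": "2023-10-15 15:02:10", "Accessed": "2023-10-15 15:02:11"},
    {"ID": 3, "Path": "/Users/john/Downloads/notes.txt",
     "HostURL": "", "ReferrerURL": "", "ZoneID": "Local Machine",
     "SignStatus": False, "Publisher": "", "FileExists": True,
     "Hash": "deadbeef", "FileSize": 120,
     "Modified": "2023-10-14 09:00:00", "Accessed": "2023-10-15 08:00:00"},
]

# Assumed heuristic: a document-looking name ending in a launchable extension.
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")
EXEC_EXT = (".app", ".pkg", ".dmg", ".command", ".sh")


def zone_labels(row):
    """Split the ZoneID field into its set of descriptive labels."""
    return {label.strip() for label in row["ZoneID"].split(";") if label.strip()}


def is_double_extension(path):
    name = path.rsplit("/", 1)[-1].lower()
    for ext in EXEC_EXT:
        if name.endswith(ext) and name[:-len(ext)].endswith(DOC_EXT):
            return True
    return False


def findings(row):
    """Return the list of triage reasons that fire for one row (rules are ours)."""
    labels = zone_labels(row)
    executed = "Executed/launched" in labels
    hits = []
    if executed and not row["SignStatus"]:
        hits.append("executed download is not code-signed")
    if executed and not row["FileExists"]:
        hits.append("executed download was later deleted")
    if executed and "Quarantined" in labels and "Has origin URL" not in labels:
        hits.append("executed download has no recorded origin URL")
    if is_double_extension(row["Path"]):
        hits.append("document-style name with launchable extension")
    return hits


def triage(rows):
    """Map Path -> findings for every row that fires at least one rule."""
    return {r["Path"]: findings(r) for r in rows if findings(r)}


def download_timeline(rows):
    """(Modified, Path, download host) for quarantined rows, oldest first.
    Modified is 'YYYY-MM-DD HH:MM:SS', so string order is chronological."""
    out = [(r["Modified"], r["Path"], urlsplit(r["HostURL"]).netloc)
           for r in rows if "Quarantined" in zone_labels(r)]
    return sorted(out)


def hosts_to_correlate(rows):
    """Distinct hosts from HostURL/ReferrerURL, for pivoting into DNS/proxy logs."""
    hosts = set()
    for r in rows:
        for url in (r["HostURL"], r["ReferrerURL"]):
            if url:
                hosts.add(urlsplit(url).netloc)
    return hosts


if __name__ == "__main__":
    for path, reasons in triage(ROWS).items():
        print(path, "->", "; ".join(reasons))
    for entry in download_timeline(ROWS):
        print(*entry)
    print(sorted(hosts_to_correlate(ROWS)))
```

A row whose ZoneID says the file was executed but whose FileExists is false and Hash is empty is exactly the case where the collector's earlier snapshot (or a browser history / Spotlight record) is the only remaining evidence of the binary, so treat the hash field as unavailable rather than as proof of a benign file.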

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
