# Quarantine Events

## Overview

**Evidence:** Quarantine Events\
**Description:** Collect Quarantine Events Database\
**Category:** System\
**Platform:** macos\
**Short Name:** qrntn\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

This collector gathers quarantine events information from the macOS system. This data is essential for understanding download and execution origins, detecting initial access vectors, and investigating user-driven infections.

## Data Collected

This collector gathers structured data about quarantine events.

### Quarantine Events Data

| Field          | Description                                                                                          | Example                   |
| -------------- | ---------------------------------------------------------------------------------------------------- | ------------------------- |
| `User`         | Local user account whose quarantine database the event was read from                                | Example value             |
| `QuarantineID` | Unique identifier of the quarantine event (`LSQuarantineEventIdentifier`)                           | Example value             |
| `Timestamp`    | Time the file was quarantined (`LSQuarantineTimeStamp`, converted from Cocoa absolute time)         | 2023-10-15 14:30:25+03:00 |
| `Bundle`       | Bundle identifier of the application that downloaded or received the file (`LSQuarantineAgentBundleIdentifier`) | Example value  |
| `AgentName`    | Display name of that application (`LSQuarantineAgentName`)                                          | Example value             |
| `DataURL`      | URL the file was downloaded from (`LSQuarantineDataURLString`)                                      | Example value             |
| `SenderName`   | Sender name for files received by mail or messaging (`LSQuarantineSenderName`)                      | Example value             |
| `SenderAdd`    | Sender address for files received by mail or messaging (`LSQuarantineSenderAddress`)                | Example value             |
| `TypeNum`      | Numeric quarantine event type (`LSQuarantineTypeNumber`)                                            | 123                       |
| `OriginTitle`  | Title of the page the download originated from (`LSQuarantineOriginTitle`)                          | Example value             |
| `OriginURL`    | URL of the page the download originated from (`LSQuarantineOriginURLString`)                        | Example value             |
| `OriginAlias`  | Alias to the originating item, if recorded (`LSQuarantineOriginAlias`)                              | Example value             |

## Collection Method

This collector copies user quarantine databases from `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2` and parses the `LSQuarantineEvent` table.
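The parsing step described above, as an added example that is not the collector's own code: it reads the `LSQuarantineEvent` table from a copied database through a read-only connection, maps the table's columns onto the field names listed in the Data Collected table, and converts `LSQuarantineTimeStamp` from Cocoa absolute time (seconds since 2001-01-01 UTC) to ISO-8601. The `demo()` function builds a constructed database with one sample event so the script runs offline; its values are not real evidence.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# LSQuarantineTimeStamp is Cocoa absolute time: seconds since 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Source column in LSQuarantineEvent -> field name reported by the collector.
COLUMNS = {
    "LSQuarantineEventIdentifier": "QuarantineID",
    "LSQuarantineTimeStamp": "Timestamp",
    "LSQuarantineAgentBundleIdentifier": "Bundle",
    "LSQuarantineAgentName": "AgentName",
    "LSQuarantineDataURLString": "DataURL",
    "LSQuarantineSenderName": "SenderName",
    "LSQuarantineSenderAddress": "SenderAdd",
    "LSQuarantineTypeNumber": "TypeNum",
    "LSQuarantineOriginTitle": "OriginTitle",
    "LSQuarantineOriginURLString": "OriginURL",
    "LSQuarantineOriginAlias": "OriginAlias",
}

def cocoa_to_iso(seconds):
    """Convert a Cocoa absolute timestamp to an ISO-8601 UTC string (None stays None)."""
    if seconds is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=float(seconds))).isoformat(timespec="seconds")

def parse_quarantine_db(path, user):
    """Return every LSQuarantineEvent row as a dict keyed by collector field, tagged with `user`."""
    # Open through a read-only URI so the copied evidence file is never modified by parsing.
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = []
    for values in conn.execute(f"SELECT {', '.join(COLUMNS)} FROM LSQuarantineEvent"):
        rec = {"User": user, **dict(zip(COLUMNS.values(), values))}
        rec["Timestamp"] = cocoa_to_iso(rec["Timestamp"])  # raw float -> human-readable UTC
        rows.append(rec)
    conn.close()
    return rows

def demo():
    """Build a constructed QuarantineEventsV2-style database (sample data, not real evidence) and parse it."""
    path = f"{tempfile.mkdtemp()}/com.apple.LaunchServices.QuarantineEventsV2"
    with sqlite3.connect(path) as conn:  # the context manager commits on exit
        conn.execute(f"CREATE TABLE LSQuarantineEvent ({', '.join(COLUMNS)})")
        conn.execute("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)", (
            "CONSTRUCTED-UUID-0001", 719062225.0, "com.apple.Safari", "Safari", "https://example.invalid/invoice.dmg",
            None, None, 0, "Invoice", "https://example.invalid/downloads", None))
    conn.close()
    return parse_quarantine_db(path, user="alice")
```

Run against a real copy by calling `parse_quarantine_db()` with the path of the copied database and the owning account name; the sample timestamp 719062225.0 corresponds to 2023-10-15 11:30:25 UTC, the example value from the table above expressed in UTC.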

## Forensic Value

This evidence is crucial for forensic investigations as it reveals downloaded files, source URLs, and agent processes that can indicate phishing, drive-by downloads, or malicious attachments.
