Quarantine Events

Overview

Evidence: Quarantine Events
Description: Collect Quarantine Events Database
Category: System
Platform: macos
Short Name: qrntn
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

This collector gathers quarantine event information from the macOS system. This data is essential for understanding where downloaded files came from and how they were executed, for detecting initial access vectors, and for investigating user-driven infections.

Data Collected

This collector gathers structured data about quarantine events.

Quarantine Events Data

Field          Description                                   Example
-------------  --------------------------------------------  -------------------------
User           User account whose quarantine database        Example value
               the event was read from
QuarantineID   Quarantine event identifier                   Example value
Timestamp      Time the quarantine event was recorded        2023-10-15 14:30:25+03:00
Bundle         Bundle identifier of the agent application    Example value
AgentName      Name of the agent (downloading) application   Example value
DataURL        URL of the downloaded data                    Example value
SenderName     Sender name                                   Example value
SenderAdd      Sender address                                Example value
TypeNum        Type number                                   123
OriginTitle    Origin title                                  Example value
OriginURL      Origin URL                                    Example value
OriginAlias    Origin alias                                  Example value

Collection Method

This collector copies each user's quarantine database from ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 (an SQLite database) and parses its LSQuarantineEvent table.
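As an added example (not the collector's own code), the following Python script reads the LSQuarantineEvent table from a copied database and normalises each row into the fields listed above. The schema and the two sample rows are constructed for illustration, modelled on the real table layout; the script assumes LSQuarantineTimeStamp is stored in Mac absolute time (seconds since 2001-01-01 UTC), which is what makes the conversion to a readable timestamp necessary.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed schema, modelled on the real LSQuarantineEvent table (assumption)
SCHEMA = """CREATE TABLE LSQuarantineEvent (
  LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
  LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT,
  LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT,
  LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT,
  LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT,
  LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB)"""

# Timestamps are stored as seconds since the Mac absolute-time epoch, 2001-01-01 UTC
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_abs_to_iso(seconds):
    """Convert LSQuarantineTimeStamp (seconds since 2001-01-01 UTC) to ISO 8601 UTC."""
    if seconds is None:
        return None
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat(sep=" ")

def parse_quarantine_events(conn):
    """Read every LSQuarantineEvent row and return normalised dicts, newest first."""
    query = """SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp,
        LSQuarantineAgentBundleIdentifier, LSQuarantineAgentName,
        LSQuarantineDataURLString, LSQuarantineSenderName, LSQuarantineSenderAddress,
        LSQuarantineTypeNumber, LSQuarantineOriginTitle, LSQuarantineOriginURLString
        FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC"""
    keys = ["QuarantineID", "Timestamp", "Bundle", "AgentName", "DataURL",
            "SenderName", "SenderAdd", "TypeNum", "OriginTitle", "OriginURL"]
    events = []
    for row in conn.execute(query):
        event = dict(zip(keys, row))
        event["Timestamp"] = mac_abs_to_iso(event["Timestamp"])
        events.append(event)
    return events

def build_sample_db():
    """Constructed in-memory database with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    ts = (datetime(2023, 10, 15, 11, 30, 25, tzinfo=timezone.utc) - MAC_EPOCH).total_seconds()
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        ("0000-EXAMPLE-1", ts, "com.apple.Safari", "Safari", "https://example.invalid/installer.dmg",
         None, None, 0, "Example download page", "https://example.invalid/download", None),
        ("0000-EXAMPLE-2", ts - 3600, "com.apple.mail", "Mail", None,
         "Sender Name", "sender@example.invalid", 0, None, None, None),
    ])
    return conn

if __name__ == "__main__":
    for event in parse_quarantine_events(build_sample_db()):
        print(event)
```

To run it against a real copy, replace `build_sample_db()` with `sqlite3.connect("file:/path/to/copy?mode=ro", uri=True)` so the evidence file is opened read-only.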

Forensic Value

This evidence is crucial for forensic investigations as it reveals downloaded files, source URLs, and agent processes that can indicate phishing, drive-by downloads, or malicious attachments.
