Quarantine Events
Overview
Evidence: Quarantine Events
Description: Collect Quarantine Events Database
Category: System
Platform: macos
Short Name: qrntn
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers quarantine event records from the macOS system. LaunchServices writes one record for each file that a quarantine-aware application (a browser, Mail, Messages and similar) downloads or receives, so the data is essential for understanding download and execution origins, detecting initial access vectors, and investigating user-driven infections.
Data Collected
This collector gathers structured data about quarantine events.
Quarantine Events Data
| Field | Description | Example |
|---|---|---|
| User | macOS user account whose quarantine database contained the record | Example value |
| QuarantineID | Quarantine event identifier (UUID, `LSQuarantineEventIdentifier`); the same UUID is stored in the file's `com.apple.quarantine` extended attribute | Example value |
| Timestamp | Time the quarantine record was created (`LSQuarantineTimeStamp`, converted from seconds since 2001-01-01 UTC) | 2023-10-15 14:30:25+03:00 |
| Bundle | Bundle identifier of the application that applied the quarantine (`LSQuarantineAgentBundleIdentifier`) | Example value |
| AgentName | Display name of that application (`LSQuarantineAgentName`) | Example value |
| DataURL | URL the file was downloaded from (`LSQuarantineDataURLString`) | Example value |
| SenderName | Sender name for mail or message attachments (`LSQuarantineSenderName`) | Example value |
| SenderAdd | Sender address for mail or message attachments (`LSQuarantineSenderAddress`) | Example value |
| TypeNum | Integer quarantine type (`LSQuarantineTypeNumber`) distinguishing web downloads, other downloads and attachments | 123 |
| OriginTitle | Title of the page or message the download originated from (`LSQuarantineOriginTitle`) | Example value |
| OriginURL | URL of the page the download was initiated from (`LSQuarantineOriginURLString`) | Example value |
| OriginAlias | Bookmark/alias data for the origin, when present (`LSQuarantineOriginAlias`) | Example value |
Collection Method
This collector copies each user's quarantine database, the SQLite file ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2, and parses its LSQuarantineEvent table. Records are attributed to the user whose home directory the database was copied from.
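The following is an added example of the parsing step, not code from the collector itself. It creates a constructed sample copy of the database using the real LSQuarantineEvent column layout (the sample rows, the user name "alice" and the temporary file path are assumptions), opens it read-only, converts `LSQuarantineTimeStamp` from Mac Absolute Time (seconds since 2001-01-01 UTC) and maps each row to the field names used in the table above. The type-number mapping follows the LaunchServices `kLSQuarantineType*` constants as commonly documented in forensic references.

```python
import datetime
import os
import sqlite3
import tempfile
from typing import Any, Dict, List, Optional

# LSQuarantineTimeStamp is Mac Absolute Time: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)

# LSQuarantineTypeNumber values (LaunchServices kLSQuarantineType* constants).
QUARANTINE_TYPES = {0: "WebDownload", 1: "OtherDownload", 2: "EmailAttachment",
                    3: "InstantMessageAttachment", 4: "CalendarEventAttachment",
                    5: "OtherAttachment"}

# Column layout of the LSQuarantineEvent table in the V2 database.
SCHEMA = """CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineSenderName TEXT,
    LSQuarantineSenderAddress TEXT,
    LSQuarantineTypeNumber INTEGER,
    LSQuarantineOriginTitle TEXT,
    LSQuarantineOriginURLString TEXT,
    LSQuarantineOriginAlias BLOB)"""

# Constructed sample rows (assumed data, not real telemetry). 719062225.0 s after the
# Mac epoch is 2023-10-15 11:30:25 UTC, the instant the page shows as 14:30:25+03:00.
SAMPLE_ROWS = [
    ("0D5A1C1E-1111-4A2B-9C3D-000000000001", 719062225.0, "com.apple.Safari", "Safari",
     "https://example.org/files/report.pdf", None, None, 0,
     "Example Downloads", "https://example.org/downloads.html", None),
    ("0D5A1C1E-1111-4A2B-9C3D-000000000002", 719062300.0, "com.apple.mail", "Mail",
     None, "Accounts", "accounts@example.net", 2, None, None, None),
]

COLUMNS = ("LSQuarantineEventIdentifier", "LSQuarantineTimeStamp",
           "LSQuarantineAgentBundleIdentifier", "LSQuarantineAgentName",
           "LSQuarantineDataURLString", "LSQuarantineSenderName",
           "LSQuarantineSenderAddress", "LSQuarantineTypeNumber",
           "LSQuarantineOriginTitle", "LSQuarantineOriginURLString",
           "LSQuarantineOriginAlias")


def mac_absolute_to_iso(ts: Optional[float]) -> Optional[str]:
    """Convert LSQuarantineTimeStamp to an ISO-8601 UTC string; a NULL stays None."""
    if ts is None:
        return None
    return (MAC_EPOCH + datetime.timedelta(seconds=ts)).isoformat(sep=" ")


def parse_quarantine_db(path: str, user: str) -> List[Dict[str, Any]]:
    """Open a copied database read-only and map its rows to the page's field names."""
    # mode=ro: a parser must never write to (or create) the evidence file.
    conn = sqlite3.connect("file:{}?mode=ro".format(path), uri=True)
    try:
        query = "SELECT {} FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp"
        rows = conn.execute(query.format(", ".join(COLUMNS))).fetchall()
    finally:
        conn.close()
    events = []
    for r in rows:
        events.append({
            "User": user, "QuarantineID": r[0],
            "Timestamp": mac_absolute_to_iso(r[1]),
            "Bundle": r[2], "AgentName": r[3], "DataURL": r[4],
            "SenderName": r[5], "SenderAdd": r[6], "TypeNum": r[7],
            "TypeName": QUARANTINE_TYPES.get(r[7], "Unknown"),
            "OriginTitle": r[8], "OriginURL": r[9], "OriginAlias": r[10],
        })
    return events


def build_sample_db(path: str) -> None:
    """Write the constructed sample database so the parser has something to read."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(SCHEMA)
        conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                         SAMPLE_ROWS)
    conn.close()


def attachment_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Records whose type marks them as a mail or instant-message attachment."""
    return [e for e in events if e["TypeNum"] in (2, 3)]


def demo() -> List[Dict[str, Any]]:
    """Build the sample database in a temporary directory and parse it for user 'alice'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "com.apple.LaunchServices.QuarantineEventsV2")
        build_sample_db(path)
        return parse_quarantine_db(path, "alice")


if __name__ == "__main__":
    for e in demo():
        print(e["Timestamp"], e["AgentName"], e["TypeName"], e["DataURL"] or e["SenderAdd"])
```

Pointing `parse_quarantine_db` at a real copy of the V2 file reproduces the same field mapping; the read-only URI guards against accidentally modifying the copied evidence, and the timestamp helper keeps NULL timestamps as NULL rather than silently turning them into the epoch.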
Forensic Value
This evidence is crucial for forensic investigations because it reveals downloaded files, their source URLs, the sender of mail or message attachments, and the application that received them, which can indicate phishing, drive-by downloads, or malicious attachments. Records remain in the database after the downloaded file has been deleted, so the table can show a download that no longer exists on disk. The reverse caveat also applies: only applications that apply quarantine create records, so files fetched with command-line tools such as curl, or whose quarantine attribute was stripped, will not appear here.