QuarantineEventsV2 (Downloaded Files Database)

macosUser ActivityDisk Image

Location

~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Description

SQLite database maintained by the macOS quarantine system that records every file downloaded through quarantine-aware applications including Safari, Chrome, Mail, AirDrop, and curl. Each entry contains the download URL, source application bundle ID, download timestamp, and the quarantine agent name.

Forensic Value

QuarantineEventsV2 provides a complete download history with source URLs that persists even after downloaded files are deleted. The LSQuarantineDataURLString field records the exact URL from which a file was downloaded, directly linking malicious payloads to their delivery infrastructure. The LSQuarantineOriginURLString captures the referring page that initiated the download, which may be the phishing page or compromised website. Entries remain in the database long after quarantine attributes are removed from files, creating a permanent download audit trail that attackers cannot clear without root access to the database file itself.

Tools Required

DB Browser for SQLitemac_aptCrowdstrike UACAPOLLO (mac4n6)log2timeline (Plaso)

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical