QuarantineEventsV2 (Downloaded Files Database)
Location
~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
Description
SQLite database maintained by the macOS quarantine system that records every file downloaded through quarantine-aware applications including Safari, Chrome, Mail, AirDrop, and curl. Each entry contains the download URL, source application bundle ID, download timestamp, and the quarantine agent name.
Forensic Value
QuarantineEventsV2 provides a complete download history with source URLs that persists even after downloaded files are deleted. The LSQuarantineDataURLString field records the exact URL from which a file was downloaded, directly linking malicious payloads to their delivery infrastructure. The LSQuarantineOriginURLString captures the referring page that initiated the download, which may be the phishing page or compromised website. Entries remain in the database long after quarantine attributes are removed from files, creating a permanent download audit trail that attackers cannot clear without root access to the database file itself.
Tools Required and Collection Commands
- sqlite3: sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT datetime(LSQuarantineTimeStamp + 978307200, 'unixepoch') AS download_date, LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC"
- cp: cp ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 /forensics/quarantine_events.db
- mac_apt: python mac_apt.py -i /path/to/image -o /forensics/output QUARANTINE
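The following is an added example, not part of the original page or of mac_apt: a small Python parser for a copied QuarantineEventsV2 database that performs the same Cocoa-epoch conversion as the sqlite3 command above (978307200 seconds between 2001-01-01 and the Unix epoch), decodes the download and referrer hosts, and lets an analyst pivot on a known delivery domain. The table columns used are those named on this page plus LSQuarantineEventIdentifier and LSQuarantineAgentBundleIdentifier; build_sample_db() creates a constructed in-memory database with sample rows so the code runs offline.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

COCOA_EPOCH_OFFSET = 978307200  # LSQuarantineTimeStamp is seconds since 2001-01-01 UTC

QUERY = """SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, LSQuarantineAgentName,
  LSQuarantineAgentBundleIdentifier, LSQuarantineDataURLString, LSQuarantineOriginURLString
  FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC"""

def cocoa_to_iso(ts):
    """Cocoa timestamp (float seconds) -> ISO-8601 UTC string; None for a NULL field."""
    if ts is None:
        return None
    return datetime.fromtimestamp(ts + COCOA_EPOCH_OFFSET, tz=timezone.utc).isoformat()

def host_of(url):
    """Host part of a URL; None for NULL values (the origin URL is often NULL)."""
    return urlsplit(url).hostname if url else None

def load_quarantine_events(con):
    """Rows of LSQuarantineEvent, newest first, with decoded timestamp and hosts.
    `con` is an open sqlite3 connection to a copy of QuarantineEventsV2, never the live file."""
    events = []
    for ident, ts, agent, bundle, data_url, origin_url in con.execute(QUERY):
        events.append({"id": ident, "download_date": cocoa_to_iso(ts), "agent": agent,
                       "bundle_id": bundle, "data_url": data_url, "origin_url": origin_url,
                       "data_host": host_of(data_url), "origin_host": host_of(origin_url)})
    return events

def events_matching_host(events, host):
    """Pivot: events whose download or referrer host is `host` or a subdomain of it."""
    hit = lambda h: h is not None and (h == host or h.endswith("." + host))
    return [e for e in events if hit(e["data_host"]) or hit(e["origin_host"])]

def build_sample_db():
    """Constructed in-memory database with the column subset queried above (sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT,
        LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, LSQuarantineAgentBundleIdentifier TEXT,
        LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT)""")
    con.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?)", [
        ("A1", 700000000.0, "Safari", "com.apple.Safari",
         "https://cdn.example.net/Installer.dmg", "https://login-example.net/verify"),
        ("B2", 700003600.0, "curl", None, "https://example.org/tool.tar.gz", None)])
    return con

if __name__ == "__main__":
    for e in load_quarantine_events(build_sample_db()):
        print(e["download_date"], e["agent"], e["data_url"], e["origin_url"])
```

Note that the suffix match is deliberate: a look-alike host such as login-example.net does not match a pivot on example.net, so near-miss domains must be searched for separately.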
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.