Security & Privacy
Quarantine Events
Overview
macOS maintains a quarantine events database that records metadata about every file downloaded from the internet. When a file is downloaded via a browser, email client, or other quarantine-aware application, macOS records the source URL, referrer URL, downloading application, and timestamp. This data persists even if the downloaded file is subsequently deleted, making it an invaluable forensic artifact for tracking file provenance.
The quarantine system has two components: the per-file com.apple.quarantine extended attribute (set on each downloaded file) and the centralised QuarantineEventsV2 SQLite database (which maintains a historical log).
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Download URLs | Where files were downloaded from (including C2, phishing, malware hosting) |
| Referrer URLs | What page led to the download (search results, email links) |
| Downloading app | Which application performed the download (browser, curl, email) |
| Download timestamps | Precise timeline of file acquisition |
| Agent bundle IDs | Application responsible for the download |
| Historical persistence | Records survive file deletion |
File Locations
| Artifact | Path | Format |
|---|---|---|
| Quarantine Events DB | ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 | SQLite |
| Per-file quarantine xattr | com.apple.quarantine (extended attribute on each file) | String |
Database Schema
LSQuarantineEvent table
| Column | Type | Description |
|---|---|---|
| LSQuarantineEventIdentifier | TEXT | Unique event UUID |
| LSQuarantineTimeStamp | REAL | Core Data timestamp (seconds since 2001-01-01) |
| LSQuarantineAgentBundleIdentifier | TEXT | Bundle ID of downloading app |
| LSQuarantineAgentName | TEXT | Display name of downloading app |
| LSQuarantineDataURLString | TEXT | Source URL of the download |
| LSQuarantineSenderName | TEXT | Sender name (for email attachments) |
| LSQuarantineSenderAddress | TEXT | Sender email address |
| LSQuarantineTypeNumber | INTEGER | Download type (0=web, 1=email, etc.) |
| LSQuarantineOriginURLString | TEXT | Referrer URL (page that linked to download) |
Per-File Extended Attribute
The `com.apple.quarantine` xattr is a semicolon-delimited string:

```
flag;timestamp;agent_name;uuid
```

Example: `0083;6541b3a4;Safari;12345678-1234-1234-1234-123456789012`
| Field | Description |
|---|---|
| flag | Quarantine flags (hex bitmask) |
| timestamp | Hex-encoded seconds since 2001-01-01 |
| agent_name | Downloading application name |
| uuid | Links to QuarantineEventsV2 database UUID |
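The attribute layout above, as an added parser (example code written for this page, not macfor's or Apple's). It splits the four fields, decodes the hex flag and timestamp fields, validates the UUID so a hand-edited attribute is noticed, and returns the UUID lowercased for lookup in the events database. The timestamp is decoded as Unix epoch seconds: the page's own sample value 0x6541b3a4 is 1698804644, which reads as 2023-11-01 02:10:44 UTC that way, whereas adding the 2001 epoch offset to it would land in 2054. The sample string is the one from this page, and `read_quarantine_xattr` (a hypothetical helper) shells out to the `xattr -p` command this page documents; the file path in it is a placeholder.

```python
import subprocess
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class QuarantineXattr:
    flags: int            # hex bitmask from the first field, as an int
    unix_seconds: int     # decoded timestamp field as Unix epoch seconds
    timestamp: datetime   # the same instant as an aware UTC datetime
    agent_name: str       # downloading application name
    event_uuid: str       # key into LSQuarantineEvent.LSQuarantineEventIdentifier


def parse_quarantine_xattr(raw: str) -> QuarantineXattr:
    """Parse a com.apple.quarantine value of the form flag;timestamp;agent_name;uuid.

    Assumption of this example: the hex timestamp field is Unix epoch seconds
    (the page's sample 0x6541b3a4 decodes to 2023-11-01 under that reading).
    """
    parts = raw.strip().split(";")
    if len(parts) != 4:
        raise ValueError(f"expected 4 ';'-separated fields, got {len(parts)}: {raw!r}")
    flag_hex, ts_hex, agent_name, event_uuid = parts
    try:
        flags = int(flag_hex, 16)
        unix_seconds = int(ts_hex, 16)
        uuid.UUID(event_uuid)  # reject a truncated or hand-edited UUID
    except ValueError as exc:
        raise ValueError(f"malformed quarantine attribute {raw!r}: {exc}") from exc
    return QuarantineXattr(
        flags=flags,
        unix_seconds=unix_seconds,
        timestamp=datetime.fromtimestamp(unix_seconds, tz=timezone.utc),
        agent_name=agent_name,
        event_uuid=event_uuid.lower(),
    )


def is_valid_quarantine_xattr(raw: str) -> bool:
    """True if the attribute parses; handy when sweeping a Downloads folder."""
    try:
        parse_quarantine_xattr(raw)
    except ValueError:
        return False
    return True


def read_quarantine_xattr(path: str) -> QuarantineXattr:
    """Hypothetical helper: read the attribute from disk via the xattr tool (macOS only)."""
    raw = subprocess.check_output(["xattr", "-p", "com.apple.quarantine", path], text=True)
    return parse_quarantine_xattr(raw)


if __name__ == "__main__":
    # Sample attribute value taken from this page.
    sample = "0083;6541b3a4;Safari;12345678-1234-1234-1234-123456789012"
    q = parse_quarantine_xattr(sample)
    print(f"flags=0x{q.flags:04x} agent={q.agent_name} "
          f"time={q.timestamp.isoformat()} uuid={q.event_uuid}")
```

Feed the parsed `event_uuid` into a query on `LSQuarantineEventIdentifier` to recover the download URL and referrer for the file; if the attribute is missing on a file that clearly arrived via a browser, that absence is itself worth noting.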
Key Fields for Analysis
Essential Query
```sql
SELECT
    LSQuarantineAgentName AS app,
    LSQuarantineDataURLString AS download_url,
    LSQuarantineOriginURLString AS referrer_url,
    datetime(LSQuarantineTimeStamp + 978307200, 'unixepoch') AS download_time,
    LSQuarantineSenderName AS sender,
    LSQuarantineSenderAddress AS sender_email
FROM LSQuarantineEvent
ORDER BY LSQuarantineTimeStamp DESC;
```
Downloads from Suspicious Sources
```sql
-- Find downloads served over plaintext HTTP, from a raw IP address host, or on an explicit port.
-- SQLite LIKE has no character classes ('[0-9]' is matched literally), so the
-- port and IP tests use GLOB, which does support them. Both GLOB tests are
-- heuristics: review the hits rather than treating every match as malicious.
SELECT
    LSQuarantineDataURLString AS url,
    LSQuarantineAgentName AS app,
    datetime(LSQuarantineTimeStamp + 978307200, 'unixepoch') AS time
FROM LSQuarantineEvent
WHERE LSQuarantineDataURLString LIKE 'http://%'
   OR LSQuarantineDataURLString GLOB '*://[0-9]*.[0-9]*.[0-9]*.[0-9]*'
   OR LSQuarantineDataURLString GLOB '*://[^/]*:[0-9]*'
ORDER BY LSQuarantineTimeStamp DESC;
```
Check Per-File Quarantine Attribute
```bash
xattr -p com.apple.quarantine /path/to/downloaded/file
```
Timestamps
Quarantine timestamps use Core Data timestamps (seconds since 2001-01-01 00:00:00 UTC).
```
Unix timestamp = quarantine_timestamp + 978307200
```
Analysis Notes
- Survives file deletion: The quarantine events database retains records even after the downloaded file has been deleted. This makes it a reliable source for establishing that a file was once present on the system.
- Malware delivery tracking: For malware investigations, the quarantine database reveals the entire download chain — which URL the malware was downloaded from, what page referred to it, and which application performed the download.
- Email attachment tracking: When email attachments are saved, the sender name and address are recorded. This connects file downloads to specific email communications.
- Anti-forensics detection: Users can clear the quarantine database or remove the xattr with `xattr -d com.apple.quarantine`. An empty database on an actively used system is suspicious.
- Browser correlation: Cross-reference quarantine event timestamps with browser history to build a complete narrative of the download workflow.
- UUID linking: The UUID in the per-file xattr links to a specific record in the QuarantineEventsV2 database, enabling precise correlation between a file on disk and its download metadata.
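The database side of the analysis above (the "Downloads from Suspicious Sources" query, the anti-forensics check for an empty table, and UUID linking from a file's xattr back to its event row), as an added example written for this page rather than code from macfor or Apple. It builds an in-memory SQLite copy of `LSQuarantineEvent` with the columns documented above and seeds it with constructed rows (hypothetical hosts, UUIDs and times, not real evidence); pass the real `QuarantineEventsV2` path, preferably of a read-only copy, to run the same functions against a live artifact. Timestamps are converted in SQL with the `+ 978307200` Core Data offset, and the suspicious-source test is done in Python with `urllib.parse` so that a raw IP host and an explicit port are detected exactly rather than with a LIKE/GLOB approximation.

```python
import ipaddress
import sqlite3
from typing import Optional
from urllib.parse import urlsplit

CORE_DATA_EPOCH_OFFSET = 978307200  # Unix seconds at 2001-01-01 00:00:00 UTC

# Columns as documented for the LSQuarantineEvent table on this page.
SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineSenderName TEXT,
    LSQuarantineSenderAddress TEXT,
    LSQuarantineTypeNumber INTEGER,
    LSQuarantineOriginURLString TEXT
)
"""

# Constructed sample rows (hypothetical hosts, UUIDs and times; not real evidence).
# Timestamps are Core Data seconds: 720000000 is 2023-10-26 08:00:00 UTC.
SAMPLE_EVENTS = [
    ("11111111-1111-1111-1111-111111111111", 720000000.0, "com.apple.Safari", "Safari",
     "https://example.com/installer.pkg", None, None, 0, "https://example.com/download"),
    ("22222222-2222-2222-2222-222222222222", 720003600.0, "com.apple.Safari", "Safari",
     "http://203.0.113.10:8080/update.zip", None, None, 0, "https://example.net/promo"),
    ("33333333-3333-3333-3333-333333333333", 720007200.0, "com.apple.mail", "Mail",
     "file:///Users/analyst/Downloads/invoice.pdf", "Pat Example", "pat@example.org", 1, None),
]

EVENT_QUERY = f"""
SELECT LSQuarantineEventIdentifier AS event_uuid,
       LSQuarantineAgentName        AS app,
       LSQuarantineDataURLString    AS download_url,
       LSQuarantineOriginURLString  AS referrer_url,
       datetime(LSQuarantineTimeStamp + {CORE_DATA_EPOCH_OFFSET}, 'unixepoch') AS download_time,
       LSQuarantineSenderName       AS sender,
       LSQuarantineSenderAddress    AS sender_email
FROM LSQuarantineEvent
"""


def open_quarantine_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open a QuarantineEventsV2 file; the default ':memory:' builds the sample copy."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    if path == ":memory:":
        conn.execute(SCHEMA)
        conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    return conn


def list_events(conn: sqlite3.Connection) -> list[dict]:
    """All download events, newest first, with Core Data timestamps converted to UTC text."""
    rows = conn.execute(EVENT_QUERY + "ORDER BY LSQuarantineTimeStamp DESC").fetchall()
    return [dict(r) for r in rows]


def suspicious_reasons(url: Optional[str]) -> list[str]:
    """Plaintext HTTP, a raw IP literal as host, or an explicit port in the URL."""
    reasons: list[str] = []
    if not url:
        return reasons
    parts = urlsplit(url)
    if parts.scheme == "http":
        reasons.append("plaintext http")
    if parts.hostname:
        try:
            ipaddress.ip_address(parts.hostname)
            reasons.append("raw IP host")
        except ValueError:
            pass  # a DNS name, not an IP literal
    try:
        port = parts.port
    except ValueError:
        port = None  # non-numeric port text; treat as absent
    if port is not None:
        reasons.append(f"explicit port {port}")
    return reasons


def flag_suspicious(conn: sqlite3.Connection) -> list[dict]:
    """Events whose download URL trips at least one heuristic, with the reasons attached."""
    return [{**ev, "reasons": r} for ev in list_events(conn)
            if (r := suspicious_reasons(ev["download_url"]))]


def event_for_xattr_uuid(conn: sqlite3.Connection, xattr_uuid: str) -> Optional[dict]:
    """Resolve the UUID from a file's com.apple.quarantine xattr to its database record."""
    row = conn.execute(EVENT_QUERY + "WHERE lower(LSQuarantineEventIdentifier) = lower(?)",
                       (xattr_uuid,)).fetchone()
    return dict(row) if row else None


def looks_cleared(conn: sqlite3.Connection) -> bool:
    """An empty events table on a system in daily use is itself a finding."""
    return conn.execute("SELECT count(*) FROM LSQuarantineEvent").fetchone()[0] == 0


if __name__ == "__main__":
    db = open_quarantine_db()
    for ev in flag_suspicious(db):
        print(ev["download_time"], ev["app"], ev["download_url"], ev["reasons"])
```

On a live system the user's copy of the database is open by LaunchServices, so copy it first and point `open_quarantine_db` at the copy; an SQLite open of the original can also change its WAL state, which matters for evidence handling.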
Version Differences
| macOS Version | Changes |
|---|---|
| 10.5 (Leopard) | Quarantine system introduced |
| 10.7 (Lion) | QuarantineEventsV2 database format established |
| 10.15 (Catalina) | Enhanced quarantine enforcement with notarization |
| 12 (Monterey) | Quarantine checks integrated with XProtect Remediator |
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| sqlite3 | Manual database inspection |
| xattr (macOS built-in) | Read per-file quarantine attributes |
| AXIOM (Magnet) | Commercial quarantine analysis |
| mac_apt | Open-source quarantine parser |