Skip to main content

Quarantine Events

When a user downloads files from the Internet, applications/macOS will often apply a quarantine attribute to the file to indicate it was downloaded online. These events are tracked in a sqlite file at:

  • ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Collection

You have to use the artemis api in order to parse Quarantine Event data.

Sample API Script

import { quarantineEvents } from "https://raw.githubusercontent.com/puffycid/artemis-api/master/mod.ts";

function main() {
  const results = quarantineEvents();
  console.log(results);
}

Output Structure

An array of MacosQuarantine objects

export interface MacosQuarantine {
  path: string;
  events: QuarantineEvent[];
}
export interface QuarantineEvent {
  id: string;
  timestamp: string;
  bundle_id?: string;
  agent_name: string;
  url_string?: string;
  sender_name?: string;
  sender_address?: string;
  type: QuarantineType;
  origin_title?: string;
  origin_url?: string;
  origin_alias?: string;
}

export enum QuarantineType {
  WEBDOWNLOAD = "WebDownload",
  DOWNLOAD = "Download",
  EMAILATTACHMENT = "EmailAttachment",
  MESSAGEATTACHMENT = "MessageAttachment",
  CALENDARATTACHMENT = "CalendarAttachment",
  ATTACHMENT = "Attachment",
  UNKNOWN = "Unknown",
}