Parses Safari downloads for all standard macOS users
NOTE: By default Safari download history is only retained for 24 hours
name: MacOS.Applications.Safari.Downloads
description: |
Parses Safari downloads for all standard macOS users
**NOTE**: By default Safari download history is only retained for 24 hours
author: Deepak Sharma - @rxurien
type: CLIENT
precondition: SELECT OS From info() where OS = 'darwin'
parameters:
- name: DownloadsPath
default: /Users/*/Library/Safari/Downloads.plist
- name: UserRegex
default: .
- name: UploadFile
description: Upload Downloads.plist File
type: bool
sources:
- name: Downloads
query: |
LET DownloadsGlob = SELECT
parse_string_with_regex(regex="/Users/(?P<User>[^/]+)", string=FullPath).User AS User,
FullPath, Mtime, plist(file=FullPath) AS Content from glob(globs=DownloadsPath)
SELECT * FROM foreach(row=DownloadsGlob,
query={
SELECT * FROM foreach(row=Content.DownloadHistory, query={SELECT DownloadEntryDateAddedKey AS StartTime, DownloadEntryDateFinishedKey AS EndTime, User, DownloadEntryPath AS DownloadPath, DownloadEntryURL AS URL, DownloadEntryProgressBytesSoFar AS BytesDownloaded, DownloadEntryProgressTotalToLoad AS BytesTotal, DownloadEntryRemoveWhenDoneKey AS IncognitoDownload, FullPath AS FilePath from scope()})
})
- name: Upload
query: |
SELECT * FROM if(condition=UploadFile,
then={
SELECT User, FullPath AS FilePath,
upload(file=FullPath) AS FileDetails
FROM DownloadsGlob
})