osquery - How can I retrieve a file origin using osquery?


I'm using osquery on Windows and I need help: I want to retrieve the file origin of a specific file. For example, I download a file from http://example.com and I'm looking for a query on osquery that shows me the info that I downloaded that specific file from http://example.com (or something like this). I thought that to derive this information I could compare the timestamps between the file table and the routes table, but there is no timestamp column in routes. How can I do that?


BEST ANSWER

I don't see a table for this on Windows, although the information is available on the system through ADS (see this answer). I would open an issue for this on the osquery repo; it would be a valuable table to have.

You can use the extended_attributes table. For example:

osquery> select path, key, value, base64 from extended_attributes where path ='/Users/victor/Downloads/osqueryi.zip';
  path = /Users/victor/Downloads/osqueryi.zip
   key = com.apple.lastuseddate#PS
 value = eynzWgAAAAAbZEQgAAAAAA==
base64 = 1

  path = /Users/victor/Downloads/osqueryi.zip
   key = where_from
 value = https://files.slack.com/files-pri/T04QVKUQG-FALAL3WP2/download/osqueryi.zip
base64 = 0
osquery>
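The answer above shows the macOS path (the where_from extended attribute) and notes that on Windows the same provenance lives in an NTFS alternate data stream that osquery does not expose. On Windows that stream is named Zone.Identifier (the "Mark-of-the-Web") and holds an INI-style [ZoneTransfer] block with ZoneId, ReferrerUrl and HostUrl. The following is an added example, not code from the answer or from the osquery project: it reads that stream directly and parses it, which is what a defender would do to establish a downloaded file's origin until a table exists. The sample stream content and the paths are constructed for the example.

```python
import configparser
import sys
from typing import Optional

# Constructed sample of a Zone.Identifier alternate data stream as browsers
# write it on Windows. The URLs and zone are made up for this example.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://example.com/downloads/
HostUrl=http://example.com/downloads/report.zip
"""

# Windows URL security zone ids as recorded in ZoneId.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse the [ZoneTransfer] block of a Zone.Identifier stream.

    Returns a dict with zone_id, zone_name, referrer_url and host_url.
    ReferrerUrl/HostUrl are None when the writer omitted them (some
    browsers only record ZoneId, or record HostUrl=about:internet).
    """
    # interpolation=None so '%' in URL-encoded values is left alone.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("stream has no [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of a file on an NTFS volume.

    On Windows, CPython's open() passes the 'file:stream' form through to
    CreateFileW, so the stream can be read like a normal file. Returns None
    when the file has no such stream (a file that was not downloaded, or
    whose mark was removed) or when the platform has no ADS support.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def file_origin(path: str) -> Optional[dict]:
    """Return the parsed origin of a downloaded file, or None if unmarked."""
    raw = read_zone_identifier(path)
    if raw is None:
        return None
    return parse_zone_identifier(raw)


if __name__ == "__main__":
    # Usage: python zone_identifier.py C:\Users\victor\Downloads\report.zip
    if len(sys.argv) == 2:
        origin = file_origin(sys.argv[1])
        print(origin if origin else "no Zone.Identifier stream on this file")
    else:
        # No path given: show the parser on the constructed sample.
        print(parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
```

The absence of a Zone.Identifier stream is itself a signal worth recording: a file that arrived from the Internet but carries no mark was either copied onto a non-NTFS volume along the way or had the mark stripped, so a provenance check should report "unmarked" rather than silently treating it as local.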
ANSWER

+1 on what @groob mentioned, this'd be a nice table to have and I think we've wanted it for some time. I thought we already had an issue cut for this, but I went ahead and made a new one as simple searches weren't turning anything up. Thanks for the question :) https://github.com/facebook/osquery/issues/5250