Screensharing
Overview
Evidence: Screensharing
Description: Filter screen sharing events
Category: System
Platform: macos
Short Name: sch
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
macOS screen sharing functionality is managed by the screensharingd daemon and the ScreensharingAgent process. These handle VNC-based remote desktop sessions, allowing users to view and control the Mac remotely. Logs capture connection attempts, session establishments, and screen sharing activities.
Data Collected
This collector gathers structured data about screen sharing.
Collection Method
This collector uses the macOS ‘log’ command with predicate-based filtering to extract screen sharing daemon and agent events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType=‘Screensharing’.
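A manual equivalent of this collection for analysts who want to reproduce it, as an added example that is not the collector's own code. The predicate text, the row fields other than PredicateType, and the sample entries are assumptions constructed for illustration.

```python
import json
import os

# Assumed predicate: the page names the two processes, not the exact predicate text.
PREDICATE = 'process == "screensharingd" OR process == "ScreensharingAgent"'
PROCESSES = {"screensharingd", "ScreensharingAgent"}

def log_command(window="3d"):
    """argv for the macOS `log` tool: last 3 days, JSON output, process predicate."""
    return ["log", "show", "--last", window, "--style", "json", "--predicate", PREDICATE]

def to_rows(json_text):
    """Map `log show --style json` output (a JSON array) to unified_logs-style rows."""
    rows = []
    for entry in json.loads(json_text):
        process = os.path.basename(entry.get("processImagePath", ""))
        if process not in PROCESSES:  # re-check in case the input is a broader export
            continue
        rows.append({
            "Timestamp": entry.get("timestamp"),
            "Process": process,
            "PID": entry.get("processID"),
            "Message": entry.get("eventMessage", ""),
            "PredicateType": "Screensharing",  # tag named on this page
        })
    return rows

# Constructed sample entries (paths, PIDs and messages are illustrative, not captured logs).
RM = "/System/Library/CoreServices/RemoteManagement/"
SAMPLE = json.dumps([
    {"timestamp": "2024-05-01 10:15:02.000000-0700", "processID": 812,
     "processImagePath": RM + "screensharingd.bundle/Contents/MacOS/screensharingd",
     "eventMessage": "constructed: viewer connection attempt"},
    {"timestamp": "2024-05-01 10:15:03.000000-0700", "processID": 455,
     "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "constructed: unrelated entry"},
    {"timestamp": "2024-05-01 10:15:09.000000-0700", "processID": 830,
     "processImagePath": RM + "ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent",
     "eventMessage": "constructed: session established"},
])

if __name__ == "__main__":
    print(" ".join(log_command()))   # command to run on the Mac under investigation
    for row in to_rows(SAMPLE):
        print(row)
```

On a live system, pass the standard output of the printed command to to_rows() instead of SAMPLE.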
Forensic Value
Screen sharing logs are valuable for investigating unauthorized remote access, surveillance activities, data theft, and remote control of systems. They reveal when screen sharing was enabled, connection sources, and session durations, which are critical for detecting unauthorized monitoring or remote attacks.