Tccd
Overview
Section titled “Overview”Evidence: Tccd
Description: Filter tccd events
Category: System
Platform: macos
Short Name: tccd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”The Transparency, Consent, and Control Daemon (tccd) manages privacy permissions on macOS including camera, microphone, screen recording, accessibility, and file access permissions. It logs all permission requests, grants, and denials for applications.
Data Collected
Section titled “Data Collected”This collector gathers structured data about tccd.
Collection Method
Section titled “Collection Method”This collector uses the macOS ‘log’ command with predicate-based filtering to extract tccd process events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType=‘Tccd’.
Forensic Value
Section titled “Forensic Value”TCC events are critical for investigating privacy violations, malware behavior, spyware activities, and unauthorized access to sensitive resources. They reveal which applications requested camera/microphone access, screen recording capabilities, and file system permissions, helping identify suspicious privilege escalation and data collection attempts.