Privacy Permissions Database (TCC.db)
Location
private/var/mobile/Library/TCC/TCC.db
Description
SQLite database implementing the Transparency, Consent, and Control framework that records privacy permission grants for each application. Tracks which apps have been authorized to access sensitive resources including Contacts, Photos, Camera, Microphone, Location Services, Calendars, Reminders, Bluetooth, Health data, and Motion & Fitness. Each record contains the app bundle ID, the service type, the authorization status, and a modification timestamp.
Forensic Value
TCC.db reveals which applications were granted access to sensitive device capabilities, directly identifying potential stalkerware or surveillance applications that obtained camera, microphone, or location permissions. Comparing granted permissions against expected application functionality identifies over-privileged apps that may be operating maliciously. The modification timestamp on permission records establishes when access was granted, which can correlate with social engineering or physical access events. Applications granted accessibility or full device access permissions warrant particular scrutiny as these enable extensive device monitoring capabilities.
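
The comparison of granted permissions against expected application functionality, sketched as an added example that is not part of the original page. It runs on constructed rows and assumes the `access` table layout of recent iOS versions (`service`, `client`, `auth_value` with 2 meaning allowed, `last_modified` in Unix epoch seconds); the bundle IDs and the baseline are hypothetical.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema subset (not stated on the page): table `access` with columns
# service, client, auth_value, last_modified (Unix epoch seconds).
SENSITIVE = {"kTCCServiceCamera", "kTCCServiceMicrophone",
             "kTCCServiceAddressBook", "kTCCServicePhotos"}
AUTH_ALLOWED = 2  # assumed encoding: 0 = denied, 2 = allowed

def build_sample_db():
    """Constructed sample rows standing in for a working copy of TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "auth_value INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.videochat", 2, 1700000000),
        ("kTCCServiceMicrophone", "com.example.flashlight", 2, 1700003600),
        ("kTCCServiceAddressBook", "com.example.flashlight", 2, 1700003660),
        ("kTCCServicePhotos", "com.example.notes", 0, 1700010000),   # denied
        ("kTCCServiceCalendar", "com.example.notes", 2, 1700010000),
    ])
    return conn

def unexpected_grants(conn, expected):
    """Return granted sensitive permissions not covered by the baseline.

    expected maps bundle ID -> set of services the app plausibly needs.
    Results are ordered by grant time so they can be lined up with a timeline.
    """
    rows = conn.execute(
        "SELECT client, service, last_modified FROM access "
        "WHERE auth_value = ? ORDER BY last_modified", (AUTH_ALLOWED,))
    findings = []
    for client, service, ts in rows:
        if service in SENSITIVE and service not in expected.get(client, set()):
            when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
            findings.append((client, service, when))
    return findings

if __name__ == "__main__":
    # Hypothetical examiner baseline: only the video chat app needs these.
    baseline = {"com.example.videochat": {"kTCCServiceCamera",
                                          "kTCCServiceMicrophone"}}
    for finding in unexpected_grants(build_sample_db(), baseline):
        print(*finding, sep="  ")
```

Against real evidence, pass a connection opened read-only on a working copy of the extracted file, and confirm the column names against that copy's schema first, since they differ between iOS versions.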