TCC.db (Transparency, Consent, and Control)

macosSystem ConfigurationDisk Image

Location

/Library/Application Support/com.apple.TCC/TCC.db (system-wide) and ~/Library/Application Support/com.apple.TCC/TCC.db (per-user)

Description

SQLite database controlling macOS privacy permissions including Full Disk Access, Screen Recording, Accessibility, Camera, Microphone, and Automation access. Each record contains the requesting application bundle ID, the service being accessed, the authorization decision, and a timestamp of when access was granted or denied.

Forensic Value

TCC.db reveals which applications were granted sensitive permissions and when, directly supporting detection of surveillance tools and spyware that require Screen Recording, Accessibility, or Input Monitoring access. Unauthorized Full Disk Access grants indicate an attacker or malware bypassed macOS security to access protected user data. Comparing TCC grants against expected application permissions identifies anomalous access. Forensic tools themselves often require FDA grants, so the presence of forensic tool entries may indicate prior investigations on the system.

Tools Required

DB Browser for SQLitemac_apttccutilCrowdstrike UACAutopsy

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical