TCC.db (Transparency, Consent, and Control)
Location
/Library/Application Support/com.apple.TCC/TCC.db (system-wide) and ~/Library/Application Support/com.apple.TCC/TCC.db (per-user)
Description
SQLite database controlling macOS privacy permissions including Full Disk Access, Screen Recording, Accessibility, Camera, Microphone, and Automation access. Each record contains the requesting application bundle ID, the service being accessed, the authorization decision, and a timestamp of when access was granted or denied.
Forensic Value
TCC.db reveals which applications were granted sensitive permissions and when, directly supporting detection of surveillance tools and spyware that require Screen Recording, Accessibility, or Input Monitoring access. Unauthorized Full Disk Access (FDA) grants indicate an attacker or malware bypassed macOS security to access protected user data. Comparing TCC grants against expected application permissions identifies anomalous access. Forensic tools themselves often require FDA grants, so the presence of forensic tool entries may indicate prior investigations on the system.
Tools Required
Collection Commands
sqlite3
sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT service, client, auth_value, auth_reason, last_modified FROM access ORDER BY last_modified DESC"
sqlite3
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * FROM access WHERE auth_value = 2"
cp
sudo cp "/Library/Application Support/com.apple.TCC/TCC.db" /forensics/tcc_system.db && cp ~/Library/Application\ Support/com.apple.TCC/TCC.db /forensics/tcc_user.db
mac_apt
python mac_apt.py -i /path/to/image -o /forensics/output TCC
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
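The comparison of TCC grants against expected application permissions described under Forensic Value can be scripted against a collected copy. The following is an added example, not part of the original page or of any tool it names: the service identifiers, the auth_value meanings and the epoch-seconds reading of last_modified are assumptions based on recent macOS releases, and the bundle IDs, allowlist and sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Service identifiers and auth_value meanings as seen on recent macOS releases
# (assumption: confirm against the schema of the release under examination).
SENSITIVE = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceListenEvent": "Input Monitoring",
}
AUTH = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}

def review_grants(conn, expected):
    """Return allowed sensitive grants whose (service, client) is not in `expected`."""
    rows = conn.execute(
        "SELECT service, client, auth_value, auth_reason, last_modified "
        "FROM access ORDER BY last_modified DESC")
    findings = []
    for service, client, auth_value, auth_reason, modified in rows:
        if service not in SENSITIVE or AUTH.get(auth_value) != "allowed":
            continue  # not a sensitive service, or not an active grant
        if (service, client) in expected:
            continue  # grant matches the baseline for this host
        # Assumption: last_modified holds Unix epoch seconds.
        when = datetime.fromtimestamp(modified, tz=timezone.utc).isoformat()
        findings.append({"permission": SENSITIVE[service], "client": client,
                         "auth_reason": auth_reason, "last_modified_utc": when})
    return findings

def build_sample_db():
    """Constructed sample data: only the columns queried above, not the full schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 2, 4, 1700000000),
        ("kTCCServiceScreenCapture", "com.example.unknown-helper", 2, 3, 1700003600),
        ("kTCCServiceAccessibility", "com.example.denied-app", 0, 3, 1700007200),
        ("kTCCServiceCamera", "com.example.meetings", 2, 3, 1700010800),
    ])
    return conn

# Hypothetical baseline of grants expected on this host.
EXPECTED = {("kTCCServiceSystemPolicyAllFiles", "com.example.backup")}

if __name__ == "__main__":
    for finding in review_grants(build_sample_db(), EXPECTED):
        print(finding)
```

To run it on evidence, pass a read-only connection to the working copy instead of the sample database, for example `sqlite3.connect("file:/forensics/tcc_system.db?mode=ro", uri=True)`.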