Log Analysis & TCC Database

macOS logs and the TCC (Transparency, Consent, and Control) database hold critical evidence about system activity, security events, permission grants, and application behavior. These artifacts provide deep insight into how the system was used, what apps accessed sensitive resources, and whether malicious processes attempted to bypass security controls.

This chapter explains how macOS logs work, where they are stored, how to extract evidence, and how the TCC database reveals permission-based activity across the system.


macOS Log Analysis

macOS uses a unified logging system that records system-wide and app-level events. Logs provide detailed evidence of execution, errors, crashes, authentication attempts, network activity, security warnings, and system behavior.


Unified Log System Overview

Since macOS Sierra (10.12), Apple writes system and app log entries in a compressed binary format (.tracev3 files) instead of plain text. The raw data lives in:

/private/var/db/diagnostics/
/private/var/db/uuidtext/

(/var is a symlink to /private/var, so /var/db/diagnostics/ is the same location.) The tracev3 files in diagnostics/ cannot be decoded without the format strings and image metadata in uuidtext/, so a forensic copy must include both directories. Read them with the log command, or collect them into a .logarchive for offline analysis.


Key Log Types

System Logs

Contain high-level system messages from the legacy syslog path:

/var/log/system.log

Since Sierra most messages go to the unified log instead, so on current releases this file holds only a subset (mainly from processes that still use the syslog API) and may be nearly empty. Treat it as a supplement to the unified log, not a substitute.

Evidence includes:

  • System events

  • Errors and crashes

  • Daemon activity

  • Unexpected restarts

  • Kernel warnings


Install Logs

Track package and app installations, software updates and App Store downloads, including package identifiers, install paths and installer signature checks. Gatekeeper assessments themselves are written to the unified log by syspolicyd, so pair this file with a log show query for that process. The file rotates (install.log.0.gz and so on), so check the rotated copies as well:

/var/log/install.log

Useful for:

  • Detecting unknown app installations

  • Verifying timestamps of suspicious software

  • Installer package signature checks (Gatekeeper decisions proper are in the unified log)

  • Code signing failures


Wi-Fi Logs

On older macOS releases the Wi-Fi daemon kept a plain-text log at:

/private/var/log/wifi.log

On current releases this file is usually absent and the same events are written to the unified log by the airportd process, so query there when the file is missing.

Reveals:

  • Connected networks

  • Connection times

  • Security types

  • BSSIDs (access-point MAC addresses)


SSH & Authentication Logs

On macOS there is no dedicated auth.log; authentication events are spread across several unified-log producers: sshd (remote logins), sudo (command-level privilege use), loginwindow (GUI login and unlock), opendirectoryd (password verification) and authd (Authorization Services prompts, such as admin rights requested by installers). Query them by process:

log show --predicate 'process == "sshd" OR process == "sudo" OR process == "loginwindow" OR process == "authd"' --info --last 7d

Shows:

  • Login attempts

  • SSH authentication

  • Privilege escalations

  • Failed password attempts


Crash Logs

Located in:

~/Library/Logs/DiagnosticReports/
/Library/Logs/DiagnosticReports/

The user directory holds crashes of that user's processes; the system directory holds crashes of daemons and root-owned processes. Recent releases write .ips files (a JSON header line followed by a JSON body) instead of the older .crash text format, so parsers must handle both.

Used to identify:

  • Malware crashes

  • Script failures

  • Abnormal binary execution

  • Unexpected app behavior

Crash logs often contain file paths and execution traces.


Application Logs

Apps store logs in:

~/Library/Logs/
~/Library/Containers/<app>/Data/Library/Logs/

Artifacts include:

  • Chat app logs

  • Browser event history

  • VPN events

  • Cloud sync logs

App logs reveal user interactions and possible malicious activity.


Retrieving macOS Logs

Show logs within a time range (local time; "YYYY-MM-DD" or "YYYY-MM-DD HH:MM:SS"):

log show --start "2025-01-01" --end "2025-01-02"

Filter logs by process (add --info or --debug to include info- and debug-level messages, which are omitted by default):

log show --predicate 'process == "Safari"' --info

Filter logs for errors and faults. The severity lives in messageType; eventType only distinguishes log entries from activities and signposts and carries no severity:

log show --predicate 'messageType == error OR messageType == fault' --style syslog

Export the live system's logs for offline analysis (needs root to read the full system log store), then read the archive with the same filters. Use --style json when the output will be parsed by a script:

sudo log collect --output unifiedlogs.logarchive
log show --archive unifiedlogs.logarchive --predicate 'process == "sshd"' --info --style json

Collect the archive early: the unified log store rotates old tracev3 files out as it fills, so evidence ages off the system. These filters let investigators focus on specific events instead of reading the whole store.
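As an added example (not part of the original page), the following Python script triages sshd and sudo events exported from a collected archive with log show --style json, the way an investigator would after the export step above. It assumes the exported records carry the timestamp, processImagePath and eventMessage keys that log show's JSON style emits, and that the messages keep the standard OpenSSH and sudo wording; the records embedded in SAMPLE_JSON are constructed for this example, not real data.

```python
"""Triage sshd/sudo events from `log show --style json` output.

Added example, not code from the original page. Assumed input:

    log show --archive unifiedlogs.logarchive --style json --info \
        --predicate 'process == "sshd" OR process == "sudo"' > auth.json

Only the timestamp, processImagePath and eventMessage keys are used.
"""
import json
import re
from collections import Counter

# Standard OpenSSH and sudo message formats as they appear in eventMessage
SSH_ACCEPT = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SSH_FAIL = re.compile(r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_CMD = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

# Constructed sample records (fabricated for this example, not from a real host)
SAMPLE_JSON = json.dumps([
    {"timestamp": "2025-01-01 09:58:01.000000-0800", "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Failed password for invalid user root from 203.0.113.7 port 41022 ssh2"},
    {"timestamp": "2025-01-01 09:58:03.000000-0800", "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2"},
    {"timestamp": "2025-01-01 09:58:05.000000-0800", "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Failed password for invalid user test from 203.0.113.7 port 41041 ssh2"},
    {"timestamp": "2025-01-01 10:00:00.000000-0800", "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Accepted publickey for analyst from 10.0.0.5 port 52211 ssh2: ED25519 SHA256:abc"},
    {"timestamp": "2025-01-01 10:00:30.000000-0800", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "    analyst : TTY=ttys000 ; PWD=/Users/analyst ; USER=root ; "
                     "COMMAND=/usr/bin/sqlite3 /Library/Application Support/com.apple.TCC/TCC.db"},
    {"timestamp": "2025-01-01 10:01:00.000000-0800", "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Connection closed by 10.0.0.5 port 52211"},
])


def parse_events(raw_json):
    """Normalize sshd/sudo records into (timestamp, kind, fields) tuples.

    Records that match none of the known message shapes are dropped."""
    events = []
    for rec in json.loads(raw_json):
        msg = rec.get("eventMessage", "")
        proc = rec.get("processImagePath", "").rsplit("/", 1)[-1]
        ts = rec.get("timestamp", "")
        if proc == "sshd":
            if m := SSH_ACCEPT.search(msg):
                events.append((ts, "ssh_accept", m.groupdict()))
            elif m := SSH_FAIL.search(msg):
                events.append((ts, "ssh_fail", m.groupdict()))
        elif proc == "sudo":
            if m := SUDO_CMD.match(msg):
                events.append((ts, "sudo", m.groupdict()))
    return events


def failed_logins_by_source(events, threshold=3):
    """Return {ip: failure_count} for sources at or above the threshold."""
    counts = Counter(f["ip"] for _, kind, f in events if kind == "ssh_fail")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def accepted_logins(events):
    """Return [(timestamp, user, source_ip, method)] for successful SSH logins."""
    return [(ts, f["user"], f["ip"], f["method"]) for ts, kind, f in events if kind == "ssh_accept"]


def sudo_commands(events):
    """Return [(timestamp, user, target_user, command)] for privilege use."""
    return [(ts, f["user"], f["target"], f["cmd"]) for ts, kind, f in events if kind == "sudo"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_JSON)
    print("brute-force candidates:", failed_logins_by_source(evs))
    print("accepted logins:", accepted_logins(evs))
    for row in sudo_commands(evs):
        print("sudo:", row)
```

Replace SAMPLE_JSON with the contents of the exported auth.json; the regexes and the failure threshold are the places to tune for a given environment.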


High-Value Log Artifacts for Forensics

  • App installations or removals

  • Suspicious binary executions

  • Gatekeeper and quarantine events

  • Login/logout timestamps

  • Privilege escalation indicators

  • Crash logs pointing to malware

  • Network connection logs

  • File access and sandbox violations

  • Kernel extension loading

  • USB/device events

Logs help reconstruct timelines and detect tampering or unusual behavior.


TCC Database (Transparency, Consent, and Control)

The TCC database is one of the most important forensic artifacts on macOS.
It records which applications requested and received permission to access protected resources.


What TCC Tracks

The TCC database controls permissions for:

  • Camera

  • Microphone

  • Photos

  • Calendar

  • Contacts

  • Screen recording

  • Accessibility

  • Full Disk Access

  • Bluetooth

  • Location

Each row records the current decision (allowed, denied or limited) for one client/service pair, with a last_modified epoch timestamp of when that row last changed. It is a state table, not a per-request audit log: a later decision overwrites the earlier one, and the individual prompts and denials are written to the unified log by the tccd process.


TCC Database Location

System-level TCC (Full Disk Access, Screen Recording, Accessibility, Input Monitoring and other system-policy services):

/Library/Application Support/com.apple.TCC/TCC.db

User-level TCC, one per user (Camera, Microphone, Photos, Contacts, Calendar, Reminders, Apple Events and similar per-user services):

~/Library/Application Support/com.apple.TCC/TCC.db

Both are SQLite databases. They are themselves protected by TCC: even root cannot open them on a live system unless the reading process (Terminal, the forensic agent) has Full Disk Access, and the system copy is additionally under SIP. In practice, copy them from a forensic image or grant Full Disk Access to the collection tool, and query the copy rather than the live file so the evidence is not locked or modified.


Important Tables in TCC.db

access table

Most valuable table for investigation. One row per client/service pair.

Key fields (macOS 11 and later; older releases used an allowed column and a prompt_count column in place of auth_value/auth_reason):

  • service – protected resource, e.g. kTCCServiceSystemPolicyAllFiles, kTCCServiceScreenCapture, kTCCServiceAccessibility, kTCCServiceListenEvent, kTCCServiceMicrophone, kTCCServiceCamera

  • client – the requesting app, as a bundle identifier or an absolute path

  • client_type – 0 when client is a bundle identifier, 1 when it is a path (typical for command-line binaries and scripts, which deserves a second look for sensitive services)

  • auth_value – 0 denied, 1 unknown, 2 allowed, 3 limited

  • auth_reason – how the decision was made: 2 user consent (prompt), 3 user set (System Settings), 4 system set, 5 service policy, 6 MDM policy

  • last_modified – Unix epoch seconds when the row last changed

  • csreq – code-signing requirement blob that ties the grant to a specific signed binary; a NULL or mismatched requirement on a third-party grant is a tampering indicator

  • indirect_object_identifier – the target of the access for services that have one (for kTCCServiceAppleEvents, the bundle identifier of the app being controlled); UNUSED for most services


Forensic Value of the TCC Database

Detecting malicious apps requesting sensitive access

Example:
Unknown app requesting screen recording or microphone access.

Identifying unauthorized full disk access

Full Disk Access permission provides access to all user data.

Mapping user-approved permissions

Shows if the user granted or denied access.

Tracking stealth monitoring activity

Screen recording (kTCCServiceScreenCapture) and keystroke capture (kTCCServiceListenEvent, Input Monitoring) require grants in the system-level TCC.db, so a surveillance implant either leaves a row there or had to bypass TCC, for example by running inside an already-approved app or by editing the database from a process that already holds Full Disk Access.

Investigating spyware or RAT behavior

Tools like:

  • Cobalt Strike

  • EvilOSX

  • macOS RATs

  • Info-stealers

often try to bypass or abuse TCC.


Extracting Evidence from TCC

Query service access, converting the epoch timestamp to a readable date (run against a copy of the database):

sqlite3 TCC.db "SELECT service, client, client_type, auth_value, auth_reason, datetime(last_modified,'unixepoch') FROM access;"

Find apps with Full Disk Access (system-level TCC.db only; the user-level database never holds this service):

sqlite3 TCC.db "SELECT client, client_type, auth_reason, datetime(last_modified,'unixepoch') FROM access WHERE service='kTCCServiceSystemPolicyAllFiles' AND auth_value=2;"

Find apps with Screen Recording permission (also system-level):

sqlite3 TCC.db "SELECT client, client_type, auth_reason, datetime(last_modified,'unixepoch') FROM access WHERE service='kTCCServiceScreenCapture' AND auth_value=2;"

Check recent permission changes:

sqlite3 TCC.db "SELECT datetime(last_modified,'unixepoch'), service, client, auth_value, auth_reason FROM access ORDER BY last_modified DESC LIMIT 20;"

Path-type clients (client_type=1) outside the usual application directories, and third-party grants whose auth_reason is neither user consent (2) nor user set (3), are the rows to pivot on against the unified log and install.log for the same time window.
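The following Python script, added here as an example (it is not code from the original page), builds a small TCC.db with the access columns discussed above (a subset of the real schema), fills it with constructed rows, and performs the triage the queries above do by hand: decoding auth_value and auth_reason, converting last_modified, and flagging allowed sensitive grants to path-identified clients. The integer decodings are the macOS 11+ values; point grants() at a copy of a real TCC.db (taken from an image or with Full Disk Access) and the same functions apply.

```python
"""Decode a TCC.db access table and flag risky grants.

Added example, not code from the original page. build_sample_db() creates a
database with a subset of the real access-table columns and inserts
constructed rows; grants() and suspicious_grants() work unchanged on a copy
of a real /Library/Application Support/com.apple.TCC/TCC.db.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Integer encodings used by TCC.db on macOS 11 and later
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
AUTH_REASON = {2: "user consent", 3: "user set", 4: "system set",
               5: "service policy", 6: "MDM policy"}

# Services in the system-level database most often abused by spyware and RATs
SENSITIVE = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceListenEvent": "Input Monitoring",
}

# Constructed rows (not from a real system): a Terminal grant, a Zoom grant,
# a binary in a hidden directory granted Screen Recording and Full Disk Access
# 30 seconds apart, and one denial.
# (service, client, client_type, auth_value, auth_reason, indirect_object_identifier, last_modified)
SAMPLE_ROWS = [
    ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 3, "UNUSED", 1735689600),
    ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2, "UNUSED", 1735693200),
    ("kTCCServiceScreenCapture", "/Users/Shared/.cache/update", 1, 2, 3, "UNUSED", 1735776000),
    ("kTCCServiceSystemPolicyAllFiles", "/Users/Shared/.cache/update", 1, 2, 3, "UNUSED", 1735776030),
    ("kTCCServiceAccessibility", "com.example.helper", 0, 0, 2, "UNUSED", 1735776100),
]


def build_sample_db(path):
    """Create a TCC.db-like file holding the access columns used below."""
    con = sqlite3.connect(path)
    con.execute("""CREATE TABLE access (
        service TEXT NOT NULL,
        client TEXT NOT NULL,
        client_type INTEGER NOT NULL,
        auth_value INTEGER NOT NULL,
        auth_reason INTEGER NOT NULL,
        indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED',
        last_modified INTEGER NOT NULL)""")
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.close()
    return path


def make_sample_db():
    """Build the sample database in a fresh temporary directory; return its path."""
    return build_sample_db(os.path.join(tempfile.mkdtemp(), "TCC.db"))


def grants(db_path, service=None):
    """Return decoded access rows, newest first, optionally for one service."""
    # Open read-only via a file URI so evidence copies are never modified
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    sql = ("SELECT service, client, client_type, auth_value, auth_reason, last_modified "
           "FROM access" + (" WHERE service = ?" if service else "") +
           " ORDER BY last_modified DESC")
    rows = con.execute(sql, (service,) if service else ()).fetchall()
    con.close()
    return [{
        "service": SENSITIVE.get(svc, svc),
        "raw_service": svc,
        "client": client,
        "client_type": "bundle id" if ctype == 0 else "path",
        "auth_value": AUTH_VALUE.get(val, f"unknown({val})"),
        "auth_reason": AUTH_REASON.get(reason, f"unknown({reason})"),
        "last_modified": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
    } for svc, client, ctype, val, reason, ts in rows]


def suspicious_grants(db_path):
    """Allowed grants of a sensitive service to a path-identified client.

    Bundled apps are recorded by bundle identifier; a bare path means a
    command-line binary or script, which is unusual for Screen Recording or
    Full Disk Access and worth correlating with install.log and the unified log."""
    return [g for g in grants(db_path)
            if g["auth_value"] == "allowed"
            and g["client_type"] == "path"
            and g["raw_service"] in SENSITIVE]


if __name__ == "__main__":
    db = make_sample_db()
    for g in grants(db, "kTCCServiceSystemPolicyAllFiles"):
        print("FDA:", g["client"], g["auth_value"], g["auth_reason"], g["last_modified"])
    for g in suspicious_grants(db):
        print("SUSPICIOUS:", g["service"], g["client"], g["last_modified"])
```

Two design points carry over to real casework: the database is opened read-only through a file URI so a copy taken as evidence is never written to, and rows are decoded rather than filtered, so a value outside the known encodings (a new macOS release, or a hand-edited database) shows up as unknown(...) instead of being silently skipped.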

Intel Dump

  • Unified logs store detailed system, app, and security events in binary format and must be parsed with the log command.

  • System logs, crash logs, Wi-Fi logs, and authentication logs help reconstruct system activity and detect anomalies.

  • Install logs reveal app installations, code-signing checks, and potential malware deployments.

  • Application logs inside user directories store program-specific interactions and metadata.

  • macOS TCC database records which apps are granted permissions for resources like camera, microphone, screen recording, and Full Disk Access.

  • TCC entries include timestamps, permission results, and originating applications, making them crucial for identifying spyware, RATs, or unauthorized monitoring tools.

  • Combining logs and TCC data provides a high-resolution timeline of suspicious activity, privilege requests, and system behavior.

 
