ScreenSharing
Overview
Evidence: Screensharing
Description: Filter screen sharing events
Category: System
Platform: macos
Short Name: sch
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
macOS screen sharing is managed by the screensharingd daemon and the ScreensharingAgent process. These handle VNC-based remote desktop sessions, allowing users to view and control the Mac remotely. Their logs capture connection attempts, session establishments, and screen sharing activities.
Data Collected
This collector gathers structured data about screensharing.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract screen sharing daemon and agent events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Screensharing'.
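An added example (not the collector's own code) of the flow described above: a `log show` invocation limited to the last 3 days with JSON output, and a parser that turns the entries into rows tagged PredicateType='Screensharing'. The predicate string, the row key names other than PredicateType, and the sample entries are assumptions constructed for illustration.

```python
import json
import os
from datetime import datetime, timedelta, timezone

# Assumed predicate; the collector's real predicate is not documented on this page.
PREDICATE = 'process == "screensharingd" OR process == "ScreensharingAgent"'
# Collection command as it would be run on a Mac (not executed in this example).
LOG_ARGV = ["log", "show", "--last", "3d", "--style", "json", "--predicate", PREDICATE]
PROCESSES = {"screensharingd", "ScreensharingAgent"}
RM = "/System/Library/CoreServices/RemoteManagement/"

# Constructed sample in the shape of `log show --style json` output.
SAMPLE = json.dumps([
    {"timestamp": "2024-05-03 09:12:44.120000+0000", "processID": 611,
     "processImagePath": RM + "screensharingd.bundle/Contents/MacOS/screensharingd",
     "eventMessage": "constructed: viewer connection accepted"},
    {"timestamp": "2024-05-03 09:12:45.003000+0000", "processID": 640,
     "processImagePath": RM + "ScreensharingAgent.bundle/Contents/MacOS/ScreensharingAgent",
     "eventMessage": "constructed: agent session started"},
    {"timestamp": "2024-05-03 09:13:00.000000+0000", "processID": 702,
     "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "constructed: unrelated process"},
    {"timestamp": "2024-04-28 22:01:10.500000+0000", "processID": 598,
     "processImagePath": RM + "screensharingd.bundle/Contents/MacOS/screensharingd",
     "eventMessage": "constructed: older than the window"},
])
NOW = datetime(2024, 5, 4, 12, 0, tzinfo=timezone.utc)  # fixed "collection time"

def parse_screensharing(raw, now, days=3):
    """Return rows for screen sharing processes logged in the last `days` days."""
    cutoff = now - timedelta(days=days)
    rows = []
    for entry in json.loads(raw):
        proc = os.path.basename(entry.get("processImagePath", ""))
        ts = datetime.strptime(entry["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z")
        if proc not in PROCESSES or ts < cutoff:
            continue  # defensive re-check of what the predicate and --last already filter
        rows.append({  # key names are hypothetical, except PredicateType
            "Timestamp": ts.astimezone(timezone.utc).isoformat(),
            "Process": proc,
            "PID": entry.get("processID"),
            "Message": entry.get("eventMessage", ""),
            "PredicateType": "Screensharing",
        })
    return sorted(rows, key=lambda r: r["Timestamp"])

if __name__ == "__main__":
    for row in parse_screensharing(SAMPLE, NOW):
        print(row)
```

On a live system the parser's input would be the standard output of the `LOG_ARGV` command; a 3-day window means sessions older than that are absent from this evidence and need another source.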
Forensic Value
Screen sharing logs are valuable for investigating unauthorized remote access, surveillance activities, data theft, and remote control of systems. They reveal when screen sharing was enabled, connection sources, and session durations, which are critical for detecting unauthorized monitoring or remote attacks.