Session Creation and Destruction
Overview
Evidence: Session Creation and Destruction
Description: Filter sessions creation and destruction events
Category: System
Platform: macos
Short Name: scd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The securityd daemon manages security sessions on macOS, including user sessions, authorization sessions, and security contexts. It tracks session lifecycle events from creation through destruction, managing authentication and authorization tokens throughout the session.
Data Collected
This collector gathers structured data about session creation and destruction.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract securityd session events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Session Creation and Destruction'.
Forensic Value
Session events are critical for understanding user activity timelines, session hijacking attempts, authentication token abuse, and concurrent session patterns. They help establish when users were active on the system, detect anomalous session behaviors, and investigate unauthorized access through session manipulation.
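The following is an added example, not the collector's own code: it pairs creation and destruction events from JSON log output to get session lifetimes, and separates sessions still open from sessions whose creation predates the 3-day window. The `log` predicate, the message wording matched by the regex, and all sample entries are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime

# Assumed collection command (the page does not give its predicate):
#   log show --last 3d --style json --predicate 'process == "securityd"'
# Constructed sample in the shape of that JSON output; all values are made up.
def _entry(ts, path, msg):
    return {"timestamp": ts, "processImagePath": path, "eventMessage": msg}

SAMPLE = json.dumps([
    _entry("2024-03-01 09:45:02.000000-0800", "/usr/sbin/securityd", "Session 100012 destroyed"),
    _entry("2024-03-01 09:15:02.000000-0800", "/usr/sbin/securityd", "Session 100012 created"),
    _entry("2024-03-01 09:20:00.000000-0800", "/usr/bin/example", "Session 100099 created"),
    _entry("2024-03-01 10:00:00.000000-0800", "/usr/sbin/securityd", "Session 100020 created"),
    _entry("2024-03-01 08:00:00.000000-0800", "/usr/sbin/securityd", "Session 100007 destroyed"),
])

# Assumed message wording; confirm against real securityd output before relying on it.
SESSION_RE = re.compile(r"Session (\d+) (created|destroyed)")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"

def pair_sessions(raw_json):
    """Map session id -> created/destroyed timestamps and lifetime in seconds."""
    sessions = {}
    for e in json.loads(raw_json):
        # Keep only securityd entries; other processes may log similar text.
        if not e.get("processImagePath", "").endswith("/securityd"):
            continue
        m = SESSION_RE.search(e.get("eventMessage", ""))
        if not m:
            continue
        sid, action = m.groups()
        rec = sessions.setdefault(sid, {"created": None, "destroyed": None, "seconds": None})
        rec[action] = datetime.strptime(e["timestamp"], TS_FORMAT)
        if rec["created"] and rec["destroyed"]:
            rec["seconds"] = (rec["destroyed"] - rec["created"]).total_seconds()
    return sessions

def still_open(sessions):
    """Sessions created in the window with no matching destruction."""
    return sorted(s for s, r in sessions.items() if r["created"] and not r["destroyed"])

def created_before_window(sessions):
    """Destruction seen but creation falls outside the collected 3-day window."""
    return sorted(s for s, r in sessions.items() if r["destroyed"] and not r["created"])

if __name__ == "__main__":
    result = pair_sessions(SAMPLE)
    print(still_open(result), created_before_window(result), result["100012"]["seconds"])
```

A destruction with no creation is expected at the edge of the collection window and is reported separately so it is not mistaken for an anomaly.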