TCCD

Overview

Evidence: Tccd Description: Filter tccd events Category: System Platform: macos Short Name: tccd Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

The Transparency, Consent, and Control Daemon (tccd) manages privacy permissions on macOS including camera, microphone, screen recording, accessibility, and file access permissions. It logs all permission requests, grants, and denials for applications.

Data Collected

This collector gathers structured data about tccd.

Collection Method

This collector uses the macOS 'log' command with predicate-based filtering to extract tccd process events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Tccd'.

Forensic Value

TCC events are critical for investigating privacy violations, malware behavior, spyware activities, and unauthorized access to sensitive resources. They reveal which applications requested camera/microphone access, screen recording capabilities, and file system permissions, helping identify suspicious privilege escalation and data collection attempts.