Overview
The TCC (Transparency, Consent, and Control) database is macOS's permission management system, tracking which applications have been granted or denied access to sensitive resources such as the camera, microphone, location services, contacts, photos, Full Disk Access, screen recording, and accessibility features. TCC databases exist at both the system and user level.
For forensic investigators, TCC records provide direct evidence of which applications accessed (or attempted to access) sensitive system resources, when permissions were granted, and whether the user explicitly approved access or it was set via MDM policy.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Permission grants | Which apps can access camera, microphone, screen recording, etc. |
| Grant timestamps | When access was approved (timeline correlation) |
| Denied entries | Apps that were blocked from sensitive resources |
| MDM-managed grants | Permissions pushed by enterprise management (no user interaction) |
| Full Disk Access | Apps with unrestricted filesystem access (key for data exfiltration) |
| Accessibility access | Apps that can control the UI (keyloggers, RATs) |
| Screen recording | Apps that can capture screen content |
File Locations
| Database | Path | Scope |
|---|---|---|
| System TCC | /Library/Application Support/com.apple.TCC/TCC.db | System-wide grants (requires root) |
| User TCC | ~/Library/Application Support/com.apple.TCC/TCC.db | Per-user grants |
Both are SQLite databases. The write-ahead log (TCC.db-wal) and shared-memory index (TCC.db-shm) files should be collected alongside the main database, since recent changes may exist only in the WAL until a checkpoint occurs.
Database Schema
access table
The primary table storing all permission records.
| Column | Type | Description |
|---|---|---|
| service | TEXT | The resource being protected (e.g., kTCCServiceCamera) |
| client | TEXT | Bundle ID or path of the requesting application |
| client_type | INTEGER | 0 = bundle ID, 1 = absolute path |
| auth_value | INTEGER | 0 = denied, 1 = unknown, 2 = allowed, 3 = limited |
| auth_reason | INTEGER | How the permission was set (see below) |
| auth_version | INTEGER | Version of the auth decision |
| csreq | BLOB | Code signing requirement (DER-encoded) |
| policy_id | TEXT | MDM policy identifier (if managed) |
| indirect_object_identifier_type | INTEGER | Type of indirect object |
| indirect_object_identifier | TEXT | Identifier of indirect object (e.g., screen recording target) |
| last_modified | INTEGER | Unix timestamp of last modification |
Common Service Identifiers
| Service | Description | Risk Level |
|---|---|---|
| kTCCServiceCamera | Camera access | High |
| kTCCServiceMicrophone | Microphone access | High |
| kTCCServiceScreenCapture | Screen recording | High |
| kTCCServiceAccessibility | Accessibility (UI control) | Critical |
| kTCCServiceSystemPolicyAllFiles | Full Disk Access | Critical |
| kTCCServiceSystemPolicySysAdminFiles | Administer system files | Critical |
| kTCCServiceAddressBook | Contacts access | Medium |
| kTCCServiceCalendar | Calendar access | Medium |
| kTCCServiceReminders | Reminders access | Medium |
| kTCCServicePhotos | Photos library access | Medium |
| kTCCServiceMediaLibrary | Apple Music / media | Low |
| kTCCServiceAppleEvents | Apple Events / automation | High |
| kTCCServicePostEvent | Input monitoring | High |
| kTCCServiceListenEvent | Input monitoring (listen) | High |
| kTCCServiceSystemPolicyDesktopFolder | Desktop folder access | Medium |
| kTCCServiceSystemPolicyDocumentsFolder | Documents folder access | Medium |
| kTCCServiceSystemPolicyDownloadsFolder | Downloads folder access | Medium |
auth_reason Values
| Value | Meaning |
|---|---|
| 1 | User consent (user clicked Allow) |
| 2 | User set in System Preferences |
| 3 | System set (Apple internal) |
| 4 | Service policy (MDM) |
| 5 | MDM policy |
| 6 | Override policy |
Key Fields for Analysis
Essential Query
```sql
SELECT
    service,
    client,
    client_type,
    auth_value,
    auth_reason,
    datetime(last_modified, 'unixepoch') AS modified_date
FROM access
ORDER BY last_modified DESC;
```
High-Risk Permissions
```sql
SELECT
    service,
    client,
    CASE auth_value
        WHEN 0 THEN 'Denied'
        WHEN 2 THEN 'Allowed'
        WHEN 3 THEN 'Limited'
        ELSE 'Unknown'
    END AS status,
    datetime(last_modified, 'unixepoch') AS modified_date
FROM access
WHERE service IN (
    'kTCCServiceSystemPolicyAllFiles',
    'kTCCServiceAccessibility',
    'kTCCServiceScreenCapture',
    'kTCCServicePostEvent',
    'kTCCServiceListenEvent'
)
AND auth_value = 2
ORDER BY service, last_modified DESC;
```
Timestamps
TCC uses standard Unix timestamps (seconds since 1970-01-01 00:00:00 UTC) in the last_modified column.
```sql
SELECT datetime(last_modified, 'unixepoch') AS modified_date FROM access;
```
Analysis Notes
- Malware indicators: Malware often requires Accessibility access (for keylogging or UI manipulation) or Full Disk Access (for data exfiltration). Look for unfamiliar bundle IDs with these permissions.
- Persistence correlation: Cross-reference TCC entries with Launch Agents/Daemons — a persistent agent with Accessibility or FDA access is a high-priority investigation target.
- MDM vs. user grants: auth_reason values of 4 or 5 indicate MDM-managed permissions that the user did not explicitly approve. This is normal in enterprise environments but suspicious on unmanaged systems.
- Denied entries: Applications that were denied access may indicate failed exploitation attempts or tools that were blocked by the user.
- SIP protection: The system-level TCC.db is protected by SIP. On a live system, even root cannot modify it without disabling SIP. A modified system TCC.db on a SIP-enabled system is a strong indicator of compromise.
- Reset detection: If TCC records are unexpectedly absent for common applications, the database may have been reset (via tccutil reset).
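The queries and analysis notes above can be combined into one triage pass. The following is an added example (not part of the original page or of any tool it names) that builds an in-memory stand-in for the access table using the column names documented above, decodes auth_value, auth_reason and client_type, and flags high-risk grants, denied high-risk requests and MDM-style grants on a host that is not expected to be managed. The client names, policy_id and timestamps are constructed sample data; on a real acquisition, point sqlite3.connect at the collected TCC.db copy instead of load_sample_db().

```python
import sqlite3
from datetime import datetime, timezone

# Columns of the access table as documented on this page (constructed schema, not Apple's DDL).
SCHEMA = """CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,
    auth_value INTEGER, auth_reason INTEGER, auth_version INTEGER, csreq BLOB,
    policy_id TEXT, indirect_object_identifier_type INTEGER,
    indirect_object_identifier TEXT, last_modified INTEGER)"""
COLS = "service, client, client_type, auth_value, auth_reason, policy_id, last_modified"
# Constructed sample rows with hypothetical clients; not taken from a real system.
SAMPLE_ROWS = [
    ("kTCCServiceCamera", "com.example.videochat", 0, 2, 1, None, 1700000000),
    ("kTCCServiceAccessibility", "/Users/alice/.cache/helper", 1, 2, 1, None, 1700003600),
    ("kTCCServiceSystemPolicyAllFiles", "com.example.edr", 0, 2, 5, "profile-01", 1699990000),
    ("kTCCServiceScreenCapture", "com.example.capture", 0, 0, 1, None, 1700007200),
]
HIGH_RISK = {"kTCCServiceSystemPolicyAllFiles", "kTCCServiceAccessibility",
             "kTCCServiceScreenCapture", "kTCCServicePostEvent", "kTCCServiceListenEvent"}
AUTH_VALUE = {0: "Denied", 1: "Unknown", 2: "Allowed", 3: "Limited"}
AUTH_REASON = {1: "User consent", 2: "User set", 3: "System set",
               4: "Service policy (MDM)", 5: "MDM policy", 6: "Override policy"}

def load_sample_db():
    """Build the in-memory stand-in; use sqlite3.connect(path_to_copy) on a real TCC.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(f"INSERT INTO access ({COLS}) VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def decode(row):
    """Translate one access row into analyst-readable fields (UTC timestamp)."""
    service, client, client_type, auth_value, auth_reason, policy_id, ts = row
    return {"service": service, "client": client,
            "client_kind": "path" if client_type == 1 else "bundle_id",
            "status": AUTH_VALUE.get(auth_value, "Unknown"),
            "reason": AUTH_REASON.get(auth_reason, f"unrecognised ({auth_reason})"),
            "mdm": auth_reason in (4, 5) or policy_id is not None,
            "modified": datetime.fromtimestamp(ts, timezone.utc).isoformat()}

def review(conn, managed_host=False):
    """Return decoded rows that merit attention, newest first, each with its flags."""
    rows = conn.execute(f"SELECT {COLS} FROM access ORDER BY last_modified DESC").fetchall()
    findings = []
    for rec in map(decode, rows):
        flags = []
        if rec["service"] in HIGH_RISK and rec["status"] == "Allowed":
            flags.append("high-risk grant")
            if rec["client_kind"] == "path":  # keyed by path rather than bundle ID: check the binary
                flags.append("path-based client")
        elif rec["service"] in HIGH_RISK and rec["status"] == "Denied":
            flags.append("denied high-risk request")
        if rec["mdm"] and not managed_host:
            flags.append("MDM-style grant on unmanaged host")
        if flags:
            findings.append({**rec, "flags": flags})
    return findings
```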
Version Differences
| macOS Version | Changes |
|---|---|
| 10.14 (Mojave) | TCC expanded significantly; camera, microphone, FDA added |
| 10.15 (Catalina) | Screen recording, input monitoring, Desktop/Documents/Downloads folder access added |
| 11 (Big Sur) | Additional service types; expanded MDM management |
| 12 (Monterey) | Bluetooth TCC added |
| 13 (Ventura) | Minor schema additions |
| 14 (Sonoma) | auth_version column added for versioned decisions |
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| sqlite3 | Manual database inspection |
| tccutil (macOS built-in) | Reset TCC permissions (no read capability) |
| AXIOM (Magnet) | Commercial TCC analysis |
| mac_apt | Open-source TCC parser |