- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic investigation of suspected unauthorized access to a Mac — covert monitoring software, persistence mechanisms, remote-access implants, and unexplained changes to system state.
Quick Answer. Mac Unauthorized Access Forensics answers “did someone else use, monitor, or compromise this Mac” by systematically reviewing every persistence surface (LaunchAgents, LaunchDaemons, login items, cron, at, periodic, kext, SystemExtensions), every privacy grant (TCC.db), every code-signing decision (syspolicy, XProtect, MRT), and every remote-access footprint — cross-referenced with a Mac forensic timeline.
| Mechanism | Location | Evidence recorded |
|---|---|---|
| LaunchAgents (user) | ~/Library/LaunchAgents/*.plist | Per-user auto-start; runs on login |
| LaunchAgents (system) | /Library/LaunchAgents/*.plist | All-user auto-start |
| LaunchAgents (Apple) | /System/Library/LaunchAgents/*.plist | System-provided; changes here are highly suspect |
| LaunchDaemons (system) | /Library/LaunchDaemons/*.plist | Runs as root at boot |
| LaunchDaemons (Apple) | /System/Library/LaunchDaemons/*.plist | System-provided |
| Login Items | ~/Library/Application Support/com.apple.backgroundtaskmanagement/BackgroundItems.btm | GUI login items and modern background tasks |
| cron | /private/var/at/tabs/ | Per-user cron entries |
| at / periodic | /private/var/at/, /etc/periodic/ | One-shot and periodic scripts |
| LoginHook / LogoutHook | com.apple.loginwindow.plist | Legacy but still respected |
| SystemExtensions | /Library/SystemExtensions/db.plist | Endpoint Security / network / DriverKit extensions |
| Kernel extensions | /Library/Extensions/, kmutil showloaded | Legacy kexts (require reboot to load) |
| Configuration Profiles | /Library/Managed Preferences/, profiles list | MDM-pushed policy — covert monitoring vector |
| Sudoers | /etc/sudoers, /etc/sudoers.d/ | Elevated command surface |
Nearly every credible covert-monitoring tool on modern macOS requires the target user to grant Screen Recording, Accessibility, Input Monitoring, or Full Disk Access in System Settings. Each grant is recorded in ~/Library/Application Support/com.apple.TCC/TCC.db (per-user) or /Library/Application Support/com.apple.TCC/TCC.db (system) with:
client — bundle ID of the granted appservice — kTCCServiceScreenCapture, kTCCServiceAccessibility, kTCCServiceListenEvent, etc.allowed and prompt_countlast_modified — when the grant was madeAn unexplained Screen Recording or Accessibility grant to an app the user does not recognize — especially one installed from outside the App Store — is a decisive indicator. We review every non-Apple TCC row in every matter of suspected covert monitoring.
Without naming specific commercial tools on this public page, we systematically check for the persistence-file names, bundle IDs, launch-agent labels, and network endpoints publicly documented by security researchers and by Apple’s own XProtect and MRT (Malware Removal Tool) signature updates. Where present, we preserve the binaries and their configuration for chain-of-custody handoff to counsel or law enforcement.
Attackers increasingly avoid custom binaries. In every intrusion matter we review execution of:
osascript — AppleScript invocations, often loaded with base64-encoded payloadscurl, python3, ruby — download-and-execute patternslaunchctl load — LaunchAgent registration events in com.apple.launchdsqlite3 — reads of TCC.db or Safari History.db by non-Apple processesxattr -c or xattr -d com.apple.quarantine — evasion of Gatekeeperplutil / defaults write — silent modification of preferences and LaunchAgentsMany matters end defense-favorably: no unauthorized LaunchAgents outside Apple defaults, no non-Apple TCC grants of significance, no unknown SystemExtensions, no unexplained network connections in the Unified Log, no XProtect / MRT signatures triggered, and shell / KnowledgeC.db activity fully consistent with the account holder. In those cases the report enumerates the surfaces reviewed, the negatives found, and the confidence bound on the conclusion. See the Mac Forensics hub for the full framework.
Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.
Rarely in absolute terms, but we can express high-confidence findings when every persistence surface, TCC row, XProtect signature, and network artifact within the retention window is negative. Reports state confidence explicitly.
Deletion itself leaves records: LaunchAgent files were present in APFS snapshots, TCC grants persist even after the app is removed, Unified Log records the launchctl unload and the rm, and shell history captures the commands.
They exist but are less prevalent than on Windows. Most credible tools require Screen Recording and Accessibility grants, which the target user (or someone at the keyboard with admin rights) had to approve — a fact that itself is investigatively important.
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant