- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic investigation of remote access to a Mac — Apple Screen Sharing, Apple Remote Desktop, SSH, VNC, and third-party tools (TeamViewer, AnyDesk, LogMeIn, GoToMyPC). We identify each session, source IP, authenticated user, and duration.
Quick Answer. Mac Remote Access Forensics reconstructs incoming and outgoing remote sessions by combining Unified Log entries in com.apple.screensharing, com.apple.sshd, and com.apple.RemoteDesktop, service enablement plists (/Library/Preferences/com.apple.RemoteManagement.plist, com.apple.screensharing.plist, com.apple.RemoteLogin.plist), third-party tool application databases and logs, and — for outbound sessions — ~/.ssh/known_hosts and LSSharedFileList.RecentHosts.sfl2.
| Artifact | Path / source | Contents |
|---|---|---|
| com.apple.screensharing Unified Log | log show subsystem | Client IP, session start/end, authenticated user |
| com.apple.RemoteDesktop Unified Log | log show subsystem | ARD-specific events, task push, screen observe |
| ARD kickstart preferences | /Library/Preferences/com.apple.RemoteManagement.plist | Whether ARD is enabled, allowed users, privileges |
| Screen Sharing preferences | /Library/Preferences/com.apple.screensharing.plist | Whether Screen Sharing is enabled |
| ARD reports | /var/db/RemoteManagement/ | Task reports pushed to and from the Mac |
| SecurityAgent auth | securityagent subsystem | Prompts that appeared for the remote user |
com.apple.sshd Unified Log — every attempted and successful SSH connection with source IP, user, method (publickey / password), and disconnect reason./etc/ssh/sshd_config — was Password auth allowed? RootLogin permitted? PubkeyAcceptedKeyTypes?/private/var/db/com.apple.xpc.launchd/disabled.plist — indicates whether com.openssh.sshd is enabled.~/.ssh/authorized_keys — public keys authorized to log in. Compare comments and mtime to authorized use.~/.ssh/known_hosts and ~/.ssh/config — outbound SSH targets the user has connected to.We inventory known remote-access tools by bundle ID and inspect their per-app databases:
~/Library/Application Support/TeamViewer/Logs/, Connections.txt, Connections_incoming.txt~/Library/Application Support/AnyDesk/ ad_svc.trace, connection_trace.txt/Library/Application Support/LogMeIn/ log directory~/Library/Logs/chrome_remote_desktop/Presence of these tools where the account holder does not remember installing them — especially when correlated with an unexplained TCC screen-recording grant — is a strong indicator of unauthorized third-party remote support tooling.
Once a remote session window is established, we correlate it to KnowledgeC.db /app/inFocus (which apps were used during the remote session), /display/isBacklit (whether the local user could have seen the screen), and any file activity on the source volume during that same window. This produces a complete narrative: “at HH:MM:SS an SSH session from <IP> authenticated as user <X>, Terminal became frontmost within Y seconds, and files <A, B, C> were subsequently accessed.”
Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.
Yes for SSH, Screen Sharing, and ARD — the Unified Log preserves the client IP. Third-party tools vary; TeamViewer and AnyDesk record peer IDs and, depending on version, the IP as well.
The service being enabled is not by itself evidence of use. We report the enablement date, allowed users, and the absence of successful connection events in the retention window.
Back to My Mac was retired in 2018. Handoff and Continuity operate between devices on the same iCloud account within Bluetooth range and are not remote access in the network sense.
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant