macOS Remote Access · Screen Sharing · SSH

Mac Remote Access Forensics

Independent forensic investigation of remote access to a Mac — Apple Screen Sharing, Apple Remote Desktop, SSH, VNC, and third-party tools (TeamViewer, AnyDesk, LogMeIn, GoToMyPC). We identify each session, source IP, authenticated user, and duration.

← Canonical HubThis page is part of the Mac Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Mac Remote Access Forensics reconstructs incoming and outgoing remote sessions by combining Unified Log entries in com.apple.screensharing, com.apple.sshd, and com.apple.RemoteDesktop, service enablement plists (/Library/Preferences/com.apple.RemoteManagement.plist, com.apple.screensharing.plist, com.apple.RemoteLogin.plist), third-party tool application databases and logs, and — for outbound sessions — ~/.ssh/known_hosts and LSSharedFileList.RecentHosts.sfl2.

Apple Screen Sharing and Apple Remote Desktop

ArtifactPath / sourceContents
com.apple.screensharing Unified Loglog show subsystemClient IP, session start/end, authenticated user
com.apple.RemoteDesktop Unified Loglog show subsystemARD-specific events, task push, screen observe
ARD kickstart preferences/Library/Preferences/com.apple.RemoteManagement.plistWhether ARD is enabled, allowed users, privileges
Screen Sharing preferences/Library/Preferences/com.apple.screensharing.plistWhether Screen Sharing is enabled
ARD reports/var/db/RemoteManagement/Task reports pushed to and from the Mac
SecurityAgent authsecurityagent subsystemPrompts that appeared for the remote user

SSH — the most common remote pathway

  • com.apple.sshd Unified Log — every attempted and successful SSH connection with source IP, user, method (publickey / password), and disconnect reason.
  • /etc/ssh/sshd_config — was Password auth allowed? RootLogin permitted? PubkeyAcceptedKeyTypes?
  • /private/var/db/com.apple.xpc.launchd/disabled.plist — indicates whether com.openssh.sshd is enabled.
  • Per-user ~/.ssh/authorized_keys — public keys authorized to log in. Compare comments and mtime to authorized use.
  • Per-user ~/.ssh/known_hosts and ~/.ssh/config — outbound SSH targets the user has connected to.

VNC and third-party remote support tools

We inventory known remote-access tools by bundle ID and inspect their per-app databases:

  • TeamViewer~/Library/Application Support/TeamViewer/Logs/, Connections.txt, Connections_incoming.txt
  • AnyDesk~/Library/Application Support/AnyDesk/ ad_svc.trace, connection_trace.txt
  • LogMeIn/Library/Application Support/LogMeIn/ log directory
  • Chrome Remote Desktop — host log under ~/Library/Logs/chrome_remote_desktop/
  • Splashtop, Zoho Assist, ScreenConnect — each has a per-app connection log
  • RealVNC, TigerVNC — VNC listener processes visible in the com.apple.launchd Unified Log

Presence of these tools where the account holder does not remember installing them — especially when correlated with an unexplained TCC screen-recording grant — is a strong indicator of unauthorized third-party remote support tooling.

Correlating remote access to actions on the Mac

Once a remote session window is established, we correlate it to KnowledgeC.db /app/inFocus (which apps were used during the remote session), /display/isBacklit (whether the local user could have seen the screen), and any file activity on the source volume during that same window. This produces a complete narrative: “at HH:MM:SS an SSH session from <IP> authenticated as user <X>, Terminal became frontmost within Y seconds, and files <A, B, C> were subsequently accessed.”

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Mac forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Mac Forensics hub for the full analytical framework we bring to every matter.

Related Mac forensics pages

Frequently asked questions

Can you identify the source IP of a remote session?

Yes for SSH, Screen Sharing, and ARD — the Unified Log preserves the client IP. Third-party tools vary; TeamViewer and AnyDesk record peer IDs and, depending on version, the IP as well.

What if remote access is enabled but never used?

The service being enabled is not by itself evidence of use. We report the enablement date, allowed users, and the absence of successful connection events in the retention window.

Can iCloud “Back to My Mac” or Handoff be used remotely?

Back to My Mac was retired in 2018. Handoff and Continuity operate between devices on the same iCloud account within Bluetooth range and are not remote access in the network sense.

Ready to move on your mac remote access matter?

Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Apple: Remote Login (SSH). support.apple.com
  2. Apple: Screen Sharing security. support.apple.com
  3. Apple: Apple Remote Desktop. support.apple.com

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#MacForensics #RemoteAccess #SSH #ARD #UnauthorizedAccess #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
👋 Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime. 

IMPORTANT: Please remember to check your spam or junk folder