How to check which process took a desktop screenshot on macOS?
I heard a shutter sound when pressing the ▼ (down arrow) key on the (lock screen) login page. I heard it again 10 min after login, when using the same key again. And then heard it no more, even when using the same key.
I found 2 full screenshots on my desktop, both identifying the time and the respective screen where I heard the sound. The first is of the login page, the 2nd of my desktop (icons, opened apps, etc.).
How can I find which app / process took the screenshots?
Note: I'm running macOS Sierra and I'm using a Bluetooth Logitech keyboard.
My Chrome has only the Adblock Plus and Privacy Badger extensions enabled; I'm running Sophos AV.
Solution 1:
Using the log utility in Terminal you should be able to identify what exactly happened.
If you don't know the exact second that this happened, go into the Language and Region System Preferences settings, click the "Advanced Settings" button, go to the "Times" tab, and drag the blue box next to "Second:" in the "Time Elements" section up into the first line labeled "Short", so that you can see seconds along with dates in Finder's Date Created column.
In the Terminal app enter the following, substituting the correct time in 24h format and correct date (YYYY-MM-DD) for a couple seconds prior to the timestamp of the file and however many seconds after:
sudo log show --start "2018-10-23 23:45:17" --end "2018-10-23 23:45:47" --info --debug --signpost | grep -i screencapture
This will likely detail what prompted the screencapture process to take a screenshot. If it's all labeled <private>, you will have to do an additional step to get this info, but it's very simple.
Very appropriate joke(?) about the NSA too. It actually really demonstrates the notion that malware or any sort of compromise is so far-fetched that only someone like the NSA would understand it. The reality is that it's extremely unlikely that your computer hasn't been compromised. The fact that most users think they have a magical stealth firewall and are protected by top secret Apple security features only makes the problem worse. Apple is at the end of the day just another for-profit company, and admitting they've been perpetuating this lie for a long time past its expiration date would be very bad for its bottom line and stock price.
Considering you have an AV product installed and are suspicious enough to ask this question, it's very likely there's some sort of keylogger/remote access/spyware installed. Confirming this is possible but typically made more difficult thanks to Apple's own security features being altered to actually protect and hide the malware, ensuring persistence.
To date there are 6,275 entries for Apple products in the National Vulnerability Database. Many are critical flaws that are only patched by Apple after being documented and reported via this official process, which also to some extent broadcasts the flaw to the world. Even more concerning is that Apple only addresses vulnerabilities that are properly flagged via this official process and only for the version of macOS, iOS, etc. that is required. So new and old versions often can be vulnerable to an issue that was at one time addressed. It is, after all, easier to say you've built a magical computer than to actually make one.
Thanks to dedicated malware developers, most people would never notice these little additions. Maybe you can learn to live with it... maybe imagine it's a little fairy who watches over you and remembers all your passwords or checks to see you're getting to bed on time. Best of luck.
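The procedure from Solution 1 as a script, added here as an example and not part of the original answer: it reads a screenshot file's creation time, builds the `--start`/`--end` window around it, and runs the same `log show ... | grep -i screencapture` pipeline. The function names and the `BEFORE`/`AFTER` defaults are assumptions; the `log show` flags are the ones the answer uses.

```shell
#!/bin/sh
# Added example: derive the `log show` window from a screenshot's timestamp.
# BEFORE/AFTER (seconds around the file time) are assumed defaults.
BEFORE=${BEFORE:-5}
AFTER=${AFTER:-30}

# Format epoch seconds as "YYYY-MM-DD HH:MM:SS" (local time),
# the form that --start and --end accept.
fmt_epoch() {
    # BSD date (macOS) takes -r EPOCH; GNU date takes -d @EPOCH.
    date -r "$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null ||
        date -d "@$1" '+%Y-%m-%d %H:%M:%S'
}

# Creation time of a file in epoch seconds.
file_epoch() {
    # macOS stat: %B is the birth time. Elsewhere fall back to mtime.
    t=$(stat -f %B "$1" 2>/dev/null) || t=$(stat -c %Y "$1")
    printf '%s\n' "$t"
}

# Print "START|END" for the window around epoch $1.
window() {
    start=$(fmt_epoch $(( $1 - BEFORE )))
    end=$(fmt_epoch $(( $1 + AFTER )))
    printf '%s|%s\n' "$start" "$end"
}

# Same filter as the answer: keep lines that mention screencapture.
filter_hits() { grep -i screencapture; }

main() {
    shot=$1
    [ -f "$shot" ] || { echo "no such file: $shot" >&2; return 2; }
    w=$(window "$(file_epoch "$shot")")
    start=${w%%|*}
    end=${w##*|}
    echo "Searching unified log from $start to $end" >&2
    sudo log show --start "$start" --end "$end" \
        --info --debug --signpost | filter_hits
}

# Run only when a screenshot path is given, e.g.:
#   sh whoshot.sh ~/Desktop/"Screen Shot 2018-10-23 at 23.45.22.png"
if [ "$#" -gt 0 ]; then main "$@"; fi
```

An empty result means nothing in that window mentioned screencapture; widen the window with `BEFORE=30 AFTER=120` before drawing conclusions.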