Digital Forensic Artifacts of the AnyDesk Application

AnyDesk is a simple remote-access application commonly used by organizations for operational remote work. It is proprietary German software distributed by AnyDesk Software GmbH and offers remote control, file transfer, and VPN functionality. It ships in both an installed and a portable version.

We found that any remote-access application can be misused if it is not configured properly and is not covered by a sound policy. It can be used for fraud, hacking, compromising systems, malware distribution, data exfiltration, and so on.

When an incident involving AnyDesk misuse occurs, we need to know where to look for the evidence.

Before we discuss the evidence, let's look at how AnyDesk establishes a connection between the source and the remote host.

(Figure: connection concept of AnyDesk)

In this case we connect from laptop A to laptop B using AnyDesk and see what evidence we can collect.

AnyDesk Logs

AnyDesk keeps four logs:

1. Connection log

2. ad.trace log

3. ad_svc.trace log (installed version only)

4. Chat log

As explained above, AnyDesk comes in two versions, installed and portable, and the two store their configuration and logs in different paths.

Log path, installed version:

C:\ProgramData\Anydesk

(Figure: AnyDesk folder, installed version)

Log path, portable version:

C:\Users\[user profile]\AppData\Roaming\AnyDesk

(Figure: AnyDesk folder, portable version)

- connection_trace Log

The first file to check is connection_trace.txt. It holds the history of incoming connections to our AnyDesk, but the information is limited to the date/time, status, alias and AnyDesk ID.

(Figure: connection_trace.txt of AnyDesk)

- ad.trace Log

In the ad.trace log we can review the history of connection events, error events and system notifications that occurred in our AnyDesk. The log can be opened with Notepad or any other text editor.

(Figure: example of an AnyDesk ad.trace log)

We can search ad.trace for incoming and outgoing connection events, as shown below, but the information is limited to the AnyDesk ID and the user (desktop).

(Figure: AnyDesk ad.trace log connection event)

- ad_svc.trace Log

ad_svc.trace is like ad.trace: it contains connection events, error events and system notifications. For connection events, however, it stores more informative data such as the IP addresses of incoming or outgoing connections, the AnyDesk ID, the relay server we connect through, and so on. Remember that this log only exists when AnyDesk is installed; the portable version comes with ad.trace only.

We can search the ad_svc.trace log for incoming and outgoing connection events, as shown below.

(Figure: incoming connection event from ad_svc.trace)
(Figure: outgoing connection event from ad_svc.trace)
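To pull the fields described above out of connection_trace.txt and ad_svc.trace, here is an added Python example (not code from the original post). The tab-separated column layout of connection_trace.txt and the "Logged in from <ip>:<port> on relay <id>" wording of the ad_svc.trace session line are assumptions, and every sample line is constructed. It goes one step beyond the post by joining the two files on their timestamps, so that an AnyDesk ID ends up next to the IP that used it.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of connection_trace.txt. Assumed tab-separated layout:
# direction, "YYYY-MM-DD, HH:MM", auth result, alias, AnyDesk ID.
CONNECTION_TRACE = """\
Incoming\t2021-04-29, 14:25\tUser\t123456789\t123456789
Incoming\t2021-04-29, 16:03\tREJECTED\t987654321\t987654321
Incoming\t2021-04-30, 09:12\tPassive\t123456789\t123456789
"""
# Constructed ad_svc.trace lines; the "Logged in from ... on relay ..." wording is assumed.
AD_SVC_TRACE = """\
info 2021-04-29 14:25:11.102  gsvc  1234  5678  12  app.session - Logged in from 203.0.113.45:52012 on relay 9e2a3b.
info 2021-04-30 09:12:07.555  gsvc  1234  5679  12  app.session - Logged in from 198.51.100.7:61000 on relay 1f4c0d.
"""
LOGIN_RE = re.compile(r"^\w+\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+.*?"
                      r"Logged in from (?P<ip>[\d.]+):(?P<port>\d+) on relay (?P<relay>\w+)")

def parse_connection_trace(text):
    """One dict per well-formed line; rejected attempts are kept, flagged in 'status'."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # truncated or hand-edited line: skip rather than guess
        direction, ts, status, alias, peer_id = parts
        rows.append({"direction": direction, "status": status, "alias": alias,
                     "id": peer_id, "ts": datetime.strptime(ts, "%Y-%m-%d, %H:%M")})
    return rows

def parse_logins(text):
    """Peer IP, source port and relay for every 'Logged in from' line of ad_svc.trace."""
    out = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            out.append(d)
    return out

def correlate(rows, logins, window=timedelta(minutes=2)):
    """Join accepted entries (ID, minute precision) with the first login within the window."""
    joined = []
    for r in rows:
        if r["status"] == "REJECTED":
            continue
        best = next((l for l in logins if abs(l["ts"] - r["ts"]) <= window), None)
        joined.append((r["id"], r["ts"].isoformat(timespec="minutes"),
                       best["ip"] if best else None, best["relay"] if best else None))
    return joined
```

Rejected attempts are dropped from the join on purpose: they still matter as evidence of knocking, so review them separately from the parsed rows.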

- Chat Log

The AnyDesk chat log is stored in the chat folder under the portable-version path.

(Figure: example chat log)

Each log file is named after the ID that connected to the desktop and has the .txt format. In this log we can see the whole conversation history from previous sessions.

(Figure: chat log example)

- Other Evidence

Sometimes the AnyDesk logs have been altered by the threat actor. If that happens we can try to restore them with recovery tools such as EaseUS, R-Recovery and so on. When they cannot be restored, the only option is to look for other evidence.

We can see the IP addresses of incoming AnyDesk connections in a network packet capture. Why a packet capture? We could look at the traffic log of a firewall or IPS, but the source IP recorded there for an incoming connection is only the IP of the AnyDesk relay server; the original IP of the incoming connection is not captured by the firewall.

With a packet capture we can see the original IP of the incoming AnyDesk connection.

By default AnyDesk uses port 80, 442 or 6568, but when it accepts a connection request it listens on port 7070. So in a packet capture tool such as Wireshark or Moloch we can filter for all connections that use port 7070.

(Figure: example of an AnyDesk incoming connection in a Wireshark PCAP)

Additional evidence can be found at the OS level. We can check program-execution artifacts to see how often and when AnyDesk was executed by the user; these can be obtained by analysing UserAssist and Prefetch. We can also check the installed-programs artifacts of the OS. If you are not familiar with these, you can watch this video to learn about Windows forensics.

https://www.youtube.com/watch?v=f4RAtR_3zcs

AnyDesk Issues

From a forensic point of view, we found some issues with AnyDesk.

1. Logs can be erased or modified easily

The logs can be erased simply by deleting the files, and they can be modified just as easily with Notepad. With this, a threat actor can easily hide their tracks as an anti-forensic measure.

So we need to make sure these logs are stored safely, or back them up to a safe place that the threat actor cannot reach.

2. The AnyDesk ID can be changed easily

You can change your ID easily by reinstalling the application, provided the uninstall process deletes all residual items from your PC. After all files are deleted, you can download AnyDesk again and get a new ID.

Because of this, the AnyDesk ID we obtained earlier from the logs is useless; the only way we can track the perpetrator is the IP address that connected to AnyDesk.

Lessons Learned

From this case we can learn the risks of remote desktop applications, not limited to AnyDesk, when they are not configured properly.

So the first thing to do is make sure all logs are secured before connecting to an environment that uses AnyDesk. Second, AnyDesk has security features such as 2FA, ACLs and user permissions; make sure to enable all the functions you need before using AnyDesk. Many users ignore important security policies that should be checked before using a remote desktop application, especially since this application is free to use.
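As an added example for issue 1 above and for this first lesson (not the post's own code): a Python script that hashes the log files this post names into a baseline manifest and later reports which of them were modified, deleted or added, which is how an edited or wiped log shows up before anyone reads it. The log folder, the ID-named chat file and the tampering in demo() are all constructed in a temporary directory; demo() writes the baseline into that same folder only so it runs stand-alone, whereas the real baseline belongs off-host.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files this post names as the AnyDesk evidence set (C:\ProgramData\AnyDesk when installed,
# %APPDATA%\AnyDesk when portable); chat\ holds one <ID>.txt per peer.
LOG_FILES = ("connection_trace.txt", "ad.trace", "ad_svc.trace")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Hash every AnyDesk log (plus chat/*.txt) under root; keys are relative paths."""
    root = Path(root)
    targets = [root / n for n in LOG_FILES] + sorted((root / "chat").glob("*.txt"))
    return {p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
            for p in targets if p.is_file()}

def diff_manifest(baseline, current):
    """Report baseline files that were modified or deleted, and files that appeared since."""
    report = {"modified": [], "deleted": [], "added": sorted(set(current) - set(baseline))}
    for name, meta in baseline.items():
        if name not in current:
            report["deleted"].append(name)
        elif current[name]["sha256"] != meta["sha256"]:
            report["modified"].append(name)
    return report

def save_manifest(manifest, dest):
    """Store the baseline off-host (a share the AnyDesk machine cannot write to)."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def demo():
    """Self-contained run on a constructed log folder: baseline, tamper, compare."""
    root = Path(tempfile.mkdtemp())
    (root / "chat").mkdir()
    (root / "connection_trace.txt").write_text("Incoming\t2021-04-29, 14:25\tUser\t123456789\t123456789\n")
    (root / "ad_svc.trace").write_text("info 2021-04-29 14:25:11.102 app.session - Logged in from 203.0.113.45:52012\n")
    (root / "chat" / "123456789.txt").write_text("hello\n")
    baseline = build_manifest(root)
    save_manifest(baseline, root / "baseline.json")  # demo only: keep the real baseline off-host
    # Simulate the anti-forensic steps the post describes: edit one log, delete another.
    (root / "connection_trace.txt").write_text("")
    (root / "chat" / "123456789.txt").unlink()
    return diff_manifest(json.loads((root / "baseline.json").read_text()), build_manifest(root))
```

Run build_manifest on a schedule and ship the JSON to your SIEM or a write-once share; a non-empty "modified" or "deleted" list is the alert, since AnyDesk itself never rewrites or removes these files during normal use.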

Keep Secure Everyone :))
