Digital Forensic Artifact of TeamViewer Application

amar haq
MII Cyber Security Consulting Services
Feb 11, 2021

TeamViewer is a proprietary software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.

Basically, a TeamViewer ID and a random password are generated when the client goes online and registers with the TeamViewer server. So if we want to connect to another computer, we only need the ID and password of the target.

Example of TeamViewer connection

TeamViewer is easy to use and user friendly; you can download it for free or buy a license with advanced features. But this convenience is inversely proportional to security.

We can connect to another computer with just a TeamViewer ID and password (a random password, or a fixed password for unattended access). Imagine an attacker has our TeamViewer ID and password and uses them to abuse another TeamViewer host. What can we investigate, and where do we start?

I got this information from Benleeyr's TeamViewer Forensic blog; this is my summary of what I got from the blog.

TeamViewer Logs and Paths on Devices

Connection_incoming.txt

Connection_incoming.txt records successful incoming connections; it lives under C:\Program Files (or Program Files (x86))\TeamViewer.

TeamViewer provides 2 connection modes:

  • Remote Control : remote desktop
  • File Transfer : only transfer file
Connection mode on TeamViewer
Log Connection_incoming.txt

So this machine, Wind10TV, has incoming connections from ID 1718598xxx with username/host M-Benz. If you look at the details, there are 2 username/host entries for connections from ID 1718598xxx. This is because for the 1st one I used the random password shown on screen (not logged in), and for the 2nd one I was logged in with a username (account) as Personal in TeamViewer, so the record is saved as a username rather than the hostname of the machine that connected to this host.

TeamViewer<version>_Logfile.log

Because I use TeamViewer 15, this log is named TeamViewer15_Logfile.log, under C:\Program Files (or Program Files (x86))\TeamViewer. This log actually contains a lot of information, such as:

  • Device information (operating system, IP address of the host device, CPU, proxy settings, timezone; I use UTC+7:00)
  • ID of device TeamViewer
  • TeamViewer Server
  • Application path
  • Incoming connection
  • Failed incoming connection
  • Outgoing connection
Device information on TeamViewer15.log

In some cases we cannot see the TeamViewer ID of the host in the device information, because the ID is assigned during the initialization phase; we can find it with the keyword "MachineID".

Device information on TeamViewer15.log without ID
TeamViewer ID Host on MachineID

So this machine has TeamViewer ID 811343xxx.

We can check incoming connections in this log with the keyword:

  • AuthenticationPasswordLogin_Passive with "successful"
Incoming connection from TeamViewer15.log

Now we try to reveal failed connection attempts to this device with:

  • AuthenticationPasswordLogin_Passive with "denied"
Failed connection attempt from ID 1718598xxx

Attempts to connect to another machine can be detected with the keyword:

  • Trying connection to
Trying connection to
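As an added example (not from the original post or from Benleeyr's blog), a small Python triage script that applies the keyword checks above to constructed sample lines: it pulls the MachineID, counts successful and denied AuthenticationPasswordLogin_Passive events, lists "Trying connection to" attempts, and parses Connections_incoming.txt into per-session records. The log line layout and the tab-separated column order of Connections_incoming.txt are assumptions; check them against your own files.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of TeamViewer<version>_Logfile.log
# (timestamp, then message). The exact layout is an assumption; the keywords
# are the ones the post searches for.
SAMPLE_LOG = """\
2021/02/11 10:02:11.123  MachineID: 811343000
2021/02/11 10:05:40.456  AuthenticationPasswordLogin_Passive: successful
2021/02/11 10:07:02.789  AuthenticationPasswordLogin_Passive: denied
2021/02/11 10:07:30.001  AuthenticationPasswordLogin_Passive: denied
2021/02/11 10:09:15.000  Trying connection to 555123000, mode = 1
"""

# Constructed sample of Connections_incoming.txt. Assumed tab-separated columns:
# remote ID, remote name, start, end, local user, mode, connection GUID.
SAMPLE_INCOMING = (
    "1718598000\tM-Benz\t11-02-2021 10:05:40\t11-02-2021 10:20:12\tuser\tRemoteControl\t{guid-1}\n"
    "1718598000\ttvuser\t11-02-2021 11:00:00\t11-02-2021 11:03:00\tuser\tFileTransfer\t{guid-2}\n"
)

TS = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def triage_logfile(text):
    """Collect the events the post says to look for: MachineID, successful and
    denied passive password logins (incoming), and outgoing attempts."""
    found = {"machine_id": None, "successful": [], "denied": [], "outgoing": []}
    for line in text.splitlines():
        ts = TS.match(line)
        when = ts.group(1) if ts else "?"
        if m := re.search(r"MachineID:\s*(\d+)", line):
            found["machine_id"] = m.group(1)
        elif "AuthenticationPasswordLogin_Passive" in line:
            found["successful" if "successful" in line else "denied"].append(when)
        elif m := re.search(r"Trying connection to (\d+)", line):
            found["outgoing"].append((when, m.group(1)))
    return found

def parse_incoming(text):
    """Parse Connections_incoming.txt rows into dicts, one per session."""
    cols = ["remote_id", "remote_name", "start", "end", "local_user", "mode", "guid"]
    return [dict(zip(cols, ln.split("\t"))) for ln in text.splitlines() if ln.strip()]

def sessions_by_remote_id(rows):
    """How many times each remote TeamViewer ID connected to this host."""
    return Counter(r["remote_id"] for r in rows)

if __name__ == "__main__":
    print(triage_logfile(SAMPLE_LOG))
    print(sessions_by_remote_id(parse_incoming(SAMPLE_INCOMING)))
```

A run of denied events followed by a successful one from the same time window is the pattern worth correlating with the remote IDs in Connections_incoming.txt.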

Log Connections.txt

Connections.txt is under C:\Users\<user>\AppData\Roaming\TeamViewer and consists of outgoing connections to other TeamViewer IDs.

Log .tvc

The .tvc log is under C:\Users\<user>\AppData\Roaming\TeamViewer\MRU\RemoteSupport and lists the outgoing TeamViewer IDs that have ever been connected to. I will show what it means.

.tvc log

The details are in Connections.txt under C:\Users\<user>\AppData\Roaming\TeamViewer.

Connections.txt details explaining the .tvc log

Uninstalled TeamViewer

What if someone uninstalled TeamViewer? What artifacts can we find to detect that someone ever installed TeamViewer, and what artifacts are left behind?

TeamViewer Uninstalled

Checking Windows execution artifacts

Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database, which was created by Microsoft and is used by the Windows operating system to identify application compatibility issues. This information can track applications that executed on the system. The Shimcache is in the SYSTEM registry hive at C:\Windows\System32\Config\SYSTEM, under the key SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, and we can open it with Registry Explorer from the Eric Zimmerman tools.

System Registry
TeamViewer execution from Shimcache

Prefetch is a mechanism that increases system performance by pre-loading code pages of commonly used applications. The Cache Manager monitors all files and directories referenced by each application or process and records them in a .pf file. It is used to determine that an application was executed on a system. The prefetch path is C:\Windows\Prefetch, and to open the files we can use Prefetch Parser from the Eric Zimmerman tools.

Prefetch TeamViewer
Prefetch Parser EricZimmerman for TeamViewer.exe-B57FDE50.pf

Artifact Left from Uninstalled TeamViewer

Some artifacts are not deleted by the uninstall; these artifacts are:

  • connections_incoming.txt under C:\Program Files\TeamViewer
Connections_incoming.txt artifact left
  • Connections.txt and TeamViewer15_Logfile.log under C:\Users\<user>\AppData\Roaming\TeamViewer\
Connections.txt and TeamViewer15_Logfile.log artifact left
  • .tvc under C:\Users\<user>\AppData\Roaming\TeamViewer\MRU\RemoteSupport
.tvc artifact left

Conclusion

  1. We know what TeamViewer information to look for and where to find it:
  • Who (which TeamViewer ID) logged in with TeamViewer
  • When someone logged in using TeamViewer
  • Which TeamViewer ID I tried to connect to

  2. Not all TeamViewer artifacts are deleted after an uninstall.

  3. We can find execution activity in the registry to check whether TeamViewer ever ran on the system.

  4. It is worthwhile to look at the TeamViewer information logs during analysis or forensic activity.
