Digital Forensic Artifacts of the TeamViewer Application
TeamViewer is a proprietary software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.
When TeamViewer goes online it contacts the TeamViewer server, which assigns the machine a TeamViewer ID and generates a random session password. To connect to another computer, all that is needed is that target's ID and password.
TeamViewer is easy to use and user friendly; it can be downloaded for free or licensed with advanced features. That convenience comes at the cost of security.
Anyone can connect to a computer with just its TeamViewer ID and password (either the random session password or a fixed password set for unattended access). Imagine an attacker obtains our TeamViewer ID and password and uses them to abuse another TeamViewer host. What can we investigate, and where do we start?
I got this information from Benleeyr's TeamViewer Forensic blog; this is my summary of the blog.
Connections_incoming.txt
Connections_incoming.txt records successful incoming connections. It is located under C:\Program Files\TeamViewer (or C:\Program Files (x86)\TeamViewer).
TeamViewer provides two connection modes:
- Remote Control: remote desktop
- File Transfer: file transfer only
So this machine, Wind10TV, had incoming connections from ID 1718598xxx with username/host M-Benz. Looking at the details, there are two entries for ID 1718598xxx with different username/host values: for the first one I used the random password shown on screen (not logged in), and for the second one I was logged in to a TeamViewer account (Personal), so the record saved the account username instead of the hostname of the machine that connected to this host.
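To turn the Connections_incoming.txt records into a session timeline per remote ID, here is an added example; it is not code from the original blog or from TeamViewer. The tab-separated column layout it parses (remote ID, remote name, start, end, local Windows user, mode, session ID) and the day-month-year timestamp format are assumptions about the file, and the sample records are constructed with IDs masked as in the post.

```python
"""Timeline of incoming TeamViewer sessions from Connections_incoming.txt.

Added example for this post, not code from the original blog or from
TeamViewer. The column layout is an assumption about the file format:
tab-separated fields of remote ID, remote name (hostname or account),
start time, end time, local Windows user, connection mode and session ID.
"""
from datetime import datetime

# Constructed sample records in that assumed layout (IDs masked as in the post).
SAMPLE_INCOMING = (
    "1718598xxx\tM-Benz\t12-05-2021 10:23:11\t12-05-2021 10:30:45\tAdmin\tRemoteControl\t{sess-1}\n"
    "1718598xxx\tbenz.account\t12-05-2021 11:02:03\t12-05-2021 11:05:40\tAdmin\tRemoteControl\t{sess-2}\n"
    "1718598xxx\tM-Benz\t13-05-2021 09:00:00\t13-05-2021 09:01:30\tAdmin\tFileTransfer\t{sess-3}\n"
)

FIELDS = ("remote_id", "remote_name", "start", "end", "local_user", "mode", "session_id")
TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed day-month-year timestamp format


def parse_incoming(text):
    """Return one dict per session, with parsed timestamps and duration in seconds."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} tab-separated fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["start"] = datetime.strptime(rec["start"], TS_FORMAT)
        rec["end"] = datetime.strptime(rec["end"], TS_FORMAT)
        rec["duration_s"] = int((rec["end"] - rec["start"]).total_seconds())
        sessions.append(rec)
    return sessions


def summarize_by_remote(sessions):
    """Group sessions per remote TeamViewer ID.

    One ID showing up under several names is exactly the case in the post:
    one connection with the random password (hostname recorded) and one while
    logged in to an account (account name recorded).
    """
    summary = {}
    for s in sessions:
        entry = summary.setdefault(
            s["remote_id"],
            {"names": set(), "modes": set(), "sessions": 0, "total_s": 0,
             "first": s["start"], "last": s["end"]},
        )
        entry["names"].add(s["remote_name"])
        entry["modes"].add(s["mode"])
        entry["sessions"] += 1
        entry["total_s"] += s["duration_s"]
        entry["first"] = min(entry["first"], s["start"])
        entry["last"] = max(entry["last"], s["end"])
    return summary


if __name__ == "__main__":
    sessions = parse_incoming(SAMPLE_INCOMING)
    for s in sorted(sessions, key=lambda r: r["start"]):
        print(f"{s['start']:%Y-%m-%d %H:%M:%S}  {s['remote_id']:<12} {s['remote_name']:<14} "
              f"{s['mode']:<14} {s['duration_s']:>5}s  local user={s['local_user']}")
    for remote_id, info in summarize_by_remote(sessions).items():
        print(f"{remote_id}: {info['sessions']} sessions, names={sorted(info['names'])}, "
              f"modes={sorted(info['modes'])}, total={info['total_s']}s")
```

Pointing parse_incoming at the real file's contents gives a sortable list of who connected, when, for how long and in which mode; if the actual column order differs from the assumed one, adjust FIELDS and TS_FORMAT before trusting the output.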
TeamViewer<version>_Logfile.log
Because I use TeamViewer 15, this log is named TeamViewer15_Logfile.log and lives under C:\Program Files\TeamViewer (or C:\Program Files (x86)\TeamViewer). This log contains a lot of information, such as:
- Device information (operating system, IP address of the host device, CPU, proxy settings, timezone; I use UTC+07:00)
- TeamViewer ID of the device
- TeamViewer Server
- Application path
- Incoming connection
- Failed incoming connection
- Outgoing connection
In some cases the TeamViewer ID of the host is not obvious, because it is only written during the initialisation phase; we can find it with the keyword “MachineID”.
So this machine has TeamViewer ID 811343xxx.
We can check incoming connections in this log with the keyword:
- AuthenticationPasswordLogin_Passive with result “successful”
Failed connection attempts against this device can be revealed with the same keyword:
- AuthenticationPasswordLogin_Passive with result “denied”
Attempts from this machine to connect to another machine can be detected with the keyword:
- Trying connection to
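The keyword searches above can be scripted so that one pass over the log file yields the host's MachineID, the successful and denied incoming logins, and the outgoing attempts. The following is an added example, not code from the original blog or from TeamViewer. The line layout it assumes (a "YYYY/MM/DD HH:MM:SS.mmm" prefix followed by the message, with the remote ID after "ID") is an assumption about the log format, and the sample lines are constructed, with IDs masked as in the post.

```python
"""Keyword triage of a TeamViewer<version>_Logfile.log.

Added example for this post, not code from the original blog or from
TeamViewer. It extracts the four things the post says to search for:
MachineID, successful and denied AuthenticationPasswordLogin_Passive
events, and "Trying connection to" outgoing attempts. The line layout
("YYYY/MM/DD HH:MM:SS.mmm" prefix, then the message) is an assumption;
the sample lines are constructed, with IDs masked as in the post.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
2021/05/12 10:20:00.101  1234  5678 S0   MachineID 811343xxx
2021/05/12 10:23:11.500  1234  5678 S0   AuthenticationPasswordLogin_Passive: successful, ID 1718598xxx
2021/05/12 10:40:02.010  1234  5678 S0   AuthenticationPasswordLogin_Passive: denied, ID 1555000xxx
2021/05/12 10:40:09.220  1234  5678 S0   AuthenticationPasswordLogin_Passive: denied, ID 1555000xxx
2021/05/12 10:40:15.334  1234  5678 S0   AuthenticationPasswordLogin_Passive: denied, ID 1555000xxx
2021/05/12 11:15:30.000  1234  5678 S0   Trying connection to 1234567xxx
2021/05/12 11:16:00.000  1234  5678 S0   Unrelated noise line that the triage ignores
"""

TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
MACHINE_ID_RE = re.compile(r"MachineID\s*[:=]?\s*([0-9x]+)")
PASSIVE_RE = re.compile(
    r"AuthenticationPasswordLogin_Passive.*?\b(successful|denied)\b.*?\bID\s+([0-9x]+)"
)
OUTGOING_RE = re.compile(r"Trying connection to\s+([0-9x]+)")


def triage_log(text):
    """Return the MachineID plus timestamped incoming, denied and outgoing events."""
    result = {"machine_id": None, "incoming_ok": [], "incoming_denied": [], "outgoing": []}
    for line in text.splitlines():
        ts_match = TS_RE.match(line)
        ts = ts_match.group(1) if ts_match else None
        if (m := MACHINE_ID_RE.search(line)) and result["machine_id"] is None:
            result["machine_id"] = m.group(1)  # first MachineID seen is this host's ID
        elif m := PASSIVE_RE.search(line):
            key = "incoming_ok" if m.group(1) == "successful" else "incoming_denied"
            result[key].append({"time": ts, "remote_id": m.group(2)})
        elif m := OUTGOING_RE.search(line):
            result["outgoing"].append({"time": ts, "remote_id": m.group(1)})
    # Denied attempts per source ID: repeated denials from one ID deserve a closer look.
    result["denied_counts"] = dict(Counter(e["remote_id"] for e in result["incoming_denied"]))
    return result


if __name__ == "__main__":
    r = triage_log(SAMPLE_LOG)
    print("MachineID (this host):", r["machine_id"])
    for e in r["incoming_ok"]:
        print("incoming OK ", e["time"], "from", e["remote_id"])
    for rid, n in r["denied_counts"].items():
        print(f"denied       {n} attempt(s) from {rid}")
    for e in r["outgoing"]:
        print("outgoing    ", e["time"], "to", e["remote_id"])
```

Run it against the contents of the real TeamViewer15_Logfile.log; the denied_counts dictionary is the quickest way to spot a single remote ID hammering the host with wrong passwords, and the outgoing list is the evidence that this machine was used to reach other hosts.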
Log Connections.txt
Connections.txt is located under C:\Users\<user>\AppData\Roaming\TeamViewer and records outgoing connections to other TeamViewer IDs.
Log .tvc
The .tvc files under C:\Users\<user>\AppData\Roaming\TeamViewer\MRU\RemoteSupport list the outgoing TeamViewer IDs that have ever been connected to (a most-recently-used list). I will show what this means.
The details are in Connections.txt under C:\Users\<user>\AppData\Roaming\TeamViewer.
Uninstalled TeamViewer
What if someone uninstalled TeamViewer? Which artifacts show that TeamViewer was ever installed, and what is left behind?
Checking Windows execution artifacts
Shimcache, also known as AppCompatCache, is a component of the Application Compatibility Database created by Microsoft and used by Windows to identify application compatibility issues. It can track applications that were executed on the system. The Shimcache is stored in the SYSTEM registry hive at C:\Windows\System32\Config\SYSTEM, under the key SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, and we can open it with Registry Explorer from Eric Zimmerman's tools.
Prefetch is a mechanism that improves system performance by pre-loading code pages of commonly used applications. The Cache Manager monitors all files and directories referenced by each application or process and maps them into a .pf file, so Prefetch can be used to establish that an application was executed on the system. Prefetch files live under C:\Windows\Prefetch, and we can parse them with the Prefetch Parser from Eric Zimmerman's tools.
Artifact Left from Uninstalled TeamViewer
Some artifacts are not deleted by the uninstall; those artifacts are:
- Connections_incoming.txt under C:\Program Files\TeamViewer
- Connections.txt and TeamViewer15_Logfile.log under C:\Users\<user>\AppData\Roaming\TeamViewer\
- .tvc files under C:\Users\<user>\AppData\Roaming\TeamViewer\MRU\RemoteSupport
Conclusion
1. We know what to look for and where to find TeamViewer information:
   - Who (which TeamViewer ID) logged in via TeamViewer
   - When someone logged in via TeamViewer
   - Which TeamViewer IDs I tried to connect to
2. Not all TeamViewer artifacts are deleted by the uninstall
3. We can check execution artifacts in the Registry to see whether TeamViewer was ever run on the system
4. It is worthwhile to look at the TeamViewer log files during analysis or forensic activity