Teamviewer Forensic Basic Tips

This Post Covers

TeamViewer provides easy-to-use interface that many people like and remote control with each other with convenient way. We could install it in friends’ laptop, parents desktop in order to remotely troubleshoot their computers. It’s good way to help your relatives with not much of computer knowledge or not into it.

Teamviewer Logs analysis have been publicly open by a bunch of forensicators for a long time, we could search & find it in google with a keyword “teamviewer forensics”. As the software version upgrades some structure & log path have slightly changed, but outline in general seems the same.

In recent case, I was doing a little test teamviewer out and found some interesting info, IPv6. I will cover two posts, one for basics and the other for tips & share what I found.

TeamViewer(v15.16.8) Logs

What’s more important in general investigation/examination point of view is to find suspect’s information or any link that could possibly lead to suspects. Given this aspect, two meaningful logs of teamviewer are as follows:

  1. Remote Connection(imcoming) Log: Connections_incoming.txt
  2. Connection Detail Log: TeamViewer##_Logfile.log

Log path in windows OS(x64 arch) stored in:

  • x86 installer: C:\Program Files (x86)\TeamViewer
  • x64 installer: C:\Program Files\TeamViewer

When remote connection successfully made from Device A to B, as Fig 1. below, it will generate incoming log on the Device B side with a bunch of Device A’s info.

image
[ Fig 1. Remote Support Scenario from Device A to B ]

Connections_incoming.txt (UTC 0)

1. A’s TeamViewer Autogenerated ID

An autogenerated ID is comprised of numbers(9 to 10 numerical digits) that enables remote communication properly by the software. These numbers are used in the program, as devices are managed and identified by those numbers.

image
[ Fig 2. Teamviewer ID for Remote Control ]

Every device has its own unique ID. It stays the same as it was, whether we reboot the system, close and rerun the program or not. Even re-install TeamViewer.

2. A’s Display Name or Teamviewer ID(if login)

This column could easily be misinterpreted as Computer Names. In many cases, all we can see in the log is the computer names in general. However, looking a little deep into its change, we know that is the devices’ display name(or screen name).

image
[ Fig 3. Display name ]

The column also can change by user’s login and logout status. If we don’t login, teamviewer automatically configure Computer Name as display name by defult. If we change the display name manually, changed name will be applied and the next round it will be shown in both Connections_incoming.txt and TeamViewer##_Logfile.log Logs.

If we do log in, then your teamviewer account username will get the higher priority and be set for the logs which will be recorded instead of Display Name(computer name by default).

image
[ Fig 4. Log generated depending on login/logout status ]

I sometimes login to use teamviewer because it provides some decent features such as manage remote computer lists and check their online status. However, most people seem to use teamviewer without login, and that’s why some forensicators could miss the piece of evidence.

One important thing to know about is the fact that username also can change like in Fig 4. We should also keep that in mind.

3. Remote Support Start Time (UTC 0)

Remote connection start datetime is recorded in dd-MM-yyyy hh:mm:ss format, so we need to perform proper converting timezone, local tz for example, and yet it’s different for each case.

4. Remote Support End Time (UTC 0)

End date and time of connection, formats are the same as start datetime mentioned above.

5. B’s OS Account (Username)

This also may be confusing column, it has nothing to do with Teamviewer account’s username or display name. The column contains username of Operating System. One thing to consider & think about here is, whether it’s recorded differently by Windows Local Account or MS account login.

After testing out these two cases in windows OS, I have concluded that regardless of login type, the log is only recorded by local user account name.

image
[ Fig 5. OS Local Account in connections_incoming.txt]

Wrap-up

There are several suspects’ meaningful information even only in Connections_incoming.txt Log. That wraps up with two bullet points as below.

  1. Teamviewer ID
    ➔ An auto-generated UNIQUE digits that generated by teamviewer for remote connection.
  2. Display Name
    ➔ Possilibity of suspect’s teamviewer (email)ID if display name is not computer name. ➔ In addition to a Search and Seizure Warrant, it is recommended that you should use the cyber intelligence, OSINT.

In the next post we’ll be covering TeamViewer##_Logfile.log in detail, IPv6 information and tips of log analysis.

Reference

Leave a comment