Teamviewer Forensic Artifacts

The average system administrator uses remote administration tools to enable them to tend to systems across their network. There are a variety of these tools available and one of them is Teamviewer. During an incident, there are several logs and artifacts of interest that are vital. Each log provides some level of data that can be valuable to an analyst. The logs and their location are as follows:

  • C:\Program Files(x86)\Teamviewer\Connections_incoming.txt
  • C:\Program Files(x86)\Teamviewer\TeamViewer15_Logfile.log
  • C:\Program Files(x86)\Teamviewer\TeamViewer15_Logfile_OLD.log
  • C:\Users\<user>\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc
  • C:\Users\<user>\AppData\Roaming\TeamViewer\connections.txt

Each log provides information of particular use during analysis. The breakdown of what that information is for each log is as follows:

  • C:\ProgramFiles(x86)\Teamviewer\Connections_incoming.txt
    • Contains logs of successful connections to the system
    • Contains the following Properties: Teamviewer ID of the connecting device, display name, start time, end time, the username of logged on user, connection type, and the connection ID
    • Depicted time in the log is in UTC
  • C:\ProgramFiles(x86)\Teamviewer\TeamViewer15_Logfile.log
  • Contains verbose information for troubleshooting
    • Contains verbose logging of incoming and outgoing connections that can be used to:
    • identify successful and unsuccessful incoming or outgoing connections
    • identify settings and characteristics about the connecting system
    • identify the public IP (or assigned IP) of the connecting system
    • PID associated with the Teamviewer program
    • Depicted time in the log is local time to the system
  • C:\ProgramFiles(x86)\Teamviewer\TeamViewer15_Logfile_OLD.log
    • Rollover log of C:\ProgramFiles(x86)\Teamviewer\TeamViewer15_Logfile.log
  • C:\Users<user>\AppData\Roaming\TeamViewer\MRU\RemoteSupport*tvc
    • Files are artifacts of successful connections
    • The data from the file populates the dropdown list under “Partner ID” in the program’s GUI
  • C:\Users<user>\AppData\Roaming\TeamViewer\connections.txt
    • Contains logs of successful outgoing connections
    • Contains the following Properties: Teamviewer ID of the connecting device, start time, end time, the username of logged on user, connection type, and the connection ID
    • Depicted time in the log is in UTC

For the most part, the log files are flat text files. In an effort to ease analysis efforts, I created a series of PowerShell functions that parse the log files and present relevant data. That capability can be found here.

Some questions that an analyst can glean from the logs are as follows:

  • What outgoing connections have this machine made?
  • Of those connections, what were the successful and unsuccessful ones?
  • What incoming connections were made to this machine?
  • What PID was tied to that connection and was there child process spawned?
  • What IPs are communicating with this machine?
  • What Teamviewer IDs communicate with this machine?
  • What is the keyboard layout associated with the incoming connection?
  • Were there any files transmitted during the incoming connection?
  • What is the duration of the incoming and outgoing connection?
  • How long does the Teamviewer process run, on average?

Copyright © 2024 Cyber Fibers