Teamviewer Protocol


TeamViewer Forensics – Analyze TeamViewer and its Log Files For Investigation

Introduction to TeamViewer

TeamViewer is a popular Internet-based remote administration software package developed by TeamViewer GmbH. It connects any PC or server over the Internet so that a partner's computer can be controlled remotely, presenting an interface as if we were sitting in front of that computer. It is an all-in-one solution offering remote control, desktop sharing, file transfer, messaging and more. The latest version of TeamViewer is [get it here] and it is for personal/non-commercial use. TeamViewer supports the common platforms, notably Windows, Linux, Mac and mobile phones.

Role of TeamViewer in Digital Forensics

Since TeamViewer is a powerful remote monitoring tool, it plays a significant role in digital forensics. An unauthorized person who intrudes into someone's PC gains access to their data. Remote control is as powerful as physical access to the target system: the remote controller can perform every activity a local user can. They can capture crucial and confidential information present on the remote PC and can also destroy or misuse it. A forensic examiner therefore needs to know TeamViewer's activities in detail and how to retrieve the information buried in its logs.

Artifacts of TeamViewer

TeamViewer artifacts are present at three ends: the remote administrator side (Support PC), the server through which the connection is established and communication takes place (Secure Access Server), and the PC that is accessed remotely (Client PC). The figure shows the communication process in TeamViewer.

Here we discuss the artifacts on the client and remote administrator PCs. TeamViewer saves all connection information and activity details in its installation directory, which is extremely helpful for forensic investigators. The artifacts of TeamViewer can be found inside the directories given below:

C:\Program Files\Teamviewer

and

C:\Users\user\AppData\Roaming\TeamViewer

Inside the installation directory, TeamViewer logs all its activities. There are mainly two log files that TeamViewer maintains:

  • Connections_incoming.txt

It stores the details of each incoming connection established to the client PC. Sample content of this log file is shown below:

[Figure: TeamViewer ID]

It lists the connected TeamViewer ID, the computer name from which the connection was established, the time duration, the connection type and the connection's unique ID. The basic details of a connection can be obtained from this text file. For more detailed information, we should open the TeamViewerX_Logfile.log file.

  • TeamViewerX_Logfile.log

It stores each and every activity of TeamViewer with timestamps, remote system IP, TeamViewer ID etc. This log file is the complete history of all incoming and outgoing connections. A few entries from this log file are shown below:

[Figure: List of Log File]

In addition to these logs, we can find TVC (TeamViewer Configuration) files created by TeamViewer under the folder:

C:\Users\user\AppData\Roaming\Teamviewer\MRU\RemoteSupport

Each file represents a remote connection that was established, and the file name is the remote TeamViewer ID. We can open this file in any text editor, which will show the “Target ID” (TeamViewer ID) and “Action” (type of remote assistance).
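As an added example (not code from the original post), the following Python script turns the Connections_incoming.txt entries described above into a sorted session timeline, computes each session's duration and flags sessions that began outside working hours, which are the ones an investigator would trace further in TeamViewerX_Logfile.log. The tab-separated column order and the timestamp format are assumptions and should be checked against a real file; the sample lines are constructed.

```python
# Parse TeamViewer's Connections_incoming.txt into a sorted session timeline.
# Assumed layout (this example's assumption, not stated in the post): tab-separated
# remote TeamViewer ID, computer name, start, end, local user, connection type,
# connection ID, timestamps DD-MM-YYYY HH:MM:SS. Check against a real file first.
from datetime import datetime, time
from typing import Dict, List, Tuple

FIELDS = ("remote_id", "computer", "start", "end", "local_user", "conn_type", "conn_id")
TS_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample lines; host names and GUIDs are made up, the last line is deliberately damaged.
SAMPLE_LOG = (
    "474556784\tSUPPORT-PC\t12-03-2019 09:15:02\t12-03-2019 09:47:30\tuser\tRemoteControl\t{00000000-0000-0000-0000-000000000001}\n"
    "474556784\tSUPPORT-PC\t12-03-2019 23:10:00\t13-03-2019 00:05:12\tuser\tFileTransfer\t{00000000-0000-0000-0000-000000000002}\n"
    "987654321\tUNKNOWN-HOST\t13-03-2019 02:30:45\t13-03-2019 02:31:05\tuser\tRemoteControl\t{00000000-0000-0000-0000-000000000003}\n"
    "truncated line without tabs\n"
)


def parse_incoming(text: str) -> Tuple[List[Dict], List[int]]:
    """Return (sessions sorted by start time, line numbers that did not parse)."""
    sessions, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.rstrip("\r").split("\t")
        if len(parts) != len(FIELDS):
            bad.append(lineno)  # record, never silently drop, odd evidence lines
            continue
        rec = dict(zip(FIELDS, parts))
        try:
            rec["start"] = datetime.strptime(rec["start"], TS_FMT)
            rec["end"] = datetime.strptime(rec["end"], TS_FMT)
        except ValueError:
            bad.append(lineno)
            continue
        rec["duration_s"] = int((rec["end"] - rec["start"]).total_seconds())
        sessions.append(rec)
    return sorted(sessions, key=lambda r: r["start"]), bad


def after_hours(sessions: List[Dict], day_start=time(8), day_end=time(18)) -> List[Dict]:
    """Sessions starting outside working hours: candidates to trace in TeamViewerX_Logfile.log."""
    return [s for s in sessions if not (day_start <= s["start"].time() < day_end)]


if __name__ == "__main__":
    sess, bad = parse_incoming(SAMPLE_LOG)
    print(len(sess), "sessions; unparsed lines:", bad, "| after hours:", [s["conn_id"] for s in after_hours(sess)])
```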

Analysis of Log File

As pointed out above, the log file contains detailed information about all activities. Here we explore a few TeamViewer forensic artifacts that a forensic investigator needs to concentrate on.

The start session entry indicates the beginning of a new session. From the above sample log details, we can see the timestamp of the session start along with the version used. The other details, such as IP, IE version etc., describe the machine from which the system was accessed. It is important for the forensic investigator to identify the location from which the remote access was performed.

Now let us look at a few details about the remote PC described in the log file. Consider the following piece of the log file.

[Figure: Remote PC Description]

If this log was collected from your computer, then 474556784 is the remote computer's TeamViewer ID, 135339165 is your computer's TeamViewer ID and 192.168.2.88 is the remote system's IP address.

Conclusion

As a popular and powerful remote administration tool, TeamViewer plays an important role in forensic investigations. It records all the activities performed through it in its log files. These logs are valuable and as important as acquired email evidence when looking for proof that someone accused of a cybercrime used TeamViewer and was involved with other email platforms. In the above sections, we have discussed the evidence artifacts recorded in the log files and TeamViewer TVC files.