Investigating AnyDesk
24/12/2021 Friday
AnyDesk is a remote desktop application similar to TeamViewer. The software offers a variety of functionality such as remote access and control, file transfer, and VPN. AnyDesk is available for desktop computers including Windows, macOS, and Linux. It is also available for smartphones and tablets running iOS/iPadOS or Android operating system.
Digital Forensics Value of AnyDesk Artifacts
AnyDesk and other remote desktop applications are widely used because of their many capabilities; however, they can also pose a serious threat to individuals as well as businesses. Threat actors can take advantage of such software to gain unauthorized access to the victim/target device stealing sensitive confidential data, distributing malware and so on. Hence, it is important to be able to view and analyze critical artifacts related to remote access applications.
Location of AnyDesk Artifacts
In Windows systems, AnyDesk artifacts are found in the following two locations:
- C:\ProgramData\AnyDesk\
- C:\Users\%Username%\Appdata\Roaming\AnyDesk\
Analyzing AnyDesk Artifacts with ArtiFast Windows
This section discusses how to use ArtiFast Windows to analyze AnyDesk artifacts from Windows
machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase,
you can select AnyDesk artifacts:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of AnyDesk artifacts in ArtiFast Windows.
AnyDesk Actions Log Artifact
- Startup ID - Unique identifier representing startup session.
- Level - Log entry severity level.
- PID - Process ID.
- Thread - Thread the entry belongs to.
- Event Interface - Interface through which logged event occurred.
- Event Source - Logged event source.
- Event Summary - Logged event summary.
- Log Entry Date/Time - Log entry Date/Time.
AnyDesk Chat Sessions Artifact
- Client - Client sending the message.
- Remote Client ID - Remote client Identifier.
- Message - The message content.
AnyDesk Connections Trace Artifact
- Direction - Connection direction.
- Connection Status - Whether and how access was granted.
- Alias - Alias.
- Remote Client ID - Remote Client ID.
- Connection Date/Time - Date/Time connection occurred.
AnyDesk Services Log Artifact
- Startup ID - Unique identifier representing startup session.
- Level - Log entry severity level.
- PID - Process ID.
- Thread - Thread the entry belongs to.
- Event Source - Logged event source.
- Event Summary - Logged event summary.
- Log Entry Date/Time - Log entry Date/Time.
- Service - Service name.
- Fiber ID - Fiber ID.
- Source File - The file the log entry is parsed from.
AnyDesk Session Recordings Artifact
- Session Type - Indicates whether the connection was incoming or outgoing.
- Source Name - Name of client that established session.
- Source ID - ID of client that established session.
- Destination Name - Name of client that was connected to.
- Destination ID - ID of client that was connected to.
- Size - File size.
- Last Modified Date/Time - Date/Time file was last modified.
AnyDesk Thumbnails Artifact
- Name - Thumbnail nail.
- Thumbnail Path - Thumbnail path.
- Thumbnail Size - Size.
- Icon Path - Icon path.
- Icon Size - Size.
- Thumbnail Last Modified Date/Time - Thumbnail last modified date/time.
- Icon Last Modified Date/Time - Icon last modified date/time.
AnyDesk Unattended Session Password Artifact
- Password Hash - Password hash.
- Password Salt - Password salt.
AnyDesk User Configurations Artifact
- Local Start Path - Local browser start path.
- Remote Start Path - Remote browser start path.
- Show keyboard - Session show keyboard.
- Print Auto Execution - Print automatic execution in jobs.
- Print Mode - Print mode.
- Favorite Client IDs - Favorite sessions client IDs.
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com
