LogMeIn is remote access software similar to TeamViewer and AnyDesk. It allows users to connect to devices remotely over an internet connection. These devices include laptops, workstations, servers, tablets, and smartphones. The software provides the ability to create groups of multiple devices within the application, remotely access these devices, take control of them if necessary, and share files between them. The software is mainly used by IT personnel providing technical support to businesses.
Digital Forensics Value of LogMeIn Artifacts
LogMeIn allows organizations and individuals to access devices remotely, share files, and manage and configure machines where physical access is unavailable. These capabilities are beneficial to normal users, but they also enable criminals to perform illegal activities. Therefore, analyzing remote access artifacts can provide valuable information during investigations.
Location of LogMeIn Artifacts
LogMeIn artifacts can be found at the following directories and registry locations:
Analyzing LogMeIn Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract LogMeIn artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select LogMeIn artifacts:
Once the ArtiFast parser plugins finish processing the artifacts, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of LogMeIn artifacts in ArtiFast.
LogMeIn Client Information: This artifact contains information related to the local user.
- Account User ID - A unique identifier for each account. It is expressed as a string of 32 hexadecimal characters.
- Email - The email address used to remotely control the client’s computer.
- Is Save Password - Shows whether the password was saved on the current device using the "remember me" functionality.
- Password Ticket - A password ticket is generated when a user chooses to save their credentials. In other words, it is an authentication ticket bound to the "remember me" functionality.
LogMeIn Last Shared File: This artifact contains information about the last shared file.
- Last Recipient Emailed - The last recipient who was emailed the shared file link.
- Is Copy Sent - Indicates whether a copy of the desktop sharing link has been sent or not.
- Is Email Sent - Indicates whether the shared link was sent via email.
- Sharing Time - Indicates the number of minutes, hours, or days after which the desktop sharing link expires.
LogMeIn Invited Guests: This artifact contains information about the invitation requests sent via the software.
- Invitation ID - A unique identifier for each invite. It is expressed as a string of 16 hexadecimal characters.
- Is Active - Indicates whether the link is active or not.
- Is Answered - Indicates whether the invitation has been accepted or not.
- URL - The link for entering the shared desktop.
- Description - The title sent with the invitation details.
- Created Time - The date and time the share link was created.
- Expires Time - The date and time when the share link expires.
LogMeIn Shared Files: This artifact contains information about the files shared via the software.
- File Name - The name and extension of the shared file.
- File Path - The file's location on the sender's computer.
- Is Download Started - Indicates whether the receiver started the downloading process.
- Is Download Finish - Indicates whether the download is completed.
- Download URL - URL sent to the receiver to download the file.
- File Size - File size in bytes.
- Expiration Time - The date and time when the download link will expire.
- Shared Time - Duration of the sharing process.
- Shared By - The name and username of the device which started the sharing process.
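The following is an added triage example, not part of ArtiFast or of the original article. It assumes the Invited Guests and Shared Files records have been exported as dictionaries keyed by the field names described above, with ISO 8601 timestamps and boolean flags; the record layout and all sample values are constructed.

```python
import re
from datetime import datetime

HEX16 = re.compile(r"[0-9a-fA-F]{16}")  # Invitation ID: 16 hex characters

# Constructed sample records (not real case data); layout is an assumption.
INVITES = [
    {"Invitation ID": "0123456789abcdef", "Is Active": False, "Is Answered": True,
     "Created Time": "2022-03-01T09:00:00", "Expires Time": "2022-03-02T09:00:00"},
    {"Invitation ID": "fedcba9876543210", "Is Active": True, "Is Answered": False,
     "Created Time": "2022-03-03T10:00:00", "Expires Time": "2022-03-03T11:00:00"},
    {"Invitation ID": "not-a-valid-id", "Is Active": False, "Is Answered": False,
     "Created Time": "2022-03-04T10:00:00", "Expires Time": "2022-03-04T11:00:00"},
]
SHARES = [
    {"File Name": "payroll.xlsx", "File Size": 48213,
     "Is Download Started": True, "Is Download Finish": True},
    {"File Name": "backup.zip", "File Size": 7340032,
     "Is Download Started": True, "Is Download Finish": False},
    {"File Name": "readme.txt", "File Size": 120,
     "Is Download Started": False, "Is Download Finish": False},
]

def triage_invites(invites):
    """Return (id, finding, window_hours) for each invitation record."""
    results = []
    for inv in invites:
        iid = inv["Invitation ID"]
        if not HEX16.fullmatch(iid):
            # ID does not match the documented 16-hex format: review manually.
            results.append((iid, "malformed-id", None))
            continue
        created = datetime.fromisoformat(inv["Created Time"])
        expires = datetime.fromisoformat(inv["Expires Time"])
        hours = (expires - created).total_seconds() / 3600
        finding = "accepted" if inv["Is Answered"] else "unanswered"
        results.append((iid, finding, hours))
    return results

def triage_shares(shares):
    """Classify each shared file by how far the transfer got."""
    def status(s):
        if s["Is Download Finish"]:
            return "transferred"
        return "partial" if s["Is Download Started"] else "offered"
    return [(s["File Name"], status(s), s["File Size"]) for s in shares]

if __name__ == "__main__":
    for row in triage_invites(INVITES) + triage_shares(SHARES):
        print(row)
```

Accepted invitations give the window in which a remote party could have had access, and "transferred" files are the ones that actually left the machine; both are starting points for timeline correlation.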
LogMeIn Connection History: This artifact contains information related to connection history.
- Created Date/Time - Date and time when the log was recorded.
- Log Levels - Categorizes the log file entries according to the message's urgency and importance.
- File Type - The name of the log file.
- Device Name - Computer Name and profile name.
- Process Identifier (PID) - Indicates the active process.
- Description - It includes local IP address, remote IP address, server IP address, connection state, and other information.