TeamViewer is a software that allows remote access and control of computers and other devices. It is known for being reliable, fast, easily accessible, and for the use of secure digital communication technology. TeamViewer is mainly used in web conferencing and remote administration, and it is available for desktop (Windows, macOS, and Linux) and mobile devices (Android and iOS).
TeamViewer forensics can provide critical data as it helps in identifying successfully connected incoming and outgoing sessions, their related information, failed connection attempts, IDs, public IPs, and so much more potential evidential data that would aid in finding suspicious activities, that then could lead to possible suspects.
TeamViewer artifacts are stored in the following locations:
TeamViewer saves connection data in log files, the TeamViewer<version>_logfile.log file is intended
for staff members as it is used for analyzing past actions, technical troubleshooting, and bug detection. It
contains information such as outgoing and incoming connections, machine information, denied connections, and
it uses local time from the computer.
Connections_incoming.txt and connections.txt log files are both structured in an easy user-readable format. Connections_incoming.txt log file contains information about all successful incoming connections, such as the auto-generated unique TeamViewer ID, device display name, and uses UTC. Whereas connections.txt log file records all outgoing connections from a machine, and it also uses UTC.
This section discusses how to use ArtiFast Windows to analyze TeamViewer artifacts from Windows
machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select TeamViewer artifacts:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of TeamViewer artifacts in ArtiFast Windows.
TeamViewer Log File Artifact
The artifact extracts Windows TeamViewer log file information.
TeamViewer Incoming Connections Artifact
The artifact extracts Windows TeamViewer incoming connections.
TeamViewer Connections Artifact
The artifact extracts Windows TeamViewer connections.
For more information or suggestions please contact: firstname.lastname@example.org