Investigating Window AnyDesk
17/03/2023 Friday
AnyDesk is a remote desktop app that lets you control another computer from anywhere. It creates a secure connection between two computers via the internet, allowing you to access the remote computer's screen, keyboard, mouse, files, and apps as if you were using it directly. The app uses encryption to secure the connection and has features like password protection. In essence, AnyDesk provides a convenient and secure way to work remotely, collaborate with others, or offer tech support. Minor changes occurred since our last blog on Anydesk which can be reviewed from the following link: https://forensafe.com/blogs/anydesk.html
Digital Forensics Value of AnyDesk
In forensic investigations, the value of AnyDesk lies in information such as Chat sessions, connection traces, and service logs can provide information about the communication and connection history between the remote computer and the local computer. This information can be used to track the activity of a user and determine what actions were taken during a remote session. And Session recordings can provide a visual record of a remote session, which can be useful in reconstructing what happened during the session. The unattended session password can be valuable in accessing the remote computer in an unattended mode, which can be useful for data collection and analysis.
Location of AnyDesk Artifacts
AnyDesk artifacts are found in the following location:
%systempartititon%\%username%\AppData\Roaming\AnyDesk\
%systempartititon%\ProgramData\AnyDesk\
%systempartititon%\%username%\Videos\AnyDesk
Analyzing AnyDesk with ArtiFast
This section will discuss how to use ArtiFast to extract AnyDesk from Windows and what kind of digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select AnyDesk artifacts.
×
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Window AnyDesk artifacts in ArtiFast.
AnyDesk Chat Sessions Artifact
- Client - The client sending the message.
- Remote Client ID - The remote client identifier.
- Message - The message content .
AnyDesk Connections Trace Artifact
- Date - Date/Time connection occurred.
- Remote Client ID - The remote client identifier.
- Alias - The alias of the client .
- Connection Status - How the Access was granted.
- Direction - Connection direction.
AnyDesk Session Recordings Artifact
- Date - Date/Time file was last modified.
- Destination Name - The name of the client connected to.
- Source Name - The name of the client that started the connection.
- Session Type - The type of the session.
- Source ID - The identifier of the client that started the connection.
- Destination ID - The identifier of the client connected to.
- Size - The size of the record.
AnyDesk Services Log Artifact
- Date - Log entry Date/Time.
- PID - The process ID.
- Level - Log severity level.
- Event Summery - Log event summary.
- Thread - The thread that the entry belongs to`.
- Source File - The file that the entry was parsed from.
- Startup ID - An identifier representing startup session.
- Service - Service name.
AnyDesk Thumbnails Artifact
- Date - Thumbnail Last Modified Date/Time.
- Thumbnail Size - The size of the Thumbnail.
- Icon Path - The path of the icon.
- Name - Thumbnail name.
- Icon Size - The size of the icon.
- Icon Last Modified Date/Time - The icon last modified date/time.
- Thumbnail Path - the path of the humbnail.
AnyDesk Unattended Session Password Artifact
- Password Hash - The hash of the password.
- Password Salt - The salt of the password.
AnyDesk User Configurations Artifact
- Show keyboard - Session show keyboard.
- Local Start Path - The local browser start path.
- Print Mode - Print mode.
- Print Auto Execution - Print automatic execution in jobs.
- Favorite Session Client IDs - Favorite Session Client IDs .
- Remote Start Path - The remote browser start path.
For more information or suggestions please contact: [email protected]
