Blog >> Window AnyDesk

Investigating Window AnyDesk

17/03/2023 Friday

AnyDesk is a remote desktop app that lets you control another computer from anywhere. It creates a secure connection between two computers via the internet, allowing you to access the remote computer's screen, keyboard, mouse, files, and apps as if you were using it directly. The app uses encryption to secure the connection and has features like password protection. In essence, AnyDesk provides a convenient and secure way to work remotely, collaborate with others, or offer tech support. Minor changes occurred since our last blog on Anydesk which can be reviewed from the following link: https://forensafe.com/blogs/anydesk.html

Digital Forensics Value of AnyDesk


In forensic investigations, the value of AnyDesk lies in information such as Chat sessions, connection traces, and service logs can provide information about the communication and connection history between the remote computer and the local computer. This information can be used to track the activity of a user and determine what actions were taken during a remote session. And Session recordings can provide a visual record of a remote session, which can be useful in reconstructing what happened during the session. The unattended session password can be valuable in accessing the remote computer in an unattended mode, which can be useful for data collection and analysis.

Location of AnyDesk Artifacts


AnyDesk artifacts are found in the following location:
%systempartititon%\%username%\AppData\Roaming\AnyDesk\
%systempartititon%\ProgramData\AnyDesk\
%systempartititon%\%username%\Videos\AnyDesk

Analyzing AnyDesk with ArtiFast


This section will discuss how to use ArtiFast to extract AnyDesk from Windows and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select AnyDesk artifacts.






Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Window AnyDesk artifacts in ArtiFast.


AnyDesk Chat Sessions Artifact


AnyDesk Connections Trace Artifact


AnyDesk Session Recordings Artifact


AnyDesk Services Log Artifact


AnyDesk Thumbnails Artifact


AnyDesk Unattended Session Password Artifact


AnyDesk User Configurations Artifact




For more information or suggestions please contact: amro.alshadfan@forensafe.com