Anyone direct me to where I might find TeamViewer artifacts?
I have a matter I am working on where an employee may have accessed the owner of the company's computer. Sadly, the owner has a very liberal policy in re his personal desktop at work.
Thank you in advance.
What are you looking for specifically, and what are you trying to prove?
There is a file which logs all connections. At least in the TeamViewer version I analyzed. I do not remember the name but it was very easy to find (a plain text file).
I don't mean to be a j**k. But in the time it's taken you to post, and wait for responses, you could have easily run an experiment.
My point is, if you have a question on, say, NTFS, that's no big deal. A lot of research has gone into that and there are white papers aplenty. Things such as TeamViewer are more esoteric, and even if someone has all the answers you need, what are the odds that they will read your post?
Beyond that, would you really want to walk into court, or write in your report, that you know about TeamViewer artifacts because some stranger on the internet told you so? At some point in your case, you are going to have to experiment, if nothing else, so you can attest to what you found.
On top of that, if someone did have extensive knowledge about TeamViewer, and if they did find your post, who is to say their knowledge is on the same version? Versions can change things drastically sometimes.
Again, I don't mean to be a j**k, but I believe that Computer Forensics is first and foremost a research profession. I guess my post isn't directed directly at you; too often I see people looking for someone else to give them the answer when they could research and test for themselves.
I could not agree more with the need to conduct research.
I had an investigation in which TeamViewer was a critical component in how the fraud had been committed, and I had to experiment to find out how it worked and what artefacts were created, and it was as a result of these experiments that I could confidently testify as to what I had found.
I did conduct the research; this was but only one avenue in my research. I am attempting to find access times for a possible breach. Yes, I did look for the standard log files, however they were missing.
I did find another log file that was incomplete, however it offered me a bit of a clue as to access. The log file that is a text file was not in the directory as outlined by the literature, and then verified with TeamViewer Technical support. They were very accommodating in my request.
I was looking for someone who might have had experience with the product, not a lecture on how I should have researched a topic. Typically forums such as this are a way to glean information from fellow forensic examiners as to direction, or possibly things to look for. EVERYTHING I do is validated, and by the time I find and report on whatever artifacts I may have found, I am certain my reports and findings are difficult to refute.
However, thank you for your responses. I will refrain from asking point-specific questions on this forum in my course of research.
And to conclude, the log file which is a simple text file was deleted at the point of source. It cannot be deleted remotely during a session due to the fact the program uses it during the session. Therefore, a carve had to be done to find the missing log file.