
I have a situation where TeamViewer was used to remotely log into a computer and delete files. What are some areas where I can find evidence of file deletion and the TeamViewer identity of the intruder?

1 Answer


What to do:

  • Check C:\Program Files\TeamViewer\ and C:\Users\UserName\AppData\Roaming\TeamViewer for the logs

  • Click on the tool kit symbol in the upper right corner, then click on the button Open Logfiles...

  • Create a support ticket on the TW site and send them the log

Relevant files for investigation:

Connections_incoming.txt - stores details of each incoming connection that is established to the client PC. That means the connected TeamViewer ID, the computer name from which the connection was established, time duration, connection type and unique connection ID - which is critical for any investigation.

TeamViewerX_Logfile.log - stores each and every activity of TeamViewer with timestamps, remote system IP, TeamViewer ID and many other things. This log file is the complete history of all incoming and outgoing connections. Practically, it's everything you would need.

You will find file deletion evidence by comparing the deletion timestamp with the TW connection timestamp.

Overmind
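The timestamp comparison described in the answer, as an added example that is not part of the original post: it parses Connections_incoming.txt entries and reports which deletions fall inside a TeamViewer session. The tab-separated field order, the timestamp format, the sample lines and the deletion list are all assumptions constructed for illustration; check them against the real file and bring both timestamp sources to the same time zone first.

```python
from datetime import datetime, timedelta

# Assumed layout (verify against the real file): tab-separated fields
# ID, computer name, start, end, local user, connection type, session ID.
TV_TIME = "%d-%m-%Y %H:%M:%S"

# Constructed sample data, not from a real system.
SAMPLE_LOG = (
    "111222333\tREMOTE-PC\t14-03-2023 09:58:12\t14-03-2023 10:31:40\talice\tRemoteControl\t{AAAA-1}\n"
    "this line is damaged\n"
    "444555666\tHELPDESK-07\t15-03-2023 16:02:00\t15-03-2023 16:05:30\talice\tRemoteControl\t{BBBB-2}\n"
)
SAMPLE_DELETIONS = [  # (timestamp, path), assumed same time zone as the log
    ("2023-03-14 10:12:05", r"C:\Users\alice\Documents\budget.xlsx"),
    ("2023-03-14 22:40:00", r"C:\Users\alice\Documents\notes.txt"),
    ("2023-03-15 16:05:50", r"C:\Users\alice\Desktop\report.docx"),
]

def parse_sessions(text):
    """Return (sessions, rejected); damaged lines are kept for manual review."""
    sessions, rejected = [], []
    for line in text.splitlines():
        fields = line.split("\t")
        try:
            sessions.append({
                "tv_id": fields[0], "host": fields[1],
                "start": datetime.strptime(fields[2], TV_TIME),
                "end": datetime.strptime(fields[3], TV_TIME),
                "type": fields[5], "session_id": fields[6],
            })
        except (IndexError, ValueError):
            if line.strip():
                rejected.append(line)
    return sessions, rejected

def correlate(sessions, deletions, slack_seconds=60):
    """List deletions that occurred during a session, allowing clock slack."""
    slack = timedelta(seconds=slack_seconds)
    hits = []
    for stamp, path in deletions:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        for s in sessions:
            if s["start"] - slack <= when <= s["end"] + slack:
                hits.append((path, s["tv_id"], s["host"], s["session_id"]))
    return hits

if __name__ == "__main__":
    found, bad = parse_sessions(SAMPLE_LOG)
    for hit in correlate(found, SAMPLE_DELETIONS):
        print(hit)
```

The rejected lines are returned rather than dropped so that a damaged or edited log entry is noticed during the investigation.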