What is TeamViewer?
TeamViewer is an application that allows the user of one computer to connect to and remotely use another computer over the Internet, as if they were sitting at it.
The software can be downloaded from https://www.teamviewer.com/en/download/windows/ free of charge for personal use, with limitations such as a connection time limit, or it can be purchased, including for business use, with fewer limitations as the cost increases.
The software is also available on a range of platforms including Windows, Windows Mobile, Linux, Mac OS X, Android and Apple iOS.
TeamViewer Forensics
When using TeamViewer, access to the remote computer is gained using that computer's 10 digit ID number and its password; both must be known before the computer can be used.
However, TeamViewer and other remote access software of this kind give a user complete control of a computer from any location via the Internet, which creates various circumstances in which that capability can be misused and private or financial information obtained.
Through the use of digital forensic techniques it is often possible to identify what activity occurred during any remote connection sessions, including any files that were transferred, as well as the IP address and other details that may help identify the connecting computer.
TeamViewer Forensics – Data Investigation
When conducting a forensic investigation into a computer where TeamViewer is involved, note that data is stored on both computers: the computer being accessed and the computer conducting the access.
By default the TeamViewer application is installed in the Program Files\TeamViewer directory, and its activity logs are also recorded within that path.
The file named Connections_Incoming.txt maintains a record of all incoming remote connections, with each entry stored in the following format:
- TeamViewer ID
- Name of Connecting Computer
- Time/Date of Start of the Activity
- Time/Date of the End of the Activity
- Profile of the Target Computer
- Type of Connection
- Connection ID
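An added example (not from this page's author or from TeamViewer) that parses a Connections_Incoming.txt file in the field order listed above and lets an examiner pull out every session from one remote ID or the session active at a given moment. The tab separator, the dd-mm-yyyy HH:MM:SS timestamp format and the sample content are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample, seven tab-separated fields per line in the order the text lists.
# Assumptions not stated on the page: the tab separator and the dd-mm-yyyy HH:MM:SS
# timestamp format (adjust TIME_FORMAT if your file differs). The time zone of the
# stamps is also not stated here; verify it against the machine's own configuration.
SAMPLE_CONNECTIONS_INCOMING = (
    "1234567891\tJohn Doe\t29-05-2019 18:39:31\t29-05-2019 18:52:07\tdesktop-user\tRemoteControl\t{CONNECTION-ID-1}\n"
    "1234567891\tJohn Doe\t30-05-2019 09:02:15\t30-05-2019 09:04:40\tdesktop-user\tFileTransfer\t{CONNECTION-ID-2}\n"
    "5555555555\tOther-PC\t01-06-2019 22:10:00\t01-06-2019 22:11:30\tdesktop-user\tRemoteControl\t{CONNECTION-ID-3}\n"
    "fragment with too few fields\n"
)
TIME_FORMAT = "%d-%m-%Y %H:%M:%S"


@dataclass
class IncomingConnection:
    teamviewer_id: str      # ID of the connecting party
    remote_name: str        # name of the connecting computer / user
    start: datetime
    end: datetime
    local_profile: str      # profile on the target computer that was accessed
    connection_type: str    # e.g. RemoteControl, FileTransfer
    connection_id: str

    @property
    def duration_seconds(self) -> int:
        return int((self.end - self.start).total_seconds())


def parse_connections_incoming(text: str) -> List[IncomingConnection]:
    """Parse Connections_Incoming.txt; lines without seven well-formed fields are skipped."""
    records: List[IncomingConnection] = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 7:
            continue  # truncated or carved fragment, not a complete entry
        try:
            start = datetime.strptime(parts[2], TIME_FORMAT)
            end = datetime.strptime(parts[3], TIME_FORMAT)
        except ValueError:
            continue  # unparseable timestamps, treat as a damaged entry
        records.append(IncomingConnection(parts[0], parts[1], start, end,
                                          parts[4], parts[5], parts[6]))
    return records


def connections_from(records: List[IncomingConnection], teamviewer_id: str) -> List[IncomingConnection]:
    """All sessions from one remote ID, e.g. the ID seen after 'client hello received from' in the log."""
    return [r for r in records if r.teamviewer_id == teamviewer_id]


def connections_overlapping(records: List[IncomingConnection], moment: str) -> List[IncomingConnection]:
    """Sessions active at a moment (same timestamp format), to tie a file change to a remote session."""
    when = datetime.strptime(moment, TIME_FORMAT)
    return [r for r in records if r.start <= when <= r.end]
```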
Once a specific connection has been identified within the Connections_Incoming.txt file, further details of the actions and activities undertaken can be established by examining the TeamViewer log files, which are also located within the default program installation folder.
The information within the log files includes the version of TeamViewer used, the operating system and the IP address of the connecting computer.
When attempting to identify evidence of remote access, either within a TeamViewer log file or within the deleted areas of a drive, searches for the following terms may assist:
CreatePassiveSession
Negotiating session encryption
incoming remote control in sessions
CommandHandlerRouting
The following text is the content of a TeamViewer 13 log file from a target computer that had been accessed remotely by another computer.
2019/05/29 18:39:29.702 3884 4860 S0 Activating Router carrier
2019/05/29 18:39:29.702 3884 4860 S0 CommandHandlerRouting[32]::CreatePassiveSession(): incoming session via GB-LON-IBM-R010.teamviewer.com, protocol Tcp
2019/05/29 18:39:29.818 3884 4860 S0 Negotiating session encryption: client hello received from 1234567891, RSA key length = 2048
2019/05/29 18:39:29.818 3884 4860 S0 Negotiating session encryption: client hello received from 1234567891, RSA key length = 2048
2019/05/29 18:39:29.833 3884 4856 S0 Negotiating session encryption: server hello sent
2019/05/29 18:39:29.849 3884 4848 S0 CToken::GetSystemToken() set session 1
2019/05/29 18:39:29.865 3884 4848 S0 ProcessControlBase[4]: Start Desktop process in session 1, pid 12160
2019/05/29 18:39:29.871 3884 4848 S0! GUIProcessControl::VerifyGuiRunningInSessionInternal: incoming connection for session 1. User desktop-[user name] is logged in, but no GUI running. Retry count: 0.
2019/05/29 18:39:30.003 3884 4848 S0 ConnectionGuard: incoming remote control in sessions: 1(1)
2019/05/29 18:39:30.003 4396 7848 G1 Connection incoming, sessionID = 123456789
2019/05/29 18:39:30.075 3884 4860 S0 CAcceptServer::HandleAccept: new connection from 121.1.1.1:12345
2019/05/29 18:39:30.079 4396 7848 G1 Received Control_InitIPC processtype=4
2019/05/29 18:39:30.088 3884 4856 S0 ProcessControlBase[4]::ProcessConnected: Process pid 12160 in session 1 connected
2019/05/29 18:39:29.871 12160 5064 D1 Logger started.
2019/05/29 18:39:29.987 12160 5064 D1 TeamViewerDesktop started, PID=12160
2019/05/29 18:39:29.987 12160 5064 D1 Monitors: Generic PnP Monitor, \\.\DISPLAY1, 1920x1080 (0,0), flags=3, dpi=96
2019/05/29 18:39:29.987 12160 12744 D1 WindowsDesktopSpecificThread::Init(default): ChangeThreadDesktop(): SetThreadDesktop to default successful
2019/05/29 18:39:29.987 12160 8408 D1 WindowsDesktopSpecificThread::Init(winlogon): ChangeThreadDesktop(): SetThreadDesktop to winlogon successful
2019/05/29 18:39:30.003 12160 5064 D1 MachineHooks: Initialized Shm
2019/05/29 18:39:30.003 12160 5064 D1 MachineHooks: refcount = 2
2019/05/29 18:39:30.003 12160 5064 D1 MachineHooks: x64 Machine detected
2019/05/29 18:39:30.003 12160 5064 D1 RemoveLoginScreenWallpaper: inputDesktopName=Default
2019/05/29 18:39:30.067 12160 5064 D1 Default keyboard layout: 08090409
2019/05/29 18:39:30.067 12160 5064 D1 tvdesktop::BlackScreen::BlackScreen - state BSCR_OFF; m_showInstallMonitorDialog 1
2019/05/29 18:39:30.067 12160 5064 D1 tvdesktop::BlackScreen::BlackScrState - moving from BSCR_OFF --> BSCR_OFF
2019/05/29 18:39:30.067 12160 5064 D1 tvdesktop::BlackScreen::RegisterChangeEvent
2019/05/29 18:39:30.067 12160 5064 D1 InterProcessBase::StartTcpCommunicationInternal(): setting m_NetworkConnector to new TCP connector
2019/05/29 18:39:30.074 12160 5064 D1 Opening local TCP connection to 121.1.1.1:1234
2019/05/29 18:39:30.074 12160 2228 D1 Local TCP connection established
2019/05/29 18:39:30.082 12160 11928 D1 SettingsIPCReception receive a SYNCHRONISE Settings command : UserSettings
2019/05/29 18:39:30.084 12160 11928 D1 Received Control_InitIPC_Response processtype=1
2019/05/29 18:39:30.084 12160 11928 D1 Received Control_InitIPC_Response runningProcesses=7
2019/05/29 18:39:30.087 12160 2228 D1 Received Control_InitIPC_Response processtype=2
2019/05/29 18:39:30.087 12160 2228 D1 Control_InitIPC_Response: all processes 7 completely initialized
2019/05/29 18:39:30.121 12160 5064 D1 InterProcessBase::SecureNetwork created
2019/05/29 18:39:30.122 12160 5064 D1 tvshared::WindowsSessionStateManager::SetUserLoggedIn(05EF0818): changed to: 1
2019/05/29 18:39:30.127 12160 3972 D1 tvshared::WindowsSessionStateManager::SetUserLoggedIn(05EF0818): changed to: 1
2019/05/29 18:39:30.127 12160 2228 D1!! InterProcessBase::ProcessControlCommand Command 40 not handled
2019/05/29 18:39:30.127 12160 14136 D1 Connection incoming, sessionID = 123456789
2019/05/29 18:39:30.127 12160 6948 D1 LoginDesktopWindowImpl::GuiThreadFunction(): ChangeThreadDesktop(): SetThreadDesktop to winlogon successful
2019/05/29 18:39:30.127 12160 14136 D1 tvshared::WindowsSessionStateManager::SetUserLoggedIn(05EF0818): changed to: 1
2019/05/29 18:39:30.127 12160 14136 D1 tvshared::WindowsSessionStateManager::SetSessionLocked: 05EF0818 : Unlocked
2019/05/29 18:39:30.127 12160 13208 D1 CLogin::run()
2019/05/29 18:39:30.127 12160 14136 D1 IpcRouterClock: received router time: 20190529T143929.607821
2019/05/29 18:39:30.127 12160 13208 D1 CLogin::NegotiateVersionServer()
2019/05/29 18:39:30.127 3884 4852 S0 LegacyDataCmdSender[32]::SendAllData(): encryption not ready!
2019/05/29 18:39:30.142 3884 4856 S0 Negotiating session encryption: client handshake received
2019/05/29 18:39:30.142 3884 4856 S0 Negotiating session encryption: client handshake received
2019/05/29 18:39:30.148 3884 4860 S0 Negotiating session encryption: server handshake sent, encryption established with AES key length 256
2019/05/29 18:39:30.819 12160 13208 D1 CLoginServer::CheckIfConnectionIsAllowed()
2019/05/29 18:39:30.820 12160 13208 D1 LoginServer::runServer: using condition set: {}
2019/05/29 18:39:30.821 12160 13208 D1 CLoginServer::AuthenticateServer()
2019/05/29 18:39:31.064 12160 13208 D1!! CAuthenticationSRP_Passive, Step_Receive_VerifyClientSecret: clientSecret!=serverSecret
2019/05/29 18:39:31.064 12160 13208 D1 AuthenticationPasswordLogin_Passive::RunAuthenticationMethod: authentication using dynamic password was denied
2019/05/29 18:39:31.213 12160 13208 D1 AuthenticationPasswordLogin_Passive::RunAuthenticationMethod: authentication using fixed password was successful
2019/05/29 18:39:31.270 3884 4864 S0 UDP: ProcessHandshake: (*)
2019/05/29 18:39:31.271 3884 4864 S0 Initializing transmission control v2
2019/05/29 18:39:31.272 3884 4844 S0 UDP: ProcessHandshake: (*)
2019/05/29 18:39:31.272 3884 4844 S0 Initializing transmission control v2
2019/05/29 18:39:31.275 3884 4844 S0 UDP: no transition from state AllOk on event struct tvnetwork::FirstHandshakeHandled: (*)
2019/05/29 18:39:31.275 3884 4844 S0 UDP: no transition from state HandlingPingsAndFlows on event struct tvnetwork::FirstHandshakeHandled: (*)
2019/05/29 18:39:31.275 3884 4844 S0 UDP: no transition from state WaitForUdpRequest on event struct tvnetwork::FirstHandshakeHandled: (*)
2019/05/29 18:39:31.276 12160 13208 D1 CLoginServer::runServer: ConnectionMode == 1
2019/05/29 18:39:31.276 12160 13208 D1 SessionManagerDesktop::ChangeToServermode: creating session with TVSessionID = 123456789
2019/05/29 18:39:31.277 12160 13208 D1 Default keyboard layout: 08090409
2019/05/29 18:39:31.279 12160 13208 D1 WorkstationLockerWin::ShouldAutoLockWorkstation: Autolock: no, Local user logged-in: 1, window session locked: 0, secure screen saver running: no disabled by policy: 0
2019/05/29 18:39:31.279 12160 13208 D1 WorkstationLocker::SetInitialSessionLockState() TVSessionID: 123456789 auto lock: 0
2019/05/29 18:39:31.279 12160 13208 D1 WindowObserver::SessionStart: -1; type: 1
2019/05/29 18:39:31.279 3884 4844 S0 PseudoRoutableCmdHandler[32]::StartPseudoRouter(): PseudoRouter has been started
2019/05/29 18:39:31.279 3884 4844 S0 CPersistentParticipantManager::AddParticipant: [12345678910,123456789] type=3 name=DESKTOP
2019/05/29 18:39:31.280 3884 4852 S0 CPersistentParticipantManager::AddParticipant: [1234567891,811586809] type=6 name=John Doe
2019/05/29 18:39:31.280 3884 4844 S0 CPersistentParticipantManager::AddParticipant: [12345678910,123456789] type=3 name=DESKTOP
2019/05/29 18:39:31.280 12160 7556 D1 DesktopThread started, number of Cores: 6
2019/05/29 18:39:31.280 12160 13208 D1 SessionManagerDesktop::ReportSession(): report incoming session -> isManagedDevice: 0; reportIncomingSession setting: 0
2019/05/29 18:39:31.280 12160 13208 D1 CLogin::run() leave
2019/05/29 18:39:31.280 12160 13208 D1 tvhelper::CThread::weakJoin - thread {Not-any-thread} has succesfully detached itself
2019/05/29 18:39:31.281 3884 4852 S0 ReadStreamParameters(): streamID=1 type=5 (StreamType_Chat), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:31.282 3884 4852 S0 ReadStreamParameters(): streamID=2 type=7 (StreamType_VPN), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:31.291 4396 7832 G1 VoIP: using pipeline factory async = 1
2019/05/29 18:39:31.291 4396 7832 G1 VoIP: VoIPCentral: CreateComponentsAndStartThreads start
2019/05/29 18:39:31.291 4396 7832 G1 VoIP: using pipeline factory async = 1
2019/05/29 18:39:31.292 4396 7832 G1 VoIP: Receiver: Audio pipeline: Building pipeline finished
2019/05/29 18:39:31.292 4396 7832 G1 VoIP: Receiver: Audio pipeline: VoiceReceiverAudioPipeline RegisterPlaybackDataObserver
2019/05/29 18:39:31.292 4396 7832 G1 VoIP: using pipeline factory async = 1
2019/05/29 18:39:31.292 4396 5620 G1 VoiceSenderAudioPipeline: Building pipeline started
2019/05/29 18:39:31.292 4396 7832 G1 VoIP: VoIPCentral: CreateComponentsAndStartThreads end
2019/05/29 18:39:31.292 4396 13940 G1 VoIP: Receiver: Audio pipeline: StartTicking called
2019/05/29 18:39:31.292 4396 13940 G1 VoIP: Receiver: ****** Playback status changed to VoiceReceiverPlaybackUnavailable ******
2019/05/29 18:39:31.292 4396 2312 G1 RebuildingAutoVoiceCapturerWorkingClass: Data streaming activity changed to 0
2019/05/29 18:39:31.292 4396 2312 G1 VoiceSenderAudioPipeline: RebuildingAutoVoiceCapturer: Tick streaming activity changed to 0
2019/05/29 18:39:31.293 4396 5620 G1 VoiceSenderAudioPipeline: Building pipeline finished
2019/05/29 18:39:31.293 4396 5620 G1 CAudCodecSpeex:: fpp is 4
2019/05/29 18:39:31.294 4396 5620 G1 VoIP: Sender: Initialized
2019/05/29 18:39:31.294 4396 2312 G1 VoIP: Sender: Audio pipeline: StartTicking called
2019/05/29 18:39:31.294 4396 5620 G1!! VoIP: Sender: Audio pipeline: RebuildingAutoVoiceCapturer: VoIPAudioControlAdapterCapturing not set!
2019/05/29 18:39:31.294 4396 7832 G1 RA: Creating audio server
2019/05/29 18:39:31.294 4396 7832 G1 RA: quality suggestion by capacity measurement: (350)
2019/05/29 18:39:31.294 4396 7832 G1 RA: Audio quality set to 120000
2019/05/29 18:39:31.296 4396 7200 G1 VoIP: Receiver: Added session 123456789. Meeting id is -. Our participant id is "1 123 456 789" [12345678910,123456789].
2019/05/29 18:39:31.301 4396 14092 G1 VoIP: AudioControl: Available Rendering endpoints: "Soundcard Speakers/Headphones (Realtek(R) Audio)", "Standard playback device", "Default Communication Device",
2019/05/29 18:39:31.301 4396 14092 G1 VoIP: AudioControl: Endpoint: "Speakers/Headphones" "Realtek(R) Audio" (HDAUDIO\FUNC_01&VEN_10EC&DEV_0867&SUBSYS_1028086B&REV_1000), cat={DFF21CE1-F70F-11D0-B917-00A0C9223196}, echocat=1
2019/05/29 18:39:31.318 3884 4860 S0 ReadStreamParameters(): streamID=3 type=5 (StreamType_Chat), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:31.343 3884 4860 S0 ReadStreamParameters(): streamID=4 type=7 (StreamType_VPN), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:31.344 3884 4860 S0 CParticipantManagerBase::CheckAndSubscribeNewStream(): Subscribe stream now streamID=4 type=7 required=1 supported=1
2019/05/29 18:39:31.344 4396 6560 G1 CServerSessionRecorder::AutoStart: AutoStart recording function called and not activated (auto recording of incoming RemoteControl not activated)
2019/05/29 18:39:31.345 3884 4856 S0 CParticipantManagerBase participant DESKTOP (ID [12345678910,123456789]) was added with the role 3
2019/05/29 18:39:31.348 3884 4864 S0 CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2,0,0,2,0,0]
2019/05/29 18:39:31.348 3884 4864 S0 CParticipantManagerBase participant John Doe (ID [1234567891,811586809]) was added with the role 6
2019/05/29 18:39:31.351 12160 11928 D1 CParticipantManagerBase participant DESKTOP (ID [12345678910,123456789]) was added with the role 3
2019/05/29 18:39:31.352 12160 11928 D1 New Participant added in CParticipantManager DESKTOP ([12345678910,123456789])
2019/05/29 18:39:31.352 12160 9416 D1 CParticipantManagerBase participant John Doe (ID [1234567891,811586809]) was added with the role 6
2019/05/29 18:39:31.352 12160 9416 D1 New Participant added in CParticipantManager John Doe ([1234567891,811586809])
2019/05/29 18:39:31.352 4396 7836 G1 CParticipantManagerBase participant DESKTOP (ID [12345678910,123456789]) was added with the role 3
2019/05/29 18:39:31.352 4396 7836 G1 New Participant added in CParticipantManager DESKTOP ([12345678910,123456789])
2019/05/29 18:39:31.352 4396 7836 G1 SessionFeatureVoip::HandleEvent: AllowedToSpeak's new state = 0
2019/05/29 18:39:31.352 4396 7836 G1 SessionStateVoip::SetMicrophoneState: Mic's new state = 2 / old state = 0
2019/05/29 18:39:31.352 4396 7832 G1 CParticipantManagerBase participant John Doe (ID [1234567891,811586809]) was added with the role 6
2019/05/29 18:39:31.352 4396 7832 G1 New Participant added in CParticipantManager Michael Ryan ([1234567891,811586809])
2019/05/29 18:39:31.352 3884 4860 S0 CPersistentParticipantManager::SendPMSynchronizationComplete 0331B350
2019/05/29 18:39:31.353 4396 7200 G1 VoIP: Receiver: Participant channel "John Doe (1 295 337 124)" [1234567891,811586809]: VoIPBCommandReceiver: Created for session 123456789
2019/05/29 18:39:31.353 4396 7200 G1 VoIP: Receiver: Session 123456789: Channel created for participant [1234567891,811586809] called "John Doe (1 295 337 124)" [1234567891,811586809]
2019/05/29 18:39:31.353 4396 7832 G1 SessionFeatureVoip::HandleEvent: AllowedToSpeak's new state = 1
2019/05/29 18:39:31.354 12160 12808 D1 SendInfo() executed.
2019/05/29 18:39:31.354 3884 4864 S0 ReadStreamParameters(): streamID=5 type=1 (StreamType_Misc), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:31.355 12160 9416 D1 SendInfo() executed.
2019/05/29 18:39:31.356 4396 7844 G1 PrintingDatabaseNotificationHandler::Init: successfully created event Global\tvprint_5d1a0189174747c888f225282aaa59e3
2019/05/29 18:39:31.356 4396 7844 G1 CParticipantManagerBase::CheckAndSubscribeNewStream(): Subscribe stream now streamID=3 type=5 required=1 supported=1
2019/05/29 18:39:31.356 4396 5620 G1 VoIP: Sender: Added session 123456789. Meeting id is John Doe (1 295 337 124). Our participant id is "DESKTOP (1 102 321 141)" [12345678910,123456789].
2019/05/29 18:39:31.357 4396 5620 G1 VoIP: Sender: Session 123456789: VoIP streams: Participant added: "John Doe (1 295 337 124)" [1234567891,811586809]
2019/05/29 18:39:31.357 3884 4860 S0 ReadStreamParameters(): streamID=6 type=26 (StreamType_VoIP_Data), source=[12345678910,123456789], features=1, compression=1
2019/05/29 18:39:31.357 4396 5620 G1 VoIP: Sender: Session 123456789 initialized.
2019/05/29 18:39:31.357 3884 4852 S0 ReadStreamParameters(): streamID=7 type=25 (StreamType_VoIP_Control), source=[1102321141,123456789], features=1, compression=1
2019/05/29 18:39:31.357 4396 7836 G1 VoIP: Sender: Session 123456789: VoIP streams: We registered VoIPV3 data stream 6
2019/05/29 18:39:31.357 4396 7836 G1 VoIP: Sender: Session 123456789: VoIP streams: We registered VoIPV3 control stream 7
2019/05/29 18:39:31.357 4396 7836 G1 VoIP: Sender: Session 948344754: VoIP streams: We registered all streams of VoIPV3 channel
2019/05/29 18:39:31.365 3884 4860 S0 UDP: sending pings...: (*)
2019/05/29 18:39:31.384 3884 4844 S0 UDP: UHP.PING response received: (*)
2019/05/29 18:39:31.386 3884 4860 S0 CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2,0,0,2,0,0]
2019/05/29 18:39:31.387 12160 14136 D1 CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2,0,0,2,0,0]
2019/05/29 18:39:31.387 4396 7844 G1 CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2,0,0,2,0,0]
2019/05/29 18:39:31.388 3884 4848 S0 UDP: UHP.PING response received: (*)
2019/05/29 18:39:31.397 3884 4844 S0 UDP: UHP.PING response received: (*)
2019/05/29 18:39:31.397 3884 4844 S0 UDP: punching: (*)
2019/05/29 18:39:31.397 3884 4844 S0 UDP: PingOK.PunchInit: (*)
2019/05/29 18:39:31.410 3884 4860 S0 UDP: UHP.PING response received: (*)
2019/05/29 18:39:31.438 3884 4856 S0 UDP: SendUDPPunches: (*)
2019/05/29 18:39:31.477 3884 4860 S0 UDP: punch received a=185.8.112.71:46630: (*)
2019/05/29 18:39:31.478 3884 4860 S0 UDP: send UDPFLOW_PUNCHRECEIVED: (*)
2019/05/29 18:39:31.478 3884 4860 S0 UDP: SendUDPPunches: (*)
2019/05/29 18:39:31.478 3884 4860 S0 UDP: received punch: (*)
2019/05/29 18:39:31.509 3884 4844 S0 UDP: send UDPFLOW_UDPSENDPOSSIBLE: (*)
2019/05/29 18:39:31.512 3884 4852 S0 UDP: send UDPFLOW_UDPSENDPOSSIBLE: (*)
2019/05/29 18:39:31.514 3884 4856 S0 UDP: send UDPFLOW_MTUTESTRECEIVED (size = 448): (*)
2019/05/29 18:39:31.514 3884 4844 S0 UDP: send UDPFLOW_MTUTESTRECEIVED (size = 1008): (*)
2019/05/29 18:39:31.549 3884 4844 S0 UDP: send UDPFLOW_UDPSENDPOSSIBLE: (*)
2019/05/29 18:39:31.550 3884 4844 S0 UDP: send UDPFLOW_UDPSENDPOSSIBLE: (*)
2019/05/29 18:39:31.553 3884 4844 S0 UDP: UDP prepare switch received: (*)
2019/05/29 18:39:31.553 3884 4844 S0 UDP: create udp connection was successful: (*)
2019/05/29 18:39:31.560 3884 4860 S0 CarrierContainer.SendCarrierSwitch: state=1, carrier=2
2019/05/29 18:39:34.845 3884 4844 S0 ReadStreamParameters(): streamID=8 type=1 (StreamType_Misc), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:34.846 3884 4848 S0 ReadStreamParameters(): streamID=9 type=26 (StreamType_VoIP_Data), source=[1234567891,811586809], features=1, compression=1
2019/05/29 18:39:34.846 3884 4852 S0 CarrierContainer.ProcessCarrierSwitch: state=2, carrier=2
2019/05/29 18:39:34.847 3884 4852 S0 Activating UDP carrier ...
2019/05/29 18:39:34.847 3884 4848 S0 ReadStreamParameters(): streamID=10 type=25 (StreamType_VoIP_Control), source=[1234567891,811586809], features=1, compression=1
2019/05/29 18:39:34.847 3884 4848 S0 ReadStreamParameters(): streamID=11 type=1 (StreamType_Misc, private), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:34.848 4396 7200 G1 VoIP: Receiver: Participant channel "John Doe (1 295 337 124)" [1234567891,811586809]: VoIPBCommandReceiver: Partner registered VoIPV3 audio stream 9
2019/05/29 18:39:34.848 4396 7200 G1 CParticipantManagerBase::CheckAndSubscribeNewStream(): Subscribe stream now streamID=9 type=26 required=1 supported=1
2019/05/29 18:39:34.848 4396 7200 G1 VoIP: Receiver: Participant channel "John Doe (1 295 337 124)" [1234567891,811586809]: VoIPBCommandReceiver: We subscribed VoIPV3 audio stream 9
2019/05/29 18:39:34.848 3884 4848 S0 ReadStreamParameters(): streamID=12 type=24 (StreamType_Clipboard, private), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:34.848 4396 13940 G1 VoIP: Receiver: Participant channel "John Doe (1 295 337 124)" [1234567891,811586809]: VoIPBCommandReceiver: Partner registered VoIPV3 control stream 10
2019/05/29 18:39:34.848 4396 13940 G1 CParticipantManagerBase::CheckAndSubscribeNewStream(): Subscribe stream now streamID=10 type=25 required=1 supported=1
2019/05/29 18:39:34.848 4396 13940 G1 VoIP: Receiver: Participant channel "John Doe (1 295 337 124)" [1234567891,811586809]: VoIPBCommandReceiver: We subscribed VoIPV3 control stream 10 (waiting for init command)
2019/05/29 18:39:34.849 3884 4848 S0 ReadStreamParameters(): streamID=13 type=9 (StreamType_DragDrop, private), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:34.849 4396 7844 G1 VoIP: Sender: Session 123456789: VoIP streams: Partner "John Doe (1 295 337 124)" [1234567891,811586809] subscribed VoIPV3 control stream. We have to send an init command.
2020/02/19 14:39:34.849 3884 4848 S0 ReadStreamParameters(): streamID=14 type=3 (StreamType_Audio), source=[1234567891,811586809], features=1, compression=1
2019/05/29 18:39:34.849 4396 7844 G1 VoIP: Sender: Session 123456789: VoIP streams: Partners changed subscriptions and so the receiving usage of the VoIPV3 channel changed to 1
2019/05/29 18:39:34.850 4396 2312 G1 VoIP: Sender: Session-format channel (123456789, V3): Init VoIP channel
2019/05/29 18:39:34.850 4396 2312 G1 VoIP: Sender: Session-format channel (948344754, V3): VoIPV3BCommandSender: We sent init command on stream 7
2019/05/29 18:39:34.850 4396 5620 G1 VoIP: Sender: Session-format channel (123456789, V3): Receiving usage by partners changed to 1
2019/05/29 18:39:34.891 4396 7832 G1!! DataTransceiver: DataTransceiver => DataTransceiverFileBox::HandleEvent: routerInstance is null
2019/05/29 18:39:34.891 4396 7832 G1 CServerSessionRecorder::AutoStart: AutoStart recording function called and not activated (auto recording of incoming RemoteControl not activated)
2019/05/29 18:39:34.893 4396 7832 G1 CServerThreadInfo unknown commandtype=95
2019/05/29 18:39:34.900 12160 14136 D1 InfoCommandHandlerDesktop::ReceivedInfo: connected to 1234567891, client version is 15.2.2756 , OS=19
2019/05/29 18:39:34.900 4396 7836 G1 ServerThreadInfo connected to 1234567891, client version is 15.2.2756 , OS=19
2019/05/29 18:39:34.900 12160 14136 D1 DisplayQuality m=0, bpp=32, q=80, echo=-1, conRating=2, cpu=16848, capacity=96883, RTT=3167485, reliability=1, disable animation=1 remove wallpaper=1
2019/05/29 18:39:34.900 3884 4860 S0 ReadStreamParameters(): streamID=15 type=1 (StreamType_Misc, private), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:34.901 3884 4852 S0 ReadStreamParameters(): streamID=16 type=2 (StreamType_Screen), source=[12345678910,123456789], features=127, compression=3
2019/05/29 18:39:34.901 3884 4852 S0 ReadStreamParameters(): streamID=17 type=10 (StreamType_ScreenVideo), source=[12345678910,123456789], features=127, compression=1
2019/05/29 18:39:34.901 3884 4852 S0 ReadStreamParameters(): streamID=18 type=24 (StreamType_Clipboard, private), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:34.901 4396 7844 G1 CServerThreadInfo::Received_AccessControlSettings: RCAccessControl: RemoteControl='Allowed', FileTransfer='Allowed', ControlRemoteTV='Allowed', SwitchSides='Allowed', AllowDisableRemoteInput='Allowed', AllowVPN='Allowed', AllowPartnerViewDesktop='Allowed', ShareMyFiles='Allowed', ShareFilesWithMe='Allowed', PrintOnMyPrinters='Allowed', PrintOnRemotePrinters='Allowed', SessionRecording='Allowed'
2019/05/29 18:39:34.901 3884 4852 S0 ReadStreamParameters(): streamID=19 type=9 (StreamType_DragDrop, private), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:34.901 4396 7844 G1 ServerThreadInfo connected to 1234567891, client version is 15.2.2756 , OS=19
2019/05/29 18:39:34.901 4396 7844 G1 CServerThreadInfo::Received_AccessControlSettings: RCAccessControl: RemoteControl='Allowed', FileTransfer='Allowed', ControlRemoteTV='Allowed', SwitchSides='Allowed', AllowDisableRemoteInput='Allowed', AllowVPN='Allowed', AllowPartnerViewDesktop='Allowed', ShareMyFiles='Allowed', ShareFilesWithMe='Allowed', PrintOnMyPrinters='Allowed', PrintOnRemotePrinters='Allowed', SessionRecording='Allowed'
2019/05/29 18:39:34.902 4396 7832 G1 MachineHooks: Start DragInterceptor
2019/05/29 18:39:34.903 8028 8032 H32 tv_w32.exe: DragInterceptor: Starting Up
2019/05/29 18:39:34.903 8028 8032 H32 tv_w32.exe: DragInterceptor: started
2019/05/29 18:39:34.903 8036 8040 H64 tv_x64.exe: DragInterceptor: Starting Up
2019/05/29 18:39:34.903 8036 8040 H64 tv_x64.exe: DragInterceptor: started
2019/05/29 18:39:34.906 8036 8040 H64 tv_x64.exe: Starting Update Hook
2019/05/29 18:39:34.906 8028 8032 H32 tv_w32.exe: Starting Update Hook
2019/05/29 18:39:34.909 12160 1672 D1 runLLHook(): ChangeThreadDesktop(): SetThreadDesktop to default successful
2019/05/29 18:39:34.966 12160 12808 D1 GuiWindowCheckBase::CheckForValidGUIWindows() ok
2019/05/29 18:39:35.007 12160 7556 D1 CGrabMethodDuplication::Initialize() m_State=1
2019/05/29 18:39:35.009 12160 7556 D1 first fullscreen grab time in ms = 1
2019/05/29 18:39:35.013 12160 7556 D1! Desktop: Grabbed screen is black.
2019/05/29 18:39:35.015 12160 2228 D1 Desktop grab succeeded.
2019/05/29 18:39:35.035 12160 9416 D1 ConnectionAccessControl => RCAccessControl: RemoteControl='Allowed', FileTransfer='Allowed', ControlRemoteTV='Allowed', SwitchSides='Allowed', AllowDisableRemoteInput='Allowed', AllowVPN='Allowed', AllowPartnerViewDesktop='Allowed', ShareMyFiles='Allowed', ShareFilesWithMe='Allowed', PrintOnMyPrinters='Allowed', PrintOnRemotePrinters='Allowed', SessionRecording='Allowed'
2019/05/29 18:39:35.035 12160 9416 D1 InfoCommandHandlerDesktop::ReceivedInfo: connected to 1234567891, client version is 15.2.2756 , OS=19
2019/05/29 18:39:35.035 12160 9416 D1 DisplayQuality m=0, bpp=8, q=60, echo=-1, conRating=0, cpu=16848, capacity=0, RTT=0, reliability=2, disable animation=1 remove wallpaper=1
2019/05/29 18:39:35.074 12160 9416 D1 ConnectionAccessControl => RCAccessControl: RemoteControl='Allowed', FileTransfer='Allowed', ControlRemoteTV='Allowed', SwitchSides='Allowed', AllowDisableRemoteInput='Allowed', AllowVPN='Allowed', AllowPartnerViewDesktop='Allowed', ShareMyFiles='Allowed', ShareFilesWithMe='Allowed', PrintOnMyPrinters='Allowed', PrintOnRemotePrinters='Allowed', SessionRecording='Allowed'
2019/05/29 18:39:35.074 12160 9416 D1 StreamControlDesktop::StreamRegistered: Registered Clipboard Stream (00000012)
2019/05/29 18:39:35.074 12160 9416 D1 StreamControlDesktop::StreamRegistered: Registered Drag&Drop Stream (00000013)
2019/05/29 18:39:35.074 12160 9416 D1 tvdesktop::MachineControlDesktop::Received_AutoLockOnSessionEnd - received lockWSAfterSessionEnd = false, cp = 05F36320, this = 03427FAC
2019/05/29 18:39:35.074 12160 9416 D1 WorkstationLocker::SetAutoLockOnSessionEnd() TVSessionID: 123456789 lock: 0 can lock: 1
2019/05/29 18:39:35.074 12160 9416 D1 tvdesktop::MachineControlDesktop::Received_AutoLockOnSessionEnd - received lockWSAfterSessionEnd = false, cp = 05F36320, this = 03427FAC
2019/05/29 18:39:35.074 12160 9416 D1 WorkstationLocker::SetAutoLockOnSessionEnd() TVSessionID: 123456789 lock: 0 can lock: 1
2019/05/29 18:39:35.076 12160 7556 D1 Desktop: Grabbed screen is ok.
2019/05/29 18:39:35.078 12160 12416 D1 Desktopencoding: Tiles, buffer depth=32bpp, transmitted color depth=4bpc, features=127
2019/05/29 18:39:35.085 12160 12416 D1 Tile caching activated
2019/05/29 18:39:35.089 12160 12416 D1 CScreenStreamSender::SendDisplayParams() 1920x1080x8 on 16 to 3
2019/05/29 18:39:35.090 3884 4852 S0 StreamCompressor[32]: change compression to 3 for stream 16
2019/05/29 18:39:35.090 4396 6560 G1 Display buffers allocated: width = 1920, height = 1080, bpp = 8
2019/05/29 18:39:35.090 4396 6560 G1 Display buffers allocated: width = 1920, height = 1080, bpp = 32
2019/05/29 18:39:35.094 4396 7844 G1 RA: RemoteAudioSender get started
2019/05/29 18:39:35.094 4396 7844 G1 RA: Control stream will get created
2019/05/29 18:39:35.095 3884 4844 S0 ReadStreamParameters(): streamID=20 type=12 (StreamType_RemoteAudioControl), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:35.095 4396 7832 G1 RA: Controlstream succesfull registered with id 20
2019/05/29 18:39:35.111 12160 14136 D1 Max cache size: 97.07 MB for stream 16
2019/05/29 18:39:35.132 4396 7844 G1 RA: quality suggestion by capacity measurement: (350)
2019/05/29 18:39:35.132 4396 7844 G1 RA: Audio quality set to 32000
2019/05/29 18:39:35.132 4396 7844 G1 RA: Control stream will get created
2019/05/29 18:39:35.132 3884 4860 S0! StreamManagerOutgoing::RemoveStream: Could not find stream 20
2019/05/29 18:39:35.132 3884 4852 S0 ReadStreamParameters(): streamID=21 type=12 (StreamType_RemoteAudioControl), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:35.132 4396 7844 G1 RA: Controlstream succesfull registered with id 21
2019/05/29 18:39:35.176 12160 2228 D1 Received cache version 2 from [1234567891,811586809]
2019/05/29 18:39:35.236 12160 12808 D1 Caching activated, partners version is 2, own version is 2
2019/05/29 18:39:35.373 12160 11928 D1 Max cache size: 93.87 MB for stream 16
2019/05/29 18:39:36.539 3884 4852 S0 UdpOutputTracker(): max 0 effectiveSent 206424 RTT 1656588
2019/05/29 18:39:36.920 7212 7216 H64 explorer.exe: ResumeAllThreads: resumed 74 threads, max count 74
2019/05/29 18:39:36.920 7212 7216 H64 explorer.exe: DragInterceptor: interception successful (new interface)
2019/05/29 18:39:47.036 12160 9416 D1 DisplayQuality m=0, bpp=8, q=60, echo=31, conRating=0, cpu=16848, capacity=0, RTT=32934, reliability=2, disable animation=1 remove wallpaper=1
2019/05/29 18:39:51.655 4396 7832 G1 RA: quality suggestion by capacity measurement: (40564)
2019/05/29 18:39:51.655 4396 7832 G1 RA: Audio quality set to 120000
2019/05/29 18:39:51.655 4396 1656 G1 RA: Stopping capturing thread
2019/05/29 18:39:51.655 4396 1656 G1 RA: LoopbackCapture with 1247 discon events within 16469 ms
2019/05/29 18:39:51.655 4396 7640 G1 RA: RemoteAudioSender stopped
2019/05/29 18:39:51.655 4396 7832 G1 RA: LoopBackCapture stopped
2019/05/29 18:39:51.658 4396 7832 G1 RA: RemoteAudioSender stopping...
2019/05/29 18:39:51.658 4396 7832 G1 RA: Control stream will get created
2019/05/29 18:39:51.658 3884 4848 S0 ReadStreamParameters(): streamID=22 type=12 (StreamType_RemoteAudioControl), source=[12345678910,123456789], features=1, compression=2
2019/05/29 18:39:51.658 3884 4856 S0! StreamManagerOutgoing::RemoveStream: Could not find stream 21
2019/05/29 18:39:51.658 4396 7832 G1 RA: Controlstream succesfull registered with id 22
2019/05/29 18:40:00.906 3884 4864 S0! UdpConnection[349]: UDP statistics: prp=112 scf=14 nb=91
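As an added example (not TeamViewer's tooling and not the page author's code), the triage script below counts the search terms listed earlier and pulls the connecting party's details out of a log: the remote TeamViewer ID and IP address, the router used, the authentication attempts and their outcomes, the client version, the session ID, the streams the remote party opened, and the access-control settings in force. The sample lines are taken from the excerpt above with the extraction spacing repaired; the field layout assumed by the line regex is read off that excerpt.

```python
import re
from typing import Dict, List, Tuple

# The search terms recommended in the text above.
SEARCH_TERMS = [
    "CreatePassiveSession",
    "Negotiating session encryption",
    "incoming remote control in sessions",
    "CommandHandlerRouting",
]

# Sample input: lines from the log excerpt above (IDs and addresses as anonymised on
# the page), in timestamp order, with the extraction spacing repaired.
SAMPLE_LOG = """\
2019/05/29 18:39:29.702 3884 4860 S0 CommandHandlerRouting[32]::CreatePassiveSession(): incoming session via GB-LON-IBM-R010.teamviewer.com, protocol Tcp
2019/05/29 18:39:29.818 3884 4860 S0 Negotiating session encryption: client hello received from 1234567891, RSA key length = 2048
2019/05/29 18:39:30.003 3884 4848 S0 ConnectionGuard: incoming remote control in sessions: 1(1)
2019/05/29 18:39:30.075 3884 4860 S0 CAcceptServer::HandleAccept: new connection from 121.1.1.1:12345
2019/05/29 18:39:30.148 3884 4860 S0 Negotiating session encryption: server handshake sent, encryption established with AES key length 256
2019/05/29 18:39:31.064 12160 13208 D1!! CAuthenticationSRP_Passive, Step_Receive_VerifyClientSecret: clientSecret!=serverSecret
2019/05/29 18:39:31.064 12160 13208 D1 AuthenticationPasswordLogin_Passive::RunAuthenticationMethod: authentication using dynamic password was denied
2019/05/29 18:39:31.213 12160 13208 D1 AuthenticationPasswordLogin_Passive::RunAuthenticationMethod: authentication using fixed password was successful
2019/05/29 18:39:31.276 12160 13208 D1 SessionManagerDesktop::ChangeToServermode: creating session with TVSessionID = 123456789
2019/05/29 18:39:34.848 3884 4848 S0 ReadStreamParameters(): streamID=12 type=24 (StreamType_Clipboard, private), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:34.849 3884 4848 S0 ReadStreamParameters(): streamID=13 type=9 (StreamType_DragDrop, private), source=[1234567891,811586809], features=1, compression=2
2019/05/29 18:39:34.900 4396 7836 G1 ServerThreadInfo connected to 1234567891, client version is 15.2.2756 , OS=19
2019/05/29 18:39:34.901 3884 4852 S0 ReadStreamParameters(): streamID=16 type=2 (StreamType_Screen), source=[12345678910,123456789], features=127, compression=3
2019/05/29 18:39:34.901 4396 7844 G1 CServerThreadInfo::Received_AccessControlSettings: RCAccessControl: RemoteControl='Allowed', FileTransfer='Allowed', AllowVPN='Allowed', SessionRecording='Allowed'
"""

# Line layout seen in the excerpt: timestamp, pid, tid, context tag (S0/D1/G1, with
# '!' appended for warnings), then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<ctx>\S+)\s+(?P<msg>.*)$"
)
ROUTER_RE = re.compile(r"CreatePassiveSession\(\): incoming session via (\S+), protocol (\w+)")
REMOTE_ID_RE = re.compile(r"client hello received from (\d+)")
ACCEPT_RE = re.compile(r"HandleAccept: new connection from (\d+\.\d+\.\d+\.\d+:\d+)")
AUTH_RE = re.compile(r"authentication using (\w+) password was (\w+)")
VERSION_RE = re.compile(r"client version is ([\d.]+)\s*,\s*OS=(\d+)")
SESSION_RE = re.compile(r"TVSessionID = (\d+)")
STREAM_RE = re.compile(
    r"ReadStreamParameters\(\): streamID=\d+ type=\d+ \((StreamType_\w+)[^)]*\), source=\[(\d+),\d+\]"
)
ACL_RE = re.compile(r"Received_AccessControlSettings: RCAccessControl: (.*)$")
KV_RE = re.compile(r"(\w+)=\s*['‘’](\w+)['‘’]")  # straight quotes, or curly ones from a CMS


def count_search_terms(text: str) -> Dict[str, int]:
    """How often each recommended search term occurs (case-insensitive)."""
    low = text.lower()
    return {term: low.count(term.lower()) for term in SEARCH_TERMS}


def summarise_incoming_session(text: str) -> dict:
    """Extract the connecting party's details from TeamViewer log text."""
    s = {
        "first_seen": None, "last_seen": None, "router": None,
        "remote_teamviewer_id": None, "remote_addr": None, "auth_attempts": [],
        "client_version": None, "client_os": None, "tv_session_ids": [],
        "remote_streams": [], "access_control": {}, "warnings": 0, "unparsed": 0,
    }
    streams: List[Tuple[str, str]] = []  # (source TeamViewer ID, stream type)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                s["unparsed"] += 1  # fragments carved from unallocated space land here
            continue
        ts, ctx, msg = m["ts"], m["ctx"], m["msg"]
        s["first_seen"] = s["first_seen"] or ts
        s["last_seen"] = ts
        if "!" in ctx:
            s["warnings"] += 1
        if r := ROUTER_RE.search(msg):
            s["router"] = f"{r[1]} ({r[2]})"
        elif r := REMOTE_ID_RE.search(msg):
            s["remote_teamviewer_id"] = r[1]
        elif r := ACCEPT_RE.search(msg):
            s["remote_addr"] = r[1]
        elif r := AUTH_RE.search(msg):
            s["auth_attempts"].append((r[1], r[2]))
        elif r := VERSION_RE.search(msg):
            s["client_version"], s["client_os"] = r[1], r[2]
        elif r := SESSION_RE.search(msg):
            if r[1] not in s["tv_session_ids"]:
                s["tv_session_ids"].append(r[1])
        elif r := STREAM_RE.search(msg):
            streams.append((r[2], r[1]))
        elif r := ACL_RE.search(msg):
            s["access_control"] = dict(KV_RE.findall(r[1]))
    # Only streams whose source is the remote ID show what the connecting party opened
    # (clipboard, drag & drop, VPN ...); the local machine's own streams are left out.
    for src, kind in streams:
        if src == s["remote_teamviewer_id"] and kind not in s["remote_streams"]:
            s["remote_streams"].append(kind)
    return s
```

A denied dynamic-password attempt followed by a successful fixed-password login, as in the sample, is worth noting in a report because it shows which credential actually admitted the remote party.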
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on enquiries@athenaforensics.co.uk, further details are available on our contact us page.
Our clients' confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.