Contact: 0330 123 4448
Email: enquiries@athenaforensics.co.uk

Athena Forensics

Computer and Mobile Phone Forensic Expert Investigations and Examinations

Teamviewer Forensics

· ·

What is TeamViewer?

TeamViewer is an application that allows the user of one computer to connect and remotely use another computer, as if they were sat at it, via the Internet.

The software can be downloaded from here https://www.teamviewer.com/en/download/windows/ for personal use for free, with limitations such as a connection time limit, or it can be purchased providing the user with fewer limitations, including for business use, as the cost increases.

The software is also available on a range of different platforms including Windows, Windows Mobile, Linux, Mac OSX, Android and Apple iOS.

TeamViewer Forensics

When using TeamViewer, the access to the remote computer is gained using the 10 digit ID number and password of that computer and knowledge of those is required before the computer can be used.

However, the capability of TeamViewer and other such remote access software provides the potential for a user to gain complete use of a computer from any location via the Internet which can provide various circumstances where that capability can be misused and private or financial information can be obtained.

Through the use of digital forensics techniques, it can be possible to identify what activity occurred during any remote connection sessions, including any files that were transferred and the IP address and other details that may help identify the connecting computer.

TeamViewer Forensics – Data Investigation

When conducting a forensic investigation into a computer where TeamViewer is involved, data is stored to both computers, the computer being accessed and the computer conducting the access.

By default, the TeamViewer application is stored to the Program Files\Teamviewer directory and the activity logs are also recorded within that path.

The file named Connections_Incoming.txt maintains a record of all incoming remote connections, which is stored in the following format:

  • TeamViewer ID
  • Name of Connecting Computer
  • Time/Date of Start of the Activity
  • Time/Date of the End of the Activity
  • Profile of the Target Computer
  • Type of Connection
  • Connection ID

Once a specific connection has been identified within the Connections_Incoming.txt file, it is possible to consider further details of the actions and activities undertaken by examining the content of the TeamViewer logfiles that are also location within the default program installation folder.

The information within the logfiles includes the version of TeamViewer used, the operating system and the IP address of the connecting computer.

If attempting to identify evidence of remote access either within a TeamViewer log file or within the deleted areas of a drive searches for the following terms may assist:

CreatePassiveSession

Negotiating session encryption

incoming remote control in sessions

CommandHandlerRouting

The following text is the content of a TeamViewer13 Logfile from a target computer that had been accessed remotely by another

2019/05/29 18:39:29.702  3884  4860 S0   Activating Router carrier 

2019/05/29 18:39:29.702  3884  4860 S0   CommandHandlerRouting[32]::CreatePassiveSession(): incoming session via  GB-LON-IBM-R010.teamviewer.com, protocol Tcp 

2019/05/29 18:39:29.818  3884  4860 S0   Negotiating session encryption: client hello received from 1234567891, RSA key length = 2048  

2019/05/29 18:39:29.818  3884  4860 S0   Negotiating session encryption: client hello received from 1234567891, RSA key length = 2048 

2019/05/29 18:39:29.833  3884  4856 S0   Negotiating session encryption: server hello sent 

2019/05/29 18:39:29.849  3884  4848 S0   CToken::GetSystemToken() set session 1 

2019/05/29 18:39:29.865  3884  4848 S0   ProcessCo ntrolBase[4]: Start Desktop process in session 1, pid 12160 

2019/05/29 18:39:29.871  3884  4848 S0!  GUIProcessControl::VerifyGuiRunningInSessionInternal: incoming connection for  session 1. User desktop-[user name]is logged in, but no GUI running. Retry count: 0. 

2019/05/29 18:39:30.003  3884  4848 S0   ConnectionGuard: incoming remote control in sessio ns: 1(1) 

2019/05/29 18:39:30.003  4396  7848 G1   Connection incoming, sessionID = 123456789 

2019/05/29 18:39:30.075  3884  4860 S0   CAcceptServer::HandleAccept: new connection  from 121.1.1.1:12345 

2019/05/29 18:39:30.079  4396  7848 G1   Received Control_InitIPC processtype=4 

2019/05/29 18:39:30.088  3884  4856 S0   ProcessControlBase[4]::ProcessConnected: Process pid 12160 in session 1 connected 

2019/05/29 18:39:29.871 12160  5064 D1   Logger started. 

2019/05/29 18:39:29.987 12160  5064 D1   TeamViewerDesktop started, PID=121 60 

2019/05/29 18:39:29.987 12160  5064 D1   Monitors: Generic PnP Monitor, \\.\DISPLAY1, 1920×1080 (0,0), flags=3, dpi=96 

2019/05/29 18:39:29.987 12160 12744 D1   WindowsDesktopS pecificThread::Init(default): ChangeThreadDesktop(): SetThreadDesktop to default successful 

2019/05/29 18:39:29.987 12160  8408 D1   WindowsDesktopSpecificThread::Init(winlogon):  ChangeThreadDesktop(): SetThreadDesktop to winlogon successful 

2019/05/29 18:39:30.003 12160  5064 D1   MachineHooks: Initialized Shm 

2019/05/29 18:39:30.003 12160  5064 D1   Mac hineHooks: refcount = 2 

2019/05/29 18:39:30.003 12160  5064 D1   MachineHooks: x64 Machine detected 

2019/05/29 18:39:30.003 12160  5064 D1   RemoveLoginScreenWallpaper: inputDesk topName=Default 

2019/05/29 18:39:30.067 12160  5064 D1   Default keyboard layout: 08090409 

2019/05/29 18:39:30.067 12160 5064 D1 tvdesktop::BlackScreen::BlackScreen – state B SCR_OFF; m_showInstallMonitorDialog 1 

2019/05/29 18:39:30.067 12160  5064 D1 tvdesktop::BlackScreen::BlackScrState – moving from BSCR_OFF —> BSCR_OFF 

2019/05/29 18:39:30.067  12160  5064 D1 tvdesktop::BlackScreen::RegisterChangeEvent 

2019/05/29 18:39:30.067 12160  5064 D1 InterProcessBase::StartTcpCommunicationInternal(): setting m_NetworkConnect or to new TCP connector 

2019/05/29 18:39:30.074 12160  5064 D1   Opening local TCP connection to 121.1.1.1:1234 

2019/05/29 18:39:30.074 12160  2228 D1   Local TCP connection esta blished 

2019/05/29 18:39:30.082 12160 11928 D1   SettingsIPCReception receive a SYNCHRONISE Settings command : UserSettings 

2019/05/29 18:39:30.084 12160 11928 D1   Received Cont rol_InitIPC_Response processtype=1 

2019/05/29 18:39:30.084 12160 11928 D1   Received Control_InitIPC_Response runningProcesses=7 

2019/05/29 18:39:30.087 12160  2228 D1   Received  Control_InitIPC_Response processtype=2 

2019/05/29 18:39:30.087 12160  2228 D1   Control_InitIPC_Response: all processes 7 completely initialized 

2019/05/29 18:39:30.121 12160  5 064 D1   InterProcessBase::SecureNetwork created 

2019/05/29 18:39:30.122 12160  5064 D1 tvshared::WindowsSessionStateManager::SetUserLoggedIn(05EF0818): changed to: 1 

2019/05/29 18:39:30.127 12160  3972 D1 tvshared::WindowsSessionStateManager::SetUserLoggedIn(05EF0818): changed to: 1 

2019/05/29 18:39:30.127 12160  2228 D1!! InterProcessBase::ProcessCo ntrolCommand Command 40 not handled 

2019/05/29 18:39:30.127 12160 14136 D1   Connection incoming, sessionID = 123456789 

2019/05/29 18:39:30.127 12160  6948 D1   LoginDesktopWindo wImpl::GuiThreadFunction(): ChangeThreadDesktop(): SetThreadDesktop to winlogon successful

2019/05/29 18:39:30.127 12160 14136 D1 tvshared::WindowsSessionStateManager::SetUserLo ggedIn(05EF0818): changed to: 1 

2019/05/29 18:39:30.127 12160 14136 D1 tvshared::WindowsSessionStateManager::SetSessionLocked: 05EF0818 : Unlocked 

2019/05/29 18:39:30.127 12160  13208 D1   CLogin::run() 

2019/05/29 18:39:30.127 12160 14136 D1   IpcRouterClock: received router time: 20190529T143929.607821 

2019/05/29 18:39:30.127 12160 13208 D1   CLogin::N egotiateVersionServer() 

2019/05/29 18:39:30.127  3884  4852 S0   LegacyDataCmdSender[32]::SendAllData(): encryption not ready! 

2019/05/29 18:39:30.142  3884  4856 S0   Negotiating session encryption: client handshake received 

2019/05/29 18:39:30.142  3884  4856 S0   Negotiating session encryption: client handshake received 

2019/05/29 18:39:30.148  3884   4860 S0   Negotiating session encryption: server handshake sent, encryption established with AES key length 256 

2019/05/29 18:39:30.819 12160 13208 D1   CLoginServer::CheckIfConne ctionIsAllowed() 

2019/05/29 18:39:30.820 12160 13208 D1   LoginServer::runServer: using condition set: {} 

2019/05/29 18:39:30.821 12160 13208 D1   CLoginServer::AuthenticateServe r() 

2019/05/29 18:39:31.064 12160 13208 D1!! CAuthenticationSRP_Passive, Step_Receive_VerifyClientSecret: clientSecret!=serverSecret 

2019/05/29 18:39:31.064 12160 13208 D1 AuthenticationPasswordLogin_Passive::RunAuthenticationMethod: authentication using dynamic password was denied 

2019/05/29 18:39:31.213 12160 13208 D1 AuthenticationPasswordLogin_Passive::RunAuthenticationMethod: authentication using fixed password was successful 

2019/05/29 18:39:31.270  3884  4864 S0   UDP: ProcessHandshake: (*) 

2019/05/29 18:39:31.271  388 4  4864 S0   Initializing transmission control v2 

2019/05/29 18:39:31.272  3884  4844 S0   UDP: ProcessHandshake: (*) 

2019/05/29 18:39:31.272  3884  4844 S0   Initializing transm ission control v2 

2019/05/29 18:39:31.275  3884  4844 S0   UDP: no transition from state AllOk on event struct tvnetwork::FirstHandshakeHandled: (*) 

2019/05/29 18:39:31.275  3884   4844 S0   UDP: no transition from state HandlingPingsAndFlows on event struct tvnetwork::FirstHandshakeHandled: (*) 

2019/05/29 18:39:31.275  3884  4844 S0   UDP: no transition f rom state WaitForUdpRequest on event struct tvnetwork::FirstHandshakeHandled: (*) 

2019/05/29 18:39:31.276 12160 13208 D1   CLoginServer::runServer: ConnectionMode == 1 

2019/05/29 18:39:31.276 12160 13208 D1   SessionManagerDesktop::ChangeToServermode: creating session with TVSessionID = 123456789 

2019/05/29 18:39:31.277 12160 13208 D1   Default keyboard layout: 08090409 

2019/05/29 18:39:31.279 12160 13208 D1   WorkstationLockerWin::ShouldAutoLockWorkstation: Autolock: no, Local user logged-in: 1, window session locked: 0, secure screen saver running: no disabled by policy: 0 

2019/05/29 18:39:31.279 12160 13208 D1   WorkstationLocker::SetInitialSessionLockState() TVSessionID: 123456789 auto lock: 0 

2019/05/29 18:39:31.279 12160 13208 D1   WindowObserver::SessionStart: -1; type: 1 

2019/05/29 18:39:31.279  3884  4844 S0   PseudoRoutableCmdHandler[32]::StartPseudoRouter(): PseudoRoute r has been started 

2019/05/29 18:39:31.279  3884  4844 S0   CPersistentParticipantManager::AddParticipant: [12345678910,123456789] type=3 name=DESKTOP 

2019/05/29 18:39:31. 280  3884  4852 S0   CPersistentParticipantManager::AddParticipant: [1234567891,811586809] type=6 name=John Doe 

2019/05/29 18:39:31.280  3884  4844 S0   CPersistentParticipant Manager::AddParticipant: [12345678910,123456789] type=3 name=DESKTOP 

2019/05/29 18:39:31.280 12160  7556 D1   DesktopThread started, number of Cores: 6 

2019/05/29 18:39:31 .280 12160 13208 D1   SessionManagerDesktop::ReportSession(): report incoming session -> isManagedDevice: 0; reportIncomingSession setting: 0 

2019/05/29 18:39:31.280 12160 13208 D 1   CLogin::run() leave 

2019/05/29 18:39:31.280 12160 13208 D1   tvhelper::CThread::weakJoin – thread {Not-any-thread} has succesfully detached itself 

2019/05/29 18:39:31.281  38 84  4852 S0   ReadStreamParameters(): streamID=1 type=5 (StreamType_Chat), source=[12345678910,123456789], features=1, compression=2 

2019/05/29 18:39:31.282  3884  4852 S0   ReadSt reamParameters(): streamID=2 type=7 (StreamType_VPN), source=[12345678910,123456789], features=1, compression=2 

2019/05/29 18:39:31.291  4396  7832 G1   VoIP: using pipeline factor y async = 1 

2019/05/29 18:39:31.291  4396  7832 G1   VoIP: VoIPCentral: CreateComponentsAndStartThreads start 

2019/05/29 18:39:31.291  4396  7832 G1   VoIP: using pipeline factor y async = 1 

2019/05/29 18:39:31.292  4396  7832 G1   VoIP: Receiver: Audio pipeline: Building pipeline finished 

2019/05/29 18:39:31.292  4396  7832 G1   VoIP: Receiver: Audio pip eline: VoiceReceiverAudioPipeline RegisterPlaybackDataObserver 

2019/05/29 18:39:31.292  4396  7832 G1   VoIP: using pipeline factory async = 1 

2019/05/29 18:39:31.292  4396  5620  G1   VoiceSenderAudioPipeline: Building pipeline started 

2019/05/29 18:39:31.292  4396  7832 G1   VoIP: VoIPCentral: CreateComponentsAndStartThreads end 

2019/05/29 18:39:31.292   4396 13940 G1   VoIP: Receiver: Audio pipeline: StartTicking called 

2019/05/29 18:39:31.292  4396 13940 G1   VoIP: Receiver: ****** Playback status changed to VoiceReceiverPlayba ckUnavailable ****** 

2019/05/29 18:39:31.292  4396  2312 G1   RebuildingAutoVoiceCapturerWorkingClass: Data streaming activity changed to 0 

2019/05/29 18:39:31.292  4396  2312 G1    VoiceSenderAudioPipeline: RebuildingAutoVoiceCapturer: Tick streaming activity changed to 0 

2019/05/29 18:39:31.293  4396  5620 G1   VoiceSenderAudioPipeline: Building pipeline  finished 

2019/05/29 18:39:31.293  4396  5620 G1   CAudCodecSpeex:: fpp is 4  

2019/05/29 18:39:31.294  4396  5620 G1   VoIP: Sender: Initialized 

2019/05/29 18:39:31.294  4396  2 312 G1   VoIP: Sender: Audio pipeline: StartTicking called 

2019/05/29 18:39:31.294  4396  5620 G1!! VoIP: Sender: Audio pipeline: RebuildingAutoVoiceCapturer: VoIPAudioControlAdap terCapturing not set! 

2019/05/29 18:39:31.294  4396  7832 G1   RA: Creating audio server 

2019/05/29 18:39:31.294  4396  7832 G1   RA: quality suggestion by capacity measurement:  (350) 

2019/05/29 18:39:31.294  4396  7832 G1   RA: Audio quality set to 120000 

2019/05/29 18:39:31.296  4396  7200 G1   VoIP: Receiver: Added session 123456789. Meeting id is -.  Our participant id is “1 123 456 789” [12345678910,123456789]. 

2019/05/29 18:39:31.301  4396 14092 G1   VoIP: AudioControl: Available Rendering endpoints: “Soundcard Speakers/Headp hones (Realtek(R) Audio)”, “Standard playback device”, “Default Communication Device”,  

2019/05/29 18:39:31.301  4396 14092 G1   VoIP: AudioControl: Endpoint: “Speakers/Headphones ” “Realtek(R) Audio” (HDAUDIO\FUNC_01&VEN_10EC&DEV_0867&SUBSYS_1028086B&REV_1000), cat={DFF21CE1-F70F-11D0-B917-00A0C9223196}, echocat=1 

2019/05/29 18:39:31.318  3884  4860 S0   ReadStreamParameters(): streamID=3 type=5 (StreamType_Chat), source=[1234567891,811586809], features=1, compression=2 

2019/05/29 18:39:31.343  3884  4860 S0   ReadStreamParameters( ): streamID=4 type=7 (StreamType_VPN), source=[1234567891,811586809], features=1, compression=2 

2019/05/29 18:39:31.344  3884  4860 S0   CParticipantManagerBase::CheckAndSubscribe NewStream(): Subscribe stream now streamID=4 type=7 required=1 supported=1 

2019/05/29 18:39:31.344  4396  6560 G1   CServerSessionRecorder::AutoStart: AutoStart recording function  called and not activated (auto recording of incoming RemoteControl not activated) 

2019/05/29 18:39:31.345  3884  4856 S0   CParticipantManagerBase participant DESKTOP (ID  [12345678910,123456789]) was added with the role 3 

2019/05/29 18:39:31.348  3884  4864 S0   CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2, 0,0,2,0,0] 

2019/05/29 18:39:31.348  3884  4864 S0   CParticipantManagerBase participant John Doe (ID [1234567891,811586809]) was added with the role 6 

2019/05/29 18:39:31.351  12160 11928 D1   CParticipantManagerBase participant DESKTOP (ID [12345678910,123456789]) was added with the role 3 

2019/05/29 18:39:31.352 12160 11928 D1   New Participant added in CParticipantManager DESKTOP ([12345678910,123456789]) 

2019/05/29 18:39:31.352 12160  9416 D1   CParticipantManagerBase participant John Doe (ID [1234567891,8 11586809]) was added with the role 6 

2019/05/29 18:39:31.352 12160  9416 D1   New Participant added in CParticipantManager John Doe ([1234567891,811586809]) 

2019/05/29 18:39: 31.352  4396  7836 G1   CParticipantManagerBase participant DESKTOP (ID [12345678910,123456789]) was added with the role 3 

2019/05/29 18:39:31.352  4396  7836 G1   New Part icipant added in CParticipantManager DESKTOP ([12345678910,123456789]) 

2019/05/29 18:39:31.352  4396  7836 G1   SessionFeatureVoip::HandleEvent: AllowedToSpeak’s new state  = 0  2019/05/29 18:39:31.352  4396  7836 G1   SessionStateVoip::SetMicrophoneState: Mic’s new state = 2 / old state = 0  2019/05/29 18:39:31.352  4396  7832 G1   CParticipantManage rBase participant John Doe (ID [1234567891,811586809]) was added with the role 6 

2019/05/29 18:39:31.352  4396  7832 G1   New Participant added in CParticipantManager Michael  Ryan ([1234567891,811586809]) 

2019/05/29 18:39:31.352  3884  4860 S0   CPersistentParticipantManager::SendPMSynchronizationComplete 0331B350

2019/05/29 18:39:31.353  4396  7200 G 1   VoIP: Receiver: Participant channel “John Doe (1 295 337 124)” [1234567891,811586809]: VoIPBCommandReceiver: Created for session 123456789 

2019/05/29 18:39:31.353  4396  7 200 G1   VoIP: Receiver: Session 123456789: Channel created for participant [1234567891,811586809] called “John Doe (1 295 337 124)” [1234567891,811586809] 

2019/05/29 18:39:31 .353  4396  7832 G1   SessionFeatureVoip::HandleEvent: AllowedToSpeak’s new state = 1  2019/05/29 18:39:31.354 12160 12808 D1   SendInfo() executed. 

2019/05/29 18:39:31.354  3884   4864 S0   ReadStreamParameters(): streamID=5 type=1 (StreamType_Misc), source=[12345678910,123456789], features=1, compression=2 

2019/05/29 18:39:31.355 12160  9416 D1   SendInfo( ) executed. 

2019/05/29 18:39:31.356  4396  7844 G1   PrintingDatabaseNotificationHandler::Init: successfully created event Global\tvprint_5d1a0189174747c888f225282aaa59e3 

2019/05/29 18:39:31.356  4396  7844 G1   CParticipantManagerBase::CheckAndSubscribeNewStream(): Subscribe stream now streamID=3 type=5 required=1 supported=1 

2019/05/29 18:39:31.356  439 6  5620 G1   VoIP: Sender: Added session 123456789. Meeting id is John Doe (1 295 337 124). Our participant id is “DESKTOP (1 102 321 141)” [12345678910,123456789]. 

2019/05/29 18:39:31.357  4396  5620 G1   VoIP: Sender: Session 123456789: VoIP streams: Participant added: “John Doe (1 295 337 124)” [1234567891,811586809] 

2019/05/29 18:39:31.3 57  3884  4860 S0   ReadStreamParameters(): streamID=6 type=26 (StreamType_VoIP_Data), source=[12345678910,123456789], features=1, compression=1 

2019/05/29 18:39:31.357  4396  5620  G1   VoIP: Sender: Session 123456789 initialized.  

2019/05/29 18:39:31.357  3884  4852 S0   ReadStreamParameters(): streamID=7 type=25 (StreamType_VoIP_Control), source=[11023211 41,123456789], features=1, compression=1 

2019/05/29 18:39:31.357  4396  7836 G1   VoIP: Sender: Session 123456789: VoIP streams: We registered VoIPV3 data stream 6 

2019/05/29 18: 39:31.357  4396  7836 G1   VoIP: Sender: Session 123456789: VoIP streams: We registered VoIPV3 control stream 7 

2019/05/29 18:39:31.357  4396  7836 G1   VoIP: Sender: Session 9483 44754: VoIP streams: We registered all streams of VoIPV3 channel 

2019/05/29 18:39:31.365  3884  4860 S0   UDP: sending pings…: (*) 

2019/05/29 18:39:31.384  3884  4844 S0   UDP:  UHP.PING response received: (*) 

2019/05/29 18:39:31.386  3884  4860 S0   CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2,0,0,2,0,0] 

2019/05/29 18:39:31.387 12160 14136 D1   CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2,0,0,2,0,0] 

2019/05/29 18:39:31.387  4396  7844 G1   CParticipantManagerBase InteractionDefaults arrived : CInteractionDefaults = (0) [ 0,2,0,0,2,0,0] 

2019/05/29 18:39:31.388  3884  4848 S0   UDP: UHP.PING response received: (*) 

2019/05/29 18:39:31.397  3884  4844 S0   UDP: UHP.PING response received: (*) 

2019/05/29 18:39:31.397  3884  4844 S0   UDP: punching: (*) 

2019/05/29 18:39:31.397  3884  4844 S0   UDP: P ingOK.PunchInit: (*) 

2019/05/29 18:39:31.410  3884  4860 S0   UDP: UHP.PING response received: (*) 

2019/05/29 18:39:31.438  3884  4856 S0   UDP: SendUDPPunches: (*) 

2019/05/29 18:39:31.477  3884  4860 S0   UDP: punch received a=185.8.112.71:46630: (*) 

2019/05/29 18:39:31.478  3884  4860 S0   UDP: send UDPFLOW_PUNCHRECEIVED: (*) 

2019/05/29 18:39:31.478   3884  4860 S0   UDP: SendUDPPunches: (*) 

2019/05/29 18:39:31.478  3884  4860 S0   UDP: received punch: (*) 

2019/05/29 18:39:31.509  3884  4844 S0   UDP: send UDPFLOW_UDPSENDPOSSI BLE: (*) 

2019/05/29 18:39:31.512  3884  4852 S0   UDP: send UDPFLOW_UDPSENDPOSSIBLE: (*) 

2019/05/29 18:39:31.514  3884  4856 S0   UDP: send UDPFLOW_MTUTESTRECEIVED (size = 448):  (*) 

2019/05/29 18:39:31.514  3884  4844 S0   UDP: send UDPFLOW_MTUTESTRECEIVED (size = 1008): (*) 

2019/05/29 18:39:31.549  3884  4844 S0   UDP: send UDPFLOW_UDPSENDPOSSIBLE: (*)  

2019/05/29 18:39:31.550  3884  4844 S0   UDP: send UDPFLOW_UDPSENDPOSSIBLE: (*) 

2019/05/29 18:39:31.553  3884  4844 S0   UDP: UDP prepare switch received: (*) 

2019/05/29 18:39:31.553  3884  4844 S0   UDP: create udp connection was successful: (*)

2019/05/29 18:39:31.560  3884  4860 S0   CarrierContainer.SendCarrierSwitch: state=1, carrier=2 

2019/05/29 18:39:34.845 3884 4844 S0 ReadStreamParameters(): streamID=8 type=1 (StreamType_Misc), source=[1234567891,811586809], features=1, compression=2 

2019/05/29 18:39:34.846 3884 4848 S0 ReadStreamParameters(): streamID=9 type=26 (StreamType_VoIP_Data), source=[1234567891,811586809], features=1, compression=1 

2019/05/29 18:39:34.846  3884  4852 S0   Carri erContainer.ProcessCarrierSwitch: state=2, carrier=2 

2019/05/29 18:39:34.847  3884  4852 S0   Activating UDP carrier … 

2019/05/29 18:39:34.847  3884  4848 S0   ReadStreamParame ters(): streamID=10 type=25 (StreamType_VoIP_Control), source=[1234567891,811586809], features=1, compression=1 

2019/05/29 18:39:34.847  3884  4848 S0   ReadStreamParameters(): st reamID=11 type=1 (StreamType_Misc, private), source=[1234567891,811586809], features=1, compression=2 

2019/05/29 18:39:34.848  4396  7200 G1   VoIP: Receiver: Participant channel  “John Doe (1 295 337 124)” [1234567891,811586809]: VoIPBCommandReceiver: Partner registered VoIPV3 audio stream 9 

2019/05/29 18:39:34.848  4396  7200 G1   CParticipantManagerB ase::CheckAndSubscribeNewStream(): Subscribe stream now streamID=9 type=26 required=1 supported=1 

2019/05/29 18:39:34.848  4396  7200 G1   VoIP: Receiver: Participant channel “John Doe (1 295 337 124)” [1234567891,811586809]: VoIPBCommandReceiver: We subscribed VoIPV3 audio stream 9 

2019/05/29 18:39:34.848  3884  4848 S0   ReadStreamParameters(): strea mID=12 type=24 (StreamType_Clipboard, private), source=[1234567891,811586809], features=1, compression=2 

2019/05/29 18:39:34.848  4396 13940 G1   VoIP: Receiver: Participant channel “John Doe (1 295 337 124)” [1234567891,811586809]: VoIPBCommandReceiver: Partner registered VoIPV3 control stream 10 

2019/05/29 18:39:34.848  4396 13940 G1   CParticipantManagerBase::CheckAndSubscribeNewStream(): Subscribe stream now streamID=10 type=25 required=1 supported=1 

2019/05/29 18:39:34.848  4396 13940 G1   VoIP: Receiver: Participant chann el “John Doe (1 295 337 124)” [1234567891,811586809]: VoIPBCommandReceiver: We subscribed VoIPV3 control stream 10 (waiting for init command) 

2019/05/29 18:39:34.849  3884  48 48 S0   ReadStreamParameters(): streamID=13 type=9 (StreamType_DragDrop, private), source=[1234567891,811586809], features=1, compression=2 

2019/05/29 18:39:34.849  4396  7844 G1    VoIP: Sender: Session 123456789: VoIP streams: Partner “John Doe (1 295 337 124)” [1234567891,811586809] subscribed VoIPV3 control stream. We have to send an init command. 

2 020/02/19 14:39:34.849  3884  4848 S0   ReadStreamParameters(): streamID=14 type=3 (StreamType_Audio), source=[1234567891,811586809], features=1, compression=1 

2019/05/29 18:39:34 .849  4396  7844 G1   VoIP: Sender: Session 123456789: VoIP streams: Partners changed subscriptions and so the receiving usage of the VoIPV3 channel changed to 1 

2019/05/29 18:39: 34.850  4396  2312 G1   VoIP: Sender: Session-format channel (123456789, V3): Init VoIP channel  2019/05/29 18:39:34.850  4396  2312 G1   VoIP: Sender: Session-format channel (9483 44754, V3): VoIPV3BCommandSender: We sent init command on stream 7 

2019/05/29 18:39:34.850  4396  5620 G1   VoIP: Sender: Session-format channel (123456789, V3): Receiving usage b y partners changed to 1 

2019/05/29 18:39:34.891  4396  7832 G1!! DataTransceiver: DataTransceiver => DataTransceiverFileBox::HandleEvent: routerInstance is null 

2019/05/29 18:39: 34.891  4396  7832 G1   CServerSessionRecorder::AutoStart: AutoStart recording function called and not activated (auto recording of incoming RemoteControl not activated) 

2019/05/29 18:39:34.893  4396  7832 G1   CServerThreadInfo unknown commandtype=95 

2019/05/29 18:39:34.900 12160 14136 D1   InfoCommandHandlerDesktop::ReceivedInfo: connected to 1234567891,  client version is 15.2.2756 , OS=19 

2019/05/29 18:39:34.900  4396  7836 G1   ServerThreadInfo connected to 1234567891, client version is 15.2.2756 , OS=19 

2019/05/29 18:39:34.90 0 12160 14136 D1   DisplayQuality m=0, bpp=32, q=80, echo=-1, conRating=2, cpu=16848, capacity=96883, RTT=3167485, reliability=1, disable animation=1 remove wallpaper=1 

2019/05/29 18:39:34.900  3884  4860 S0   ReadStreamParameters(): streamID=15 type=1 (StreamType_Misc, private), source=[12345678910,123456789], features=1, compression=2 

2019/05/29 18:39:34. 901  3884  4852 S0   ReadStreamParameters(): streamID=16 type=2 (StreamType_Screen), source=[12345678910,123456789], features=127, compression=3 

2019/05/29 18:39:34.901  3884  4852  S0   ReadStreamParameters(): streamID=17 type=10 (StreamType_ScreenVideo), source=[12345678910,123456789], features=127, compression=1 

2019/05/29 18:39:34.901  3884  4852 S0   Rea dStreamParameters(): streamID=18 type=24 (StreamType_Clipboard, private), source=[12345678910,123456789], features=1, compression=2 

2019/05/29 18:39:34.901  4396  7844 G1   CServer ThreadInfo::Received_AccessControlSettings: RCAccessControl: RemoteControl=’Allowed’, FileTransfer=’Allowed’, ControlRemoteTV=’Allowed’, SwitchSides=’Allowed’, AllowDisableRemoteIn put=’Allowed’, AllowVPN=’Allowed’, AllowPartnerViewDesktop=’Allowed’, ShareMyFiles=’Allowed’, ShareFilesWithMe=’Allowed’, PrintOnMyPrinters=’Allowed’, PrintOnRemotePrinters=’Allowe d’, SessionRecording=’Allowed’ 

2019/05/29 18:39:34.901  3884  4852 S0   ReadStreamParameters(): streamID=19 type=9 (StreamType_DragDrop, private), source=[12345678910,123456789], f eatures=1, compression=2 

2019/05/29 18:39:34.901  4396  7844 G1   ServerThreadInfo connected to 1234567891, client version is 15.2.2756 , OS=19 

2019/05/29 18:39:34.901  4396  784 4 G1   CServerThreadInfo::Received_AccessControlSettings: RCAccessControl: RemoteControl=’Allowed’, FileTransfer=’Allowed’, ControlRemoteTV=’Allowed’, SwitchSides=’Allowed’, AllowD isableRemoteInput=’Allowed’, AllowVPN=’Allowed’, AllowPartnerViewDesktop=’Allowed’, ShareMyFiles=’Allowed’, ShareFilesWithMe=’Allowed’, PrintOnMyPrinters=’Allowed’, PrintOnRemotePr inters=’Allowed’, SessionRecording=’Allowed’ 

2019/05/29 18:39:34.902  4396  7832 G1   MachineHooks: Start DragInterceptor 

2019/05/29 18:39:34.903  8028  8032 H32  tv_w32.exe: Dra gInterceptor: Starting Up 

2019/05/29 18:39:34.903  8028  8032 H32  tv_w32.exe: DragInterceptor: started 

2019/05/29 18:39:34.903  8036  8040 H64  tv_x64.exe: DragInterceptor: Star ting Up 

2019/05/29 18:39:34.903  8036  8040 H64  tv_x64.exe: DragInterceptor: started 

2019/05/29 18:39:34.906  8036  8040 H64  tv_x64.exe: Starting Update Hook 

2019/05/29 18:39: 34.906  8028  8032 H32  tv_w32.exe: Starting Update Hook 

2019/05/29 18:39:34.909 12160  1672 D1   runLLHook(): ChangeThreadDesktop(): SetThreadDesktop to default successful 

2019/05/29 18:39:34.966 12160 12808 D1   GuiWindowCheckBase::CheckForValidGUIWindows() ok 

2019/05/29 18:39:35.007 12160  7556 D1   CGrabMethodDuplication::Initialize() m_State=1 

2019/05/29 18:39:35.009 12160  7556 D1   first fullscreen grab time in ms = 1 

2019/05/29 18:39:35.013 12160  7556 D1!  Desktop: Grabbed screen is black. 

2019/05/29 18:39:35.015 12160   2228 D1   Desktop grab succeeded. 

2019/05/29 18:39:35.035 12160  9416 D1   ConnectionAccessControl => RCAccessControl: RemoteControl=’Allowed’, FileTransfer=’Allowed’, ControlRem oteTV=’Allowed’, SwitchSides=’Allowed’, AllowDisableRemoteInput=’Allowed’, AllowVPN=’Allowed’, AllowPartnerViewDesktop=’Allowed’, ShareMyFiles=’Allowed’, ShareFilesWithMe=’Allowed’ , PrintOnMyPrinters=’Allowed’, PrintOnRemotePrinters=’Allowed’, SessionRecording=’Allowed’ 

2019/05/29 18:39:35.035 12160  9416 D1   InfoCommandHandlerDesktop::ReceivedInfo: connected to 1234567891, client version is 15.2.2756 , OS=19 

2019/05/29 18:39:35.035 12160  9416 D1   DisplayQuality m=0, bpp=8, q=60, echo=-1, conRating=0, cpu=16848, capacity=0, RTT=0 , reliability=2, disable animation=1 remove wallpaper=1 

2019/05/29 18:39:35.074 12160  9416 D1   ConnectionAccessControl => RCAccessControl: RemoteControl=’Allowed’, FileTransfer= ‘Allowed’, ControlRemoteTV=’Allowed’, SwitchSides=’Allowed’, AllowDisableRemoteInput=’Allowed’, AllowVPN=’Allowed’, AllowPartnerViewDesktop=’Allowed’, ShareMyFiles=’Allowed’, Share FilesWithMe=’Allowed’, PrintOnMyPrinters=’Allowed’, PrintOnRemotePrinters=’Allowed’, SessionRecording=’Allowed’  

2019/05/29 18:39:35.074 12160 9416 D1 StreamControlDesktop::Stre amRegistered: Registered Clipboard Stream (00000012) 

2019/05/29 18:39:35.074 12160 9416 D1 StreamControlDesktop::StreamRegistered: Registered Drag&Drop Stream (00000013) 

2019/05/29 18:39:35.074 12160 9416 D1 tvdesktop::MachineControlDesktop::Received_AutoLockOnSessionEnd – received lockWSAfterSessionEnd = false, cp = 05F36320, this = 03427FAC 

2019/05/29 18:39:35.074 12160  9416 D1 WorkstationLocker::SetAutoLockOnSessionEnd() TVSessionID: 123456789 lock: 0 can lock: 1 

2019/05/29 18:39:35.074 12160 9416 D1 tvdesktop::MachineControlDesktop::Received_AutoLockOnSessionEnd – received lockWSAfterSessionEnd = false, cp = 05F36320, this = 03427FAC 

2019/05/29 18:39:35.074 12160  9416 D1   WorkstationLocke r::SetAutoLockOnSessionEnd() TVSessionID: 123456789 lock: 0 can lock: 1 

2019/05/29 18:39:35.076 12160  7556 D1   Desktop: Grabbed screen is ok. 

2019/05/29 18:39:35.078 12160 1241 6 D1   Desktopencoding: Tiles, buffer depth=32bpp, transmitted color depth=4bpc, features=127 

2019/05/29 18:39:35.085 12160 12416 D1   Tile caching activated 

2019/05/29 18:39:35. 089 12160 12416 D1   CScreenStreamSender::SendDisplayParams() 1920x1080x8 on 16 to 3  2019/05/29 18:39:35.090  3884  4852 S0   StreamCompressor[32]: change compression to 3 for str eam 16 

2019/05/29 18:39:35.090  4396  6560 G1   Display buffers allocated: width = 1920, height = 1080, bpp = 8 

2019/05/29 18:39:35.090  4396  6560 G1   Display buffers allocated : width = 1920, height = 1080, bpp = 32 

2019/05/29 18:39:35.094  4396  7844 G1   RA: RemoteAudioSender get started 

2019/05/29 18:39:35.094  4396  7844 G1   RA: Control stream wil l get created 

2019/05/29 18:39:35.095  3884  4844 S0   ReadStreamParameters(): streamID=20 type=12 (StreamType_RemoteAudioControl), source=[12345678910,123456789], features=1, comp ression=2 

2019/05/29 18:39:35.095  4396  7832 G1   RA: Controlstream succesfull registered with id 20 

2019/05/29 18:39:35.111 12160 14136 D1   Max cache size: 97.07 MB for stream  16 

2019/05/29 18:39:35.132  4396  7844 G1   RA: quality suggestion by capacity measurement: (350) 

2019/05/29 18:39:35.132  4396  7844 G1   RA: Audio quality set to 32000 

2019/05/29 18:39:35.132  4396  7844 G1   RA: Control stream will get created 

2019/05/29 18:39:35.132  3884  4860 S0!  StreamManagerOutgoing::RemoveStream: Could not find stream 20 

2019/05/29 18:39:35.132  3884  4852 S0   ReadStreamParameters(): streamID=21 type=12 (StreamType_RemoteAudioControl), source=[12345678910,123456789], features=1, compression=2 

2019/05/29 18:39:35.132  4396  7844 G1   RA: Controlstream succesfull registered with id 21 

2019/05/29 18:39:35.176 12160  2228 D1   Received cache version 2 from [1234567891,811586809]  

2019/05/29 18:39:35.236 12160 12808 D1   Caching activated, partners version is 2, own version is 2 

2019/05/29 18:39:35.373 12160 11928 D1   Max cache size: 93.87 MB for stream 16  

2019/05/29 18:39:36.539  3884  4852 S0   UdpOutputTracker(): max 0 effectiveSent 206424 RTT 1656588 

2019/05/29 18:39:36.920  7212  7216 H64  explorer.exe: ResumeAllThreads: resu med 74 threads, max count 74  2019/05/29 18:39:36.920  7212  7216 H64  explorer.exe: DragInterceptor: interception successful (new interface)  2019/05/29 18:39:47.036 12160  9416 D 1   DisplayQuality m=0, bpp=8, q=60, echo=31, conRating=0, cpu=16848, capacity=0, RTT=32934, reliability=2, disable animation=1 remove wallpaper=1 

2019/05/29 18:39:51.655  4396  7 832 G1   RA: quality suggestion by capacity measurement: (40564) 

2019/05/29 18:39:51.655  4396  7832 G1   RA: Audio quality set to 120000 

2019/05/29 18:39:51.655  4396  1656 G1    RA: Stopping capturing thread 

2019/05/29 18:39:51.655  4396  1656 G1   RA: LoopbackCapture with 1247 discon events within 16469 ms 

2019/05/29 18:39:51.655  4396  7640 G1   RA: R emoteAudioSender stopped 

2019/05/29 18:39:51.655  4396  7832 G1   RA: LoopBackCapture stopped 

2019/05/29 18:39:51.658  4396  7832 G1   RA: RemoteAudioSender stopping… 

2019/05/29 18:39:51.658  4396  7832 G1   RA: Control stream will get created 

2019/05/29 18:39:51.658  3884  4848 S0   ReadStreamParameters(): streamID=22 type=12 (StreamType_RemoteAudioControl), source=[12345678910,123456789], features=1, compression=2 

2019/05/29 18:39:51.658  3884  4856 S0!  StreamManagerOutgoing::RemoveStream: Could not find stream 21  2019/05/29 18:39:51.658  4396  7832 G1   RA: Controlstream succesfull registered with id 22 

2019/05/29 18:40:00.906  3884  4864 S0!  UdpConnection[349]: UDP statistics: prp=112 scf=14 nb=91   

About Athena Forensics

For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on enquiries@athenaforensics.co.uk, further details are available on our contact us page.

Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.

Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.

Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.

Athena Forensics do not disclose personal information to other companies or suppliers.

https://athenaforensics.co.uk

https://athenaforensics.co.uk/service/mobile-phone-forensic-experts/

https://athenaforensics.co.uk/service/computer-forensic-experts/

We offer a free initial consultation that can greatly assist in the early stages of an investigation. To discuss your specific requirements please call us on 0330 123 4448, email: enquiries@athenaforensics.co.uk or click on the link below.

Contact Us