LetsDefend — TeamViewer Forensics Challenge Walkthrough

Endpoint Forensic Investigation using the TeamViewer Logs and MFTECmd

Drew Arpino
11 min read · Jul 21, 2024
Image Credit: https://app.letsdefend.io/challenge/teamviewer-forensics

Introduction:

Have you ever read a story in the news about a cyber-attack where the bad guys used remote monitoring and management (RMM) software like TeamViewer and wondered how you would investigate unauthorized access if that happened to you? If this topic sounds interesting to you, you’ve stumbled on the right blog!

Welcome to my weekly walkthrough! This blog is a walkthrough of the Team Viewer Forensics challenge from LetsDefend! Team Viewer Forensics is a medium-difficulty DFIR challenge that has us defenders investigating a victim’s TeamViewer log files and then leveraging Eric Zimmerman’s MFTECmd utility to examine the actions taken by the attacker after they gained initial access to the system. By analyzing the artifacts of the file system, we’re going to determine when and how the attacker accessed the system and what they took — fun stuff!

Now let’s put on our detective hats and have some fun with TeamViewer forensics. Thanks for reading along!

Challenge Link: https://app.letsdefend.io/challenge/teamviewer-forensics

Challenge Scenario:

During a workday, an employee noticed strange unauthorized activity on his computer, with applications opening and the mouse moving. Quickly realizing that someone was remotely accessing his machine via TeamViewer, the employee acted quickly, changing his TeamViewer password and alerting the security team. However, the employee must still clarify how the breach occurred and how far the threat actor has gone. Your challenge is to unravel this mystery and discover how the intruder gained access and what they did.

Question 1 & 2:

What is the intruder’s username?

&

What is the “user ID” associated with the intruder’s username?

Okay, before we jump into the analysis, let’s ensure that our environment is ready and extract the challenge file from the 7z archive. We’ll see that this is the file structure of the primary (C:) drive from the victim’s device.

Since we know that the victim saw some suspicious activity from the remote monitoring and management application, TeamViewer, let’s start off by looking at the log files generated by this app.

We’ll start by doing some research on the vendor’s support site to determine the locations of the logs:

According to TeamViewer, the log files are located in the C:\Program Files\TeamViewer directory. Let’s navigate to the corresponding path in the challenge file: C\Program Files\TeamViewer

The first log we want to review is the basic “Connections_incoming.txt.” Let’s just open this file up in Notepad for analysis.

Awesome! While this is a basic incoming connections log, it contains some valuable information for our investigation — I’ll highlight the relevant columns we’ll need.

  1. The first column is the TeamViewer user ID of the incoming agent connection.
  2. The second column is the username of the incoming connection.
  3. Columns 3–4 are the start & end times of the connected session.

So, with this information, we can answer Question 1 & 2!

Pro Tip: It’s best to copy and paste the username using the LetsDefend Virtual Machine VNC clipboard. If you’re anything like me, you’ll mix up the digit one and the letter L in the username.

Question 1 — Answered
Question 2 — Answered

Question 3: The attacker has joined more than one time. When did the intruder first access the victim’s machine?

The Connections_incoming.txt log file shows us two different connections. Question 3 seems pretty straightforward to confirm, except for one little detail…

Look at the required answer format for this question:

(yyyy-MM-dd HH:mm:ss.SSS)

This log file doesn’t provide enough information to answer this question, does it? All hope is not lost, though. According to TeamViewer, there is a second logfile called “TeamViewerXX_Logfile.log”

Going through the victim’s TeamViewer directory, we’ll stumble on this second log file, “TeamViewer15_Logfile.log” — this log is much more detailed and contains the technical information we’re looking for.

Let’s open it and do a simple search for the attacker’s user ID that we discovered in Question 2 — this will help us locate the accurate first incoming session timestamp down to the millisecond:

There we go! We found an even more accurate connection time than was available in the Connections_incoming log.

But keep in mind that the challenge wants the timestamp for the incoming session line, not the session encryption negotiation where we see the ID number…

Question 4: What is the “session ID” of the intruder’s second access to the computer?

Now, let’s investigate some information about a second time the victim’s device was accessed. Remember, from the Connections_incoming log we have a rough idea of when the second access attempt was — 04:35:03.

This gives us an idea of where in the logs that we need to search, so let’s keep looking through TeamViewer15_Logfile.log to see what we can find.

Scroll down in the logs until we reach the 04:35:03 timestamps. Once there, look for the incoming-connection reference and the sessionID assigned to the new, second session!

Question 5: What was the duration of the second session in seconds.milliseconds?

Now that we have located the sessionID for the second connection in the previous question, we have also found the exact timestamp when the session was established. This gets us halfway to the answer! We’ll just need to find the end of the session to determine how long the attacker was active on the victim’s system.

Again, we have an idea of when the session ended based on what we saw in the Connections_incoming log, but we need to find the session termination event in the TeamViewer15_Logfile.log to get the exact session duration down to the milliseconds.

Going through the logs, we’ll stumble upon a SessionTerminate entry but instead of using the timestamp from this line, let’s go ahead and search for the second session ID, and locate the very last event with this session ID.

This should be the event we are looking for to determine the absolute end time.

The final event for session ID 536169703

Now that we have both the start and end timestamps, it’s time for some math! To recap, the first activity timestamp is 04:35:03.631 and the last activity timestamp is 04:45:11.202.

I’m not a numbers guy, so let’s shift the workload to a date/time calculator to get the results.

We’re so close! The last step is to convert this to the answer format for the question: seconds.milliseconds.

So, we just need to convert 10 minutes, 7 seconds to seconds which equals 607. Now put that together with the milliseconds from the calculator and, voila! We have our answer!
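As an added example (not part of the original walkthrough or of TeamViewer’s tooling), the Python below does the two log steps above in code: it parses the coarse Connections_incoming.txt columns the walkthrough describes, then takes the first and last TeamViewer15_Logfile.log lines mentioning a session ID and returns the duration as seconds.milliseconds. Both log samples are constructed; the tab-separated layout of the remaining Connections_incoming columns and the leading "yyyy/MM/dd HH:mm:ss.SSS" timestamp of the detailed log are assumptions, and the session ID and timestamps are the ones from the walkthrough.

```python
import re
from datetime import datetime

# Constructed sample of Connections_incoming.txt. Columns 1-4 follow the
# walkthrough (TeamViewer ID, display name, start, end); the remaining
# tab-separated columns are assumed, not copied from the challenge file.
CONNECTIONS_INCOMING = """\
123456789\tattacker01\t21-07-2024 04:10:15\t21-07-2024 04:20:40\tmmox\tRemoteControl\t{aaaa}
123456789\tattacker01\t21-07-2024 04:35:03\t21-07-2024 04:45:11\tmmox\tRemoteControl\t{bbbb}
"""

# Constructed sample of TeamViewer15_Logfile.log lines. Only the leading
# timestamp and the presence of the session ID are relied on; the rest of
# each line is a made-up placeholder, not real TeamViewer log text.
DETAILED_LOG = """\
2024/07/21 04:35:03.631  1234  5678 S0   Incoming session: SessionID=536169703
2024/07/21 04:35:04.002  1234  5678 S0   Session 536169703: encryption negotiated
2024/07/21 04:45:10.900  1234  5678 S0   SessionTerminate for session 536169703
2024/07/21 04:45:11.202  1234  5678 S0   Closing session 536169703
"""

def parse_connections_incoming(text):
    """Return (teamviewer_id, username, start, end) per line, in log order."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 4:
            continue
        start = datetime.strptime(cols[2], "%d-%m-%Y %H:%M:%S")
        end = datetime.strptime(cols[3], "%d-%m-%Y %H:%M:%S")
        rows.append((cols[0], cols[1], start, end))
    return rows

TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

def session_duration(log_text, session_id):
    """Seconds.milliseconds between the first and last line naming session_id."""
    stamps = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m and str(session_id) in line:
            stamps.append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"))
    if not stamps:
        return None
    delta = stamps[-1] - stamps[0]
    return f"{delta.seconds}.{delta.microseconds // 1000:03d}"

if __name__ == "__main__":
    print(session_duration(DETAILED_LOG, 536169703))  # 607.571
```

Note that the last line for the session, not the SessionTerminate line, is what closes the interval, which is why the function keeps scanning to the final match.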

Question 6: What is the IP address of the server to which the intruder exfiltrated data?

Okay, now we’ve hit a little dead end — there is no evidence of file exfiltration in the TeamViewer logs. So, we’ll need to pivot and direct our search elsewhere.

Why don’t we start with a review of the PowerShell command history file to see if we can locate any commands the attacker may have run through PowerShell?

To locate the PowerShell command history log, we’ll need to navigate to the following path within the challenge file:

C\Users\mmox\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Very interesting! We’ve stumbled on some evidence of the attacker’s next moves — archive collected data (T1560) from the Confidential folder into a ZIP file (output.zip) and then two different methods of data exfiltration through web requests to the attacker’s server IP address (T1048)!

Now that we’ve uncovered some of the attacker’s infrastructure, let’s start to evaluate the impact of the attacker’s actions.

Question 7: How many files did the intruder exfiltrate?

From the previous question, we learned that the attacker created an archive of a folder labeled “Confidential” but there is no trace of this directory in the challenge file, is there?

So, what can we do to find it? Let’s use the question hint to give us some ideas.

Let’s do some research and learn more about the USN Journal on an NTFS volume. Below is an excerpt from Velociraptor (another DFIR tool) explaining the USN Journal:

By default Windows maintains a journal of filesystem activities in a file called $Extend\$UsnJrnl in a special data stream called $J. This stream contains records of filesystem operations, primarily to allow backup applications visibility into the files that have been changed since the last time a backup was run.

Okay, so if we can access the USN Journal of the victim’s device, we might be able to parse and extract some information about the Confidential directory and the files within it.

To do this, we’ll use Eric Zimmerman’s MFTECmd which is part of the Tools folder already in the LetsDefend analysis machine. After we check out the help options, we’ll learn the below syntax to use this utility. Since we are pointing to the $J (journal) file, we’ll also provide the path to the $MFT so we can resolve the parent path as suggested by the help file.

MFTECmd.exe -f "C:\Users\LetsDefend\Desktop\ChallengeFile\C\$Extend\$J" -m "C:\Users\LetsDefend\Desktop\ChallengeFile\C\$MFT" --csv C:\Users\LetsDefend\Desktop\<name-of-output>.csv

After the utility parses the two files we pointed to and generates the output CSVs, let’s locate the $J_Output.csv. To simplify the analysis, let’s use another of Eric Zimmerman’s installed tools, Timeline Explorer, to open the file.

Since we know from Question 6 that we’re searching for a folder called Confidential, let’s use the search box and type the keyword “Confidential.”

Okay, we located the directory with a parent path of \Users\mmox\Documents. So, now we need to discover the files contained within the folder to determine what data was stolen. To accomplish this, take notice of the “Entry Number” column that has the number 35740 and copy that value.

Next, we want to remove the keyword filter to see all results, scroll over to the column called “Parent Entry Number,” and paste the entry number 35740 into the column. This will filter all entries with the same parent, in this case the “Confidential” folder.

We see several entries with intriguing file names, but there are also several other entries with a different path than these files. So, what we are going to do is add a filter by the parent path column of the “secret” files:

And finally, filter the Update Reasons column for FileCreate events. This will leave us with three files from the Confidential folder and filtered only by file creation events! Whew!

After using MFTECmd to parse the USN Journal ($J) file of the victim’s machine, we have determined that the Confidential folder contained three sensitive files that were archived and exfiltrated to the attacker’s infrastructure.

Question 8: When did the intruder delete the confidential data from the system?

Okay, last question for this investigation. After the attacker collected and exfiltrated the data, they deleted the original files from the victim’s system.

To discover when this event occurred, we’ll make a simple change to the Timeline Explorer filter from Update Reasons > FileCreate to Update Reasons > FileDelete|Close.

This will change our view from when the three confidential files were created to when they were deleted. Now that we have figured out when the files were deleted, we can wrap this investigation!
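The Timeline Explorer filtering from Questions 7 and 8 can be reproduced in code against the $J_Output.csv that MFTECmd writes. The Python below is an added example, not part of the walkthrough or of Eric Zimmerman’s tools: it locates the Confidential directory, applies both the Parent Entry Number and Parent Path filters, and then separates FileCreate from FileDelete records. The CSV is constructed; the column names are assumed to match MFTECmd’s $J output, entry 35740 is the folder from the walkthrough, and the file names and timestamps are made up.

```python
import csv
from io import StringIO

# Constructed stand-in for MFTECmd's $J_Output.csv (column names assumed to
# match MFTECmd; the walkthrough refers to them by their Timeline Explorer
# labels). Entry 35740 is the Confidential folder; names and times are made
# up. The old.tmp row shows why Parent Entry Number alone is not enough:
# MFT entry numbers get reused, so a stale record can share the number.
J_OUTPUT_CSV = """\
Name,EntryNumber,ParentEntryNumber,ParentPath,UpdateTimestamp,UpdateReasons
Confidential,35740,2201,\\Users\\mmox\\Documents,2024-07-21 03:58:00.1000000,FileCreate|Close
secret1.docx,35741,35740,\\Users\\mmox\\Documents\\Confidential,2024-07-21 03:59:10.2000000,FileCreate
secret1.docx,35741,35740,\\Users\\mmox\\Documents\\Confidential,2024-07-21 03:59:10.2500000,DataExtend|FileCreate|Close
secret2.xlsx,35742,35740,\\Users\\mmox\\Documents\\Confidential,2024-07-21 03:59:11.0000000,FileCreate|Close
secret3.pdf,35743,35740,\\Users\\mmox\\Documents\\Confidential,2024-07-21 03:59:12.0000000,FileCreate|Close
old.tmp,35744,35740,\\Users\\mmox\\Downloads,2024-07-20 09:00:00.0000000,FileCreate|Close
secret1.docx,35741,35740,\\Users\\mmox\\Documents\\Confidential,2024-07-21 04:44:50.5000000,FileDelete|Close
secret2.xlsx,35742,35740,\\Users\\mmox\\Documents\\Confidential,2024-07-21 04:44:50.6000000,FileDelete|Close
secret3.pdf,35743,35740,\\Users\\mmox\\Documents\\Confidential,2024-07-21 04:44:50.7000000,FileDelete|Close
"""

def load_journal(text):
    return list(csv.DictReader(StringIO(text)))

def find_directory(rows, name):
    """Entry number and full path of the first record that creates `name`."""
    for r in rows:
        if r["Name"] == name and "FileCreate" in r["UpdateReasons"].split("|"):
            return r["EntryNumber"], r["ParentPath"] + "\\" + name
    return None

def children_with_reason(rows, entry_number, parent_path, reason):
    """Records under the directory whose Update Reasons include `reason`.
    Matching on both parent entry number and parent path mirrors the two
    Timeline Explorer filters applied in the walkthrough."""
    return [(r["Name"], r["UpdateTimestamp"]) for r in rows
            if r["ParentEntryNumber"] == entry_number
            and r["ParentPath"] == parent_path
            and reason in r["UpdateReasons"].split("|")]

def created_and_deleted(text, dirname):
    """Names created in `dirname` and the timestamp at which each was deleted."""
    rows = load_journal(text)
    entry, path = find_directory(rows, dirname)
    created = sorted({n for n, _ in children_with_reason(rows, entry, path, "FileCreate")})
    deleted = dict(children_with_reason(rows, entry, path, "FileDelete"))
    return created, deleted

if __name__ == "__main__":
    print(created_and_deleted(J_OUTPUT_CSV, "Confidential"))
```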

Conclusion:

Mission accomplished! We have finished our analysis of the TeamViewer connection logs, learned when the attacker connected to the victim’s workstation, and discovered what data was stolen. It’s time to close out this walkthrough of the Team Viewer Forensics challenge!

A big thank you to LetsDefend for this awesome challenge — this was a really exciting lab to work through. I chose this challenge because TeamViewer is such a popular remote monitoring and managing tool and it is really valuable for me to get some hands-on experience analyzing the TeamViewer logs to understand what information they contain. The even cooler part about this challenge was the unexpected pivot to using MFTECmd to analyze the USN Journal. Prior to this challenge, I didn’t know that this file existed and also hadn’t used the MFTECmd utility from Eric Zimmerman’s tools — this was a great introduction to both! While I’m sure this was a basic use case for using MFTECmd, I am really interested in learning more about what forensic artifacts can be uncovered within the journal.

If you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week — stay curious.

Tools & References:

TeamViewer Log Locations: https://www.teamviewer.com/en-us/global/support/knowledge-base/teamviewer-classic/contact-support/find-your-log-files/

Eric Zimmerman’s Tools: https://ericzimmerman.github.io/#!index.md

Date Time Calculator: https://datetimecalculator.net/subtract-time-calculator

Microsoft Learn (PSReadline): https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7.4

Velociraptor Blog: The Windows USN Journal :: Velociraptor — Digging deeper!

Wikipedia (USN Journal): https://en.wikipedia.org/wiki/USN_Journal#:~:text=The%20USN%20Journal%20(Update%20Sequence,changes%20made%20to%20the%20volume.
