Digital Forensic Artifact of Anydesk Application

Uploaded by Kzay Jones

SOP on Collecting Artifacts from Anydesk

Digital Forensic Artifact of Anydesk Application

In this case we connect from laptop A to laptop B using AnyDesk and see what evidence we can recover.
Log of AnyDesk
There are 4 logs in AnyDesk:
1. Connection log
2. ad.trace log
3. ad_svc.trace log (installed version only)
4. Chat log
As explained before, AnyDesk comes in 2 versions, installed and portable, and these 2 versions store their configuration and logs in different paths.
Path of the logs, installed version:
C:\ProgramData\Anydesk

Path of the logs, portable version:
C:\Users\[user profile]\AppData\Roaming\AnyDesk

- Connection_trace Log
The first file to check is connection_trace.txt. In this file we can see the history of incoming connections to our AnyDesk, but the information is limited to date/time, status, alias and AnyDesk ID.

- ad.trace Log
In the ad.trace log we can check the history of connection events, error events and system notifications that happened in our AnyDesk. This log can be opened with Notepad or any other text editor.

We can search the ad.trace log for incoming and outgoing connection events, as shown in the information below, but the information is limited to the AnyDesk ID and user (desktop).

- ad_svc.trace Log

ad_svc.trace is like ad.trace: it contains connection events, error events and system notifications, but for connection events it stores more informative data, such as the IP addresses of incoming or outgoing connections, the AnyDesk ID, the relay server we connect to, etc. Remember, this log only exists if AnyDesk is installed; the portable version comes with ad.trace only.
We can search the ad_svc.trace log for incoming and outgoing connection events, as shown in the information below.
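A small triage script for the connection_trace.txt and ad_svc.trace artifacts described above. This is an added example, not part of the original SOP; it assumes connection_trace.txt is tab-separated (direction, "date, time", status, alias, ID), which you should confirm on a real file, and the sample log content it embeds is constructed.

```python
"""Triage helper for the AnyDesk logs described in this SOP. Assumes
connection_trace.txt is tab-separated: direction, "date, time", status,
alias, ID (assumption: confirm on a real file). Sample data is constructed."""
import os
import re
from dataclasses import dataclass

# Log locations given in the SOP (installed vs portable version).
INSTALLED_LOG_DIR = r"C:\ProgramData\AnyDesk"
PORTABLE_LOG_DIR = os.path.join(os.path.expandvars("%APPDATA%"), "AnyDesk")
ARTIFACTS = ("connection_trace.txt", "ad.trace", "ad_svc.trace", "chat")

@dataclass
class ConnectionRecord:
    direction: str   # Incoming / Outgoing
    timestamp: str   # as written by AnyDesk, e.g. "2023-01-10, 09:12:44"
    status: str      # how the request ended (assumed values: User, REJECTED, ...)
    alias: str
    anydesk_id: str

def parse_connection_trace(text: str) -> list[ConnectionRecord]:
    """Parse connection_trace.txt; lines without five fields are skipped
    (worth noting in the report: they may be edited or truncated entries)."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) == 5 and all(fields):
            records.append(ConnectionRecord(*fields))
    return records

# IPv4:port pairs; only ad_svc.trace (installed version) carries peer and relay addresses.
IPV4_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")

def extract_addresses(trace_text: str) -> list[tuple[str, str]]:
    """Return each distinct (ip, port) seen in a trace file, in first-seen order."""
    return list(dict.fromkeys(IPV4_PORT.findall(trace_text)))

# Constructed sample input (not real logs): laptop A connecting to laptop B.
SAMPLE_CONNECTION_TRACE = (
    "Incoming\t2023-01-10, 09:12:44\tUser\tlaptop-a\t123456789\n"
    "Incoming\t2023-01-10, 09:20:03\tREJECTED\t987654321\t987654321\n"
    "partial line left after editing\n"
)
SAMPLE_SVC_TRACE = (
    "info 2023-01-10 09:12:44.101 anynet.any_socket - Logged in from "
    "198.51.100.23:49152 on relay relay-example.net.anydesk.com\n"
)
```

Addresses pulled from ad_svc.trace include both the remote peer and the relay, so correlate them with the relay names in the same lines before reporting a source IP.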

Chat Log
The chat log of AnyDesk is stored in the AnyDesk portable path, in the chat folder.

The log file is named after the ID that connected to the desktop and has the txt format. In this log we can see the whole conversation history from the earlier active session.

- Other Evidence
Sometimes the logs from AnyDesk are altered by the threat actor. If this happens we can restore them with recovery tools such as EaseUS, R-Recovery, etc. When we cannot restore them, the only thing we can do is look for other evidence.
We can see the IP addresses of incoming connections to AnyDesk from a network packet capture.
Why packet capture? We could look at the traffic log from the firewall or IPS, but the only source IP we get there for an incoming connection is the IP of the AnyDesk relay server. The original IP of the incoming connection is not captured by the firewall.
With a packet capture we can see the original IP of the incoming AnyDesk connection.
By default AnyDesk uses port 80, 442 or 6568, but when it accepts a connection request it listens on port 7070. So in a packet capture application such as Wireshark or Moloch we can filter for all connections that use port 7070.

The other additional evidence we can check is at the OS level. We can check program execution artifacts to see how often AnyDesk was executed and when it was executed by the user; the execution artifacts can be obtained from analysis of UserAssist and Prefetch. You can also check the installed-program artifacts from the OS. If you are not familiar with these, you can check this video to learn about Windows forensics.
