Analysis of TeamViewer log file - what are key events to look for?

db720 Posts: 2 ✭✭
edited July 2021 in General questions

Hi,

A friend of mine reached out to me recently - was the target of a scam, where TeamViewer was installed and credentials provided. They turned off TV pretty soon after remote control was gained, with a minute or 2 window, and I have walked them through sending the log file to me.

I am looking through the log and have identified the time period that had access. I'd like to figure out the extent of what happened - specifically to identify if a backdoor was uploaded, and/or any files were transferred off the target host.

I can see the session being initialized with events like this:

[logs removed per Community Guidelines]

There are a few other events that happen - "AutoStart recording function called" looks like it tries to set up VoIP: AudioControl to access the mic next.

After that, I see:

[logs removed per Community Guidelines]

and then within 5 seconds of that, the PC was turned off.


Is there a reference article somewhere that defines key events in the log file and what they mean? And from anyone with experience in this, any events I should look for?


Lastly, as a free / non-commercial user, should this be reported to the TV team? Not sure if they look at remote IPs or sources / accounts of scammers in any security db....


Thanks in advance all.

Comments