Possible Unauthorized Use - Help with Logs
I have a client who started their computer and the mouse started moving around, files were being deleted, etc. It looked purposeful, not eratic. This client soon after unplugged the Ethernet cable and brought the machine to me.
I found it was running TV 10. I opened up the logs folder and expected to see mutiple logs files including the connections logs. Instaed there are only two log files; TeamViewer10_Logfile and TeamViewer10_Logfile_OLD. There was a log of activity during the time the user thought someone was in their computer. However, I'm not clear how to read these log files. Could someone tell me what to look for to know if a remote connection was made through TV?
I see tons of log entries like this
2017/10/11 10:06:22.048 2036 3152 S0!! HttpQueryInfo(20) size failed with error 12019, Errorcode=12019
2017/10/11 10:06:22.048 2036 3152 S0!! HttpQueryInfoNum(19) failed with error 12019, Errorcode=12019
But during the time in question I see things that worry me. Once I know what I'm looking at, I can post the relevant parts of the log if needed. I tried to call TV support, but they don't seem to have phone support without an active license.
To summarize my two main questions are
- Should I have connections logs as well as the TeamViewer10 logs?
- What do I look for in the logs to verify a remote connection was made, where from, for how long, and any other relevant info?