The TeamViewer Remote Control app for Android keeps pertinent data in the following files and locations:
- Client configuration log filename and location:
- /userdata/data/com.teamviewer.teamviewer.market.mobile/files/client.conf
- Contains username and email account for the logged in TeamViewer user.
- Global configuration log filename and location:
/userdata/data/com.teamviewer.teamviewer.market.mobile/files/global.conf Contains certificate information and client version number. - Connection information log filename and location:
/data/com.teamviewer.teamviewer.market.mobile/files/connection.txt - Contains the remote id number of the device being connected to, the start and end of connection timestamps, the purpose of the connection, the Android's device name and a GUID like number.
- Activity log filename and location:
- /userdata/media/0/Android/data/com.teamviewer.teamviewer.market.mobile/files/TVLog.html
- Text search the term 'participant' within the file to get the partner's device name.
- Text search the term 'creating file' to obtain the names of transferred files.
- Text search the term 'a=' to obtain the connection IP address.
- File transfer default save location:
- /userdata/media/0/Download/transferedfilename.extension
- /storage/emulated/0/Download/transferedfilename.extension
Recently I was catching up on some great digital forensics tutorial episodes at 13cubed, whic are made by @davidrichardg. In one of the videos he was talking about RDP cache data left on Windows systems. (I highly recommend his content and hope you can also become a Patreon supporter here.) His video left me wondering what type of artifacts could be found by the use of RDP and remote control apps in Android systems. Hence the idea of starting a small series on remote control artifacts in Android. I plan to look at both client and hosts apps. To start I decided to look at the TeamViewer remote control app.
 |
| App in the Google Play Store. |
TeamViewer (TV) is a really well know remote control platform that has been around for quite a while. The current Android remote control version in the Google Play Store has over 10 million downloads and they state that over 1 billion devices have had their software installed in order to enable remote connections to them.
For this analysis I used the tools and equipment described here.
First step was to install the app on the target device. A Windows Surface laptop served as the device to be connected to. After logging in to TV in both devices I was able to successfully remote control the laptop from the Android device. I was also able to transfer a text file from the laptop to the Android device.
 |
| Remote control successful. |
After obtaining a physical image of the target device with Magnet Forensics Acquire I reviewed the pertinent TV app folders with Autopsy digital forensics software. The app folder structure is shown in the following image:
 |
| /userdata/data/com.teamviewer.teamviewer.market.mobile/ |
After reviewing the contents of the folders it seemed that most of the pertinent artifacts the app generates are located in plain log and configuration text files. Most of these files were located in the properly named 'files' folder.
 |
| Files folder contents. |
The following is a quick description of the most salient files in the folder.
- Connection.txt
This text file contains the remote id number of the device being connected to, the start and end of connection timestamps, the purpose of the connection, the Android's device name and a GUID like number.
 |
| Love timestamps. |
- Global.conf
This configuration file contains certificate information and client version number.
 |
| Global stuff. |
- Client.conf
Contains username and email account for the logged in teamviewer user.
 |
| Client stuff. |
After transferring a text file from the laptop to the Android device I could not find any artifact within the TV app folder that would clue me in that a transfer had been completed. Within Autopsy I did a text search of the filename of the transferred file. The two most relevant files can be seen in the image below:
 |
| TVlog.html & Transferred file |
The TVlog.html file is really interesting because one can access the contents of it via the app itself under the log section in the app menu. The second file is the transferred file itself. Both files reside in external/emulated storage but in different folders. The TVlog.html has a lot of information. Of the multiple pieces of information the log keeps I decided to focus on the following three:
- Participants
By text searching the file using the word 'participant' one can find the device names involved in the communication. For example:
AddParticipant: [xxxxxxx,x] type=6 name=samsung_SM-G530T_R58H41XF9AH
AddParticipant: [xxxxxxxxx,xxxxxxxx] type=3 name=BRIGNO-SURF
The Xs represent the client ids involved in the communication.
- Creating file
By text searching the file using the phrase 'creating file' one can find the filename and location of transferred files. For example:
creating File: /storage/emulated/0/Download/Tutorail FTK imager.txt - A=
By text searching the phrase 'a=' one can find the connection IP address and port. For example:
a=xxx.xxx.xx.x:9617: (*)
Each line in the TVlog.html file has a corresponding timestamp which I did not show in the previous examples due to formatting issues. Depending on the device in question, the TVlog.html file could reside in an the external SD card.
For upcoming posts I will review the Android TeamViewer host app followed by the Microsoft RDP client for Android.
For any questions or comments I can be reached via twitter here: @alexisbrignoni
