Beyond Connection Logs: Understanding File Transfer Artifacts in AnyDesk Forensics

Raj Upadhyay
3 min read · Nov 8, 2024


AnyDesk Version: 8.1.0.0
Scenario: Analyzing artifacts of the standalone version of AnyDesk (not the installed version)
Logfile Location: C:\Users\<USER>\AppData\Roaming\AnyDesk

Artifacts of Interest:

  1. connection_trace.txt
  2. ad.trace
  3. user.conf
  4. Special Focus: file_transfer_trace.txt

file_transfer_trace.txt is located at the following path:

C:\Users\<USER>\AppData\Roaming\AnyDesk

In the realm of AnyDesk forensics, most investigators tend to focus on the connection_trace and ad.trace files.

However, I recently discovered an additional file that holds valuable forensic insights: the file_transfer_trace.txt.

Here, I’ll walk through my analysis of this file and its implications in forensic investigations.

Scenario Details

Source Machine: AnyDesk ID: 1495608085 (labeled as “IR4N6”)
Destination Machine: AnyDesk ID: 1469150683 (labeled as “superadmin”)

Timeline of Events (in IST):

  • 08-Nov-2024 12:27: Connection request initiated from Source 1495608085 to Destination 1469150683.
  • 08-Nov-2024 12:30: abc.txt file copied from Destination (superadmin) to Source (IR4N6).
  • 08-Nov-2024 12:31: xyz.txt file copied from Source (IR4N6) to Destination (superadmin).
  • 08-Nov-2024 12:33: data.txt file downloaded from Destination (superadmin) to Source (IR4N6).
  • 08-Nov-2024 12:35: Password-protected login attempt from Source 1495608085 to Destination 1469150683.

The next step is to review the source machine’s artifacts, starting with the file_transfer_trace.txt file.

Understanding the file_transfer_trace.txt Structure

Based on the data in file_transfer_trace.txt, here is a breakdown of each column:

  • Transfer Mode — Specifies whether the file was transferred via “Clipboard” or “File Manager.”
  • Date and Time (UTC+0) — Timestamp in UTC, not local time; the timeline above is in IST (UTC+5:30), so 12:30 IST appears as 07:00 in the log.
  • Status — Either start or finish, indicating the initiation and completion of the transfer.
  • Direction — Indicates if the file was downloaded from or uploaded to the destination.
  • File Details — Displays the filename and its size.

Event Analysis

Event 1: abc.txt Transfer

  • Forensic Observation: The file_transfer_trace.txt log shows:
Clipboard  2024-11-08, 07:00 start  download 'abc.txt' (~0 B out of 3 B)
Clipboard 2024-11-08, 07:00 finish download 'abc.txt' (~3 B out of 3 B)

— Timestamp: 2024-11-08, 07:00
— Mode: Clipboard
— Direction: Download
— Filename: 'abc.txt'

This confirms that the abc.txt file was downloaded from the destination machine using the clipboard.

Event 2: xyz.txt Transfer

  • Forensic Observation: The log captures:
Clipboard  2024-11-08, 07:01 start  upload   'xyz.txt' (~0 B out of 3 B)
Clipboard 2024-11-08, 07:01 finish upload 'xyz.txt' (~3 B out of 3 B)

— Timestamp: 2024-11-08, 07:01
— Mode: Clipboard
— Direction: Upload
— Filename: 'xyz.txt'

This indicates that xyz.txt was uploaded from the source machine to the destination using the clipboard.

Event 3: data.txt Transfer

  • Forensic Observation: The log entry shows:
File Manager 2024-11-08, 07:03 start  download 'data.txt' (~0 B out of 16 B)
File Manager 2024-11-08, 07:03 finish download 'data.txt' (~16 B out of 16 B)

— Timestamp: 2024-11-08, 07:03
— Mode: File Manager
— Direction: Download
— Filename: 'data.txt'

This entry shows that data.txt was downloaded from the destination using the File Manager.
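As an added example (not code from the post or from AnyDesk), the following Python parses rows of the format described above into paired start/finish transfer records and converts the UTC+0 timestamps to IST so they line up with the timeline. The sample input is the six rows quoted above plus one constructed start-only row; the start/finish pairing rule and the IST offset of UTC+5:30 are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# One file_transfer_trace.txt row, per the column layout described in this post: mode,
# "YYYY-MM-DD, HH:MM" (UTC+0), start|finish, download|upload, quoted filename, sizes.
LINE_RE = re.compile(
    r"^(?P<mode>Clipboard|File Manager)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}),\s*(?P<time>\d{2}:\d{2})\s+"
    r"(?P<status>start|finish)\s+(?P<direction>download|upload)\s+"
    r"'(?P<name>[^']*)'\s+\(~(?P<done>.+?)\s+out of\s+(?P<total>.+?)\)$"
)
IST = timezone(timedelta(hours=5, minutes=30))  # zone used by the post's timeline (assumed UTC+5:30)

def parse_line(line):
    """Parse one trace row into a dict; return None for rows that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    utc = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
    return {"mode": m["mode"], "utc": utc.replace(tzinfo=timezone.utc),
            "status": m["status"], "direction": m["direction"],
            "name": m["name"], "done": m["done"], "total": m["total"]}

def build_transfers(lines, local_tz=IST):
    """Pair start/finish rows per (mode, direction, filename) into transfer records."""
    # complete stays False until a finish row reports the full size: a start-only row is an attempted copy.
    transfers, pending = [], {}
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["mode"], rec["direction"], rec["name"])
        if rec["status"] == "start":
            pending[key] = {"mode": rec["mode"], "direction": rec["direction"],
                            "name": rec["name"], "total": rec["total"],
                            "start_utc": rec["utc"], "finish_utc": None, "complete": False,
                            "start_local": rec["utc"].astimezone(local_tz)}
            transfers.append(pending[key])
        elif key in pending:
            t = pending.pop(key)
            t["finish_utc"], t["complete"] = rec["utc"], rec["done"] == rec["total"]
    return transfers

# The six rows quoted in this post, plus one constructed start-only row (notes.txt).
SAMPLE_LOG = """\
Clipboard  2024-11-08, 07:00 start  download 'abc.txt' (~0 B out of 3 B)
Clipboard 2024-11-08, 07:00 finish download 'abc.txt' (~3 B out of 3 B)
Clipboard  2024-11-08, 07:01 start  upload   'xyz.txt' (~0 B out of 3 B)
Clipboard 2024-11-08, 07:01 finish upload 'xyz.txt' (~3 B out of 3 B)
File Manager 2024-11-08, 07:03 start  download 'data.txt' (~0 B out of 16 B)
File Manager 2024-11-08, 07:03 finish download 'data.txt' (~16 B out of 16 B)
File Manager 2024-11-08, 07:04 start  upload 'notes.txt' (~0 B out of 20 B)
""".splitlines()
```

Running build_transfers(SAMPLE_LOG) yields the three completed transfers at 12:30, 12:31 and 12:33 IST, matching the timeline, and flags the constructed notes.txt row as incomplete because no finish row exists for it.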

Timeline of Events

With the addition of various sources, I have created a detailed timeline that provides deeper insights into the file transfer activities and connections made during the AnyDesk forensic analysis. This timeline highlights key events, including connection requests, file transfers, and preparation actions across both source and destination machines.

Conclusion

The file_transfer_trace.txt provides crucial details about file transfers, which are valuable in AnyDesk forensic investigations. This artifact enables investigators to verify whether a file was uploaded or downloaded, its mode of transfer (Clipboard or File Manager), and the file size. The timestamps also provide a precise timeline, which can be cross-referenced with other logs for a comprehensive forensic analysis.

