Home » Updates » Perform TeamViewer Forensics – How To?

Perform TeamViewer Forensics – How To?

Published By Ashwani Tiwari
Aswin Vijayan
Approved By Aswin Vijayan
Published On April 14th, 2022
Reading Time 4 Minutes Reading
Category Updates

While trailing upon the different applications installed on the defendant’s machine. The forensic investigators may come across various communicators or social networking apps. One among them is Teamviewer. That is used for providing remote access to a desktop in situation when it is not possible for the user to access the machine physically. A detailed research into the functionalities of Teamviewer. Which provides appropriate clues to the investigators for seizing culpable evidence to produce in the court of law. Therefore, if user wants to know about the storage location of Teamviewer artifacts then this content will definitely guide you through the process.

Why Do We Require Teamviewer Forensics?

As we know, remote viewing or accessing computers is helpful but there is always a chance of culprits getting access to physical devices (machines) inappropriately. The miscreants can access the system of other individuals in an unauthorized or illegal manner. This will lead to the stealing of crucial information related to the business activities of an organization. Therefore, it requires a proper understanding of the Teamviewer software to extract logical evidence from the data that is left behind in the system. Following this data, forensic examiners can make out whether the defendant has actually accessed the system or not. Let us know about the software in detail.

In-Depth Research of Data – TeamViewer Log Forensics

As the functionality of Teamviewer mainly focuses on a remote desktop program. It also contributes to some of the potential hazards. This happens when a user gains full control access over the remote system and if the suspect has unlawfully gained access to the victim’s machine then they can delete crucial files as well as steal important information. In such cases, log files of Teamviewer can be extremely helpful. Teamviewer saves all the connection-related data on the log file which can be located on the Teamviewer folder installed on the system. The path location for the log file is given below.

teamviewer forensics


This log file constantly grows in size as the data keeps on adding. Every line indicated in the log file of Teamviewer (excluding line breaks and headers) starts with a timestamp indicating the date and time. The format for the date is as follows

teamviewer log forensics

In addition, the format for the time is HH:MM: SS.SSS. The timestamp that the Teamviewer log file uses to store information is present in the 24-hour system.

teamviewer forensic artifacts


What Can You Infer From The ‘Start Session’?

The Start Session indicates the beginning of a new session with the Teamviewer application. Here, forensics investigators can track the details of the machine that the system is connecting. Further, useful information that can prove the suspect guilty of a crime can be extracted from the log file. This includes the exact date and time at which the session begins. And the Operating System that was used to interface with the TeamViewer. Potential evidence artefacts such as IP address and the location of Teamviewer can be very helpful in getting culpable evidence.

Once the IP address is tracked, you can also track the IP address of the system that it is connecting with and make out the nature of criminal activities.

Getting Clues from Task Manager – Team Viewer Forensics

Apart from the log files, investigators can seize evidence from the Task Manager. The movement of the mouse and the clicks can be captured from the Task Manager of the victim’s system. As the Task Manager shows the details of any process or application running on the machine, if a victim’s machine is accessed by any outside person then one can get the evidence from the Task Manager.

Recording Session Can Be a Helpful Feature

The in-built session recorder on the Teamviewer application can be a useful source of evidence artefacts during Teamviewer log forensics. If the victim’s system allows recording or capturing the session caused by the culprit then there is every chance that we can trace the activities of the miscreant and prove them guilty of the acquisition of intellectual theft.


The above content presents an idea regarding the forensics artefacts examination of Teamviewer. This can be beneficial in case the accused has accessed the victim’s system for stealing important company-related information. Forensic examiners can follow this content to get precise information on how to approach their investigation when it comes to the examination of Teamviewer.