Perform Teamviewer Forensics – How To?

Olivia Dehaviland | July 22nd, 2015 | Updates

While trailing upon the different applications installed on the defendant’s machine, forensic investigators may come across various communicators or social networking apps. One among them is Teamviewer that is used for providing remote access to a desktop in situation when it is not possible for the user to access the machine physically. A detailed research into the functionalities of Teamviewer can provide appropriate clues to the investigators for seizing culpable evidence to produce in the court of law. Therefore, if you are interested to know about the storage location of Teamviewer artifacts then this content will definitely guide you through the process.

Why Do We Require Teamviewer Forensics?

As we know that, remote viewing or accessing of computers is helpful but there is always a chance of culprits getting access of physical devices (machines) inappropriately. The miscreants can access the system of other individuals in an unauthorized or illegal manner. This will lead to stealing of crucial information related to the business activities of an organization. Therefore, a proper understanding of the Teamviewer software is required to extract logical evidence from the data that is left behind in the system. Following this data, forensic examiners can make out whether the defendant has actually accessed the system or not. Let us know about the software in details.

In-Depth Research of Data – Teamviewer Log Forensics

As the functionality of Teamviewer mainly focuses around a remote desktop program, it also contributes to some of the potential hazards. This happens when a user gains a full control access over the remote system and if the suspect has unlawfully gained access to the victim’s machine then they can delete crucial files as well as steal important information. In such cases, log files of Teamviewer can be extremely helpful. Teamviewer saves all the connection related data on the log file which can be located on the Teamviewer folder installed on the system. The path location for the log file is given below.

teamviewer forensics


This log file constantly grows in size as the data keeps on adding. Every line indicated in the log file of Teamviewer (excluding line breaks and headers) start with a timestamp indicating the data and time. The format for the date is as follows

teamviewer log forensics

In addition, the format for the time is HH:MM: SS.SSS. The timestamp that Teamviewer log file uses to store information is present in 24-hour system.

teamviewer forensic artifacts


What Can You Infer From The ‘Start Session’?

The Start Session indicates the beginning of a new session with the Teamviewer application. Here, forensics investigators can track the details about the machine that the system is connecting. Further, useful information that can prove the suspect guilty of crime can be extracted from the log file. This includes the exact date and time at which the session begins, the Operating System that was used to interface with the TeamViewer. Potential evidence artifacts such as IP address and the location of Teamviewer can be very helpful in getting culpable evidence.

Once the IP address is tracked, you can also track the IP address of the system that it is connecting with and make out the nature of criminal activities.

Getting Clues from Task Manager – Team Viewer Forensics

Apart from the log files, investigators can seize evidence from the Task Manager. The movement of mouse and the clicks can be captured from the Task Manager of the victim’s system. As the Task Manager shows the details of any process or application running on the machine, so if a victim’s machine is accessed by any outside person then one can get the evidence from the Task Manager.

Recording Session Can Be a Helpful Feature

The in-built session recorder on Teamviewer application can be a useful source of evidence artifacts during Teamviewer log forensics. If the victim’s system allows recording or capturing the session caused by the culprit then there is every chance that we can trace the activities of the miscreant and prove them guilty in the acquisition of intellectual theft.


The above content presents an idea regarding the forensics artifacts examination of Teamviewer. This can be beneficial in case the accused has accessed the victim’s system for stealing important company related information. Forensic examiners can follow this content to get a precise information on how to approach their investigation when it comes to examination of Teamviewer.