Remote Desktop Software as a Forensic Resource
Authors
Jonathan Manson
Abstract
Remote Desktop Software (RDS) enables control of a computer system without the need for physical access. Operations are sent to the remote machine and executed as if performed by a local user. With an unprecedented shift to remote working due to the COVID-19 pandemic, more people are working on home devices without enterprise IT support and are therefore reliant upon this software to collaborate and keep their systems available and secure. RDS complicates a forensic investigation, as any person with remote access privileges, or with knowledge of how to bypass them, could be responsible for an action. Despite its importance and prevalence, forensic research into RDS is minimal. As a market-leading solution for Windows, TeamViewer is an impactful starting point to demonstrate that such software is forensically valuable to explore. This paper shows that, with suitable evidence, an investigator can identify which machines have performed remote control or been controlled, have transferred files, and have been remotely rebooted, among other events. We also highlight a potential privacy concern due to inadequate uninstallation processes. To illustrate the value of our findings, we publish a Python module for Autopsy that automatically locates, processes and visualises key TeamViewer artefacts for an investigator.
Citation
Manson, J. (2022). Remote Desktop Software as a Forensic Resource. Journal of Cyber Security Technology, 6(1-2), 1-26. https://doi.org/10.1080/23742917.2022.2049560
Journal Article Type | Article |
---|---|
Acceptance Date | Mar 1, 2022 |
Online Publication Date | Mar 14, 2022 |
Publication Date | 2022 |
Deposit Date | Mar 14, 2022 |
Publicly Available Date | Mar 14, 2022 |
Print ISSN | 2374-2917 |
Publisher | Taylor and Francis |
Peer Reviewed | Peer Reviewed |
Volume | 6 |
Issue | 1-2 |
Pages | 1-26 |
DOI | https://doi.org/10.1080/23742917.2022.2049560 |
Keywords | Forensics, TeamViewer, remote desktop, RDP, windows |
Public URL | http://researchrepository.napier.ac.uk/Output/2851259 |
Files
Remote Desktop Software As A Forensic Resource (PDF, 1.2 Mb)
Publisher Licence URL
http://creativecommons.org/licenses/by-nc-nd/4.0/