Remote Access Applications: Signs of Trespassing
Why this is important:
Software that allows remote access to computers keeps logs that record which remote computers connected to the machine, when they connected, and sometimes what they did during the session. This can be critical in identifying those with malicious intent.
What it is:
Remote access applications allow an individual to connect to a computer without being physically located at that computer. This is useful both for the individual looking to connect to their home network on the go and for corporations looking to allow workers to access systems from afar. Common examples of remote access applications include TeamViewer, Splashtop, GoToMyPC, and LogMeIn. In 2015 TeamViewer had over 200 million users and 1 billion devices set up for remote connection. Remote access applications are still becoming increasingly popular as more people work remotely.
Types of setups:
These applications allow the user to set up remote access with a variety of different authentication methods. As a few examples, the user can choose a static password, a dynamic password, or simply the remote access application's user account.
Static Password: A remote computer is accessible through a password that does not change. This allows an individual to access a computer without any input from a person at the remote computer. Typically, this is the style of connection utilized by individuals.
Dynamic Password: A remote computer is accessible through a password that changes on every connection. This option requires that a user be present at the remote computer; a typical example is an IT professional connecting to a client's computer via a generated code.
User Account: A remote computer is accessible by logging into the remote access application itself. Like a static password, this option is hands-free, and it also allows the user to set up extra security measures such as 2FA if the application supports it.
This information can be useful in a case in a myriad of ways. For example, just because someone was not physically located at a computer or device does not mean that they did not access it. If the affected system had remote access capabilities, the user could potentially have been anywhere. As such, unsecured remote access connections can lead to unauthorized access to a device and, consequently, stolen information. This is further exacerbated by the fact that a knowledgeable individual can set up a system with remote access that requires no prompt on the target end, commonly known as a backdoor.
To this end, there is a lot of information a digital forensic examiner can gather from these applications to shed light on what exactly happened on that system. An experienced examiner can retrieve information such as date, time, IP address, username, connection type, and file transfer details. The examiner can then use this information to help determine which remote computer connected to the computer, when it connected, and whether files were transferred to or from the target computer.
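As an added illustration of the kind of reconstruction described above (this is example code written for this page, not part of the original article and not the parser of any real product), the following Python script reads a small remote-access log, pairs each session start with its end and file-transfer events, and produces a timeline plus a list of reasons an examiner might prioritise a session for review. The log layout, field names, timestamps, remote IDs, IP addresses and file paths are all constructed for the example; they do not reproduce the actual log formats of TeamViewer, Splashtop, GoToMyPC or LogMeIn, so an examiner would adapt the field parsing to the product actually in use.

```python
"""Added example: rebuild a connection timeline from a constructed
remote-access log. The format is hypothetical, not any vendor's real one."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log: one event per line, tab-separated, key=value fields.
# Session 1 is a daytime support session; session 2 happens at night, uses a
# static password, copies a large file off the host and drops an executable.
SAMPLE_LOG = """\
2024-03-01 08:12:03\tSESSION_START\tremote_id=555123456\tpeer_ip=203.0.113.45\tuser=support-laptop\tauth=dynamic_password
2024-03-01 08:12:40\tFILE_TRANSFER\tremote_id=555123456\tdirection=outbound\tpath=C:\\Users\\Public\\report.xlsx\tbytes=48213
2024-03-01 08:30:17\tSESSION_END\tremote_id=555123456
2024-03-02 02:41:55\tSESSION_START\tremote_id=987654321\tpeer_ip=198.51.100.7\tuser=unknown\tauth=static_password
2024-03-02 02:42:10\tFILE_TRANSFER\tremote_id=987654321\tdirection=outbound\tpath=C:\\Finance\\payroll.csv\tbytes=1203391
2024-03-02 02:43:02\tFILE_TRANSFER\tremote_id=987654321\tdirection=inbound\tpath=C:\\Windows\\Temp\\svc.exe\tbytes=221184
2024-03-02 02:45:30\tSESSION_END\tremote_id=987654321
garbage line that should be skipped
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Transfer:
    when: datetime
    direction: str  # "inbound" = onto the examined host, "outbound" = off it
    path: str
    size: int


@dataclass
class Session:
    remote_id: str
    peer_ip: str
    user: str
    auth: str
    start: datetime
    end: Optional[datetime] = None
    transfers: List[Transfer] = field(default_factory=list)

    def duration_seconds(self) -> Optional[int]:
        """None while the session has no matching SESSION_END."""
        if self.end is None:
            return None
        return int((self.end - self.start).total_seconds())

    def bytes_out(self) -> int:
        return sum(t.size for t in self.transfers if t.direction == "outbound")


def _parse_fields(parts: List[str]) -> Dict[str, str]:
    """Turn ['a=1', 'b=2'] into {'a': '1', 'b': '2'}; ignore malformed parts."""
    fields: Dict[str, str] = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_log(text: str) -> List[Session]:
    """Pair SESSION_START/END events by remote_id and attach transfers."""
    sessions: List[Session] = []
    open_sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # not in the expected shape; skip rather than abort
        try:
            when = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            continue
        event, fields = parts[1], _parse_fields(parts[2:])
        rid = fields.get("remote_id")
        if rid is None:
            continue
        if event == "SESSION_START":
            session = Session(rid, fields.get("peer_ip", "?"), fields.get("user", "?"),
                              fields.get("auth", "?"), when)
            open_sessions[rid] = session
            sessions.append(session)
        elif event == "FILE_TRANSFER" and rid in open_sessions:
            open_sessions[rid].transfers.append(Transfer(
                when, fields.get("direction", "?"), fields.get("path", "?"),
                int(fields.get("bytes", "0"))))
        elif event == "SESSION_END" and rid in open_sessions:
            open_sessions.pop(rid).end = when
    return sessions


def review_flags(session: Session, business_hours=(7, 19)) -> List[str]:
    """Reasons an examiner might look at this session first (heuristics only)."""
    reasons: List[str] = []
    if not business_hours[0] <= session.start.hour < business_hours[1]:
        reasons.append("started outside business hours")
    if session.bytes_out() > 0:
        reasons.append(f"{session.bytes_out()} bytes transferred off the host")
    if any(t.direction == "inbound" and t.path.lower().endswith(".exe")
           for t in session.transfers):
        reasons.append("executable copied onto the host")
    if session.auth == "static_password":
        reasons.append("unattended (static password) access")
    return reasons


def timeline(sessions: List[Session]) -> List[str]:
    """One human-readable line per session: who, from where, when, how long."""
    lines = []
    for s in sessions:
        end = s.end.strftime(TS_FORMAT) if s.end else "still open"
        lines.append(f"{s.start.strftime(TS_FORMAT)} -> {end}  id={s.remote_id} "
                     f"ip={s.peer_ip} user={s.user} auth={s.auth} "
                     f"transfers={len(s.transfers)}")
    return lines


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for line in timeline(parsed):
        print(line)
    for s in parsed:
        print(f"  {s.remote_id}: {', '.join(review_flags(s)) or 'nothing notable'}")
```

The parser is deliberately tolerant: lines that do not fit the expected shape are skipped instead of stopping the run, because real logs are often truncated or interleaved, and a session without a matching end is kept with `end=None` so it still appears on the timeline. The flags in `review_flags` are triage hints that map directly onto the fields the text lists (time, connection type, file transfer details); they decide what to look at first, not whether access was unauthorised.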