Forensic Analysis of AnyDesk Logs
Most threat actors during ransomware incidents utilise some type of remote access tools - one of them being AnyDesk. This is a free remote access tool that threat actors download onto hosts to access them easily and also for bidirectional file transfer.
There are two locations for where AnyDesk logs are stored on the Windows file system:
Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log:
- Remote IP where the actor connected from
- File transfer activity
Inside the "ad.trace" log you can grep for the following term "External address" and this should reveal the following line pasted below. I have redacted the IP for privacy's sake:
Similarly, inside the "ad.trace" logs under each users' %appdata% folder you should be grepping for the terms "files" and "app.prepare_task". This will reveal to you, from which folder the files are being copied from and also the number of files copied. In the screenshot below, 1 file was copied from the host to the remote host and it shows you the directory it was taken from: