AnyDesk
Author: Andrew Rathbun, Scott Hanson, and Nicole Jao
description
AnyDesk
paths
collection commands
# PowerShell Artifact Collection Script
# Target: AnyDesk
# Run as Administrator
#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"           # drive (or mounted image letter) to collect from
$DestBase   = "D:\Evidence"  # destination root for the collected artifacts
$Summary    = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*');
    # robocopy itself does not glob the source directory.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # /COPY:DAT keeps data, attributes and timestamps; /R:0 /W:0 avoids hanging on locked files
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes 0-7 are success variants; 8 and above signal failures
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

$ProgramData = "$SourceRoot\ProgramData\AnyDesk"

# 1. AnyDesk Logs - ProgramData - *.trace
Collect-Artifact -SourceDir $ProgramData -FileMask "*.trace" -FolderName "AnyDesk_Logs_ProgramData_trace"
# 2. AnyDesk Logs - ProgramData - *.conf
Collect-Artifact -SourceDir $ProgramData -FileMask "*.conf" -FolderName "AnyDesk_Logs_ProgramData_conf"
# 3. AnyDesk Logs - ProgramData - connection_trace.txt
Collect-Artifact -SourceDir $ProgramData -FileMask "connection_trace.txt" -FolderName "AnyDesk_Logs_ProgramData_connection_trace_txt"
# 4. AnyDesk Logs - System User Account
Collect-Artifact -SourceDir "$SourceRoot\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk" -FolderName "AnyDesk_Logs_System_User_Account"
# 5. AnyDesk File Transfer Logs - Installed as a Service
Collect-Artifact -SourceDir $ProgramData -FileMask "file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs_Installed_as_a_Service"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        $Roaming  = "$($_.FullName)\AppData\Roaming\AnyDesk"

        # AnyDesk Logs - User Profile - *.trace
        Collect-Artifact -SourceDir $Roaming -FileMask "*.trace" -FolderName "AnyDesk_Logs_User_Profile_trace_$UserName"
        # AnyDesk Logs - User Profile - *.conf
        Collect-Artifact -SourceDir $Roaming -FileMask "*.conf" -FolderName "AnyDesk_Logs_User_Profile_conf_$UserName"
        # AnyDesk Videos (session recordings)
        Collect-Artifact -SourceDir "$($_.FullName)\Videos\AnyDesk" -FileMask "*.anydesk" -FolderName "AnyDesk_Videos_$UserName"
        # AnyDesk Logs - User Profile - connection_trace.txt
        Collect-Artifact -SourceDir $Roaming -FileMask "connection_trace.txt" -FolderName "AnyDesk_Logs_User_Profile_connection_trace_txt_$UserName"
        # AnyDesk Chat Logs - User Profile
        Collect-Artifact -SourceDir "$Roaming\chat" -FileMask "*.txt" -FolderName "AnyDesk_Chat_Logs_User_Profile_$UserName"
        # AnyDesk File Transfer Logs - Running in portable mode
        Collect-Artifact -SourceDir $Roaming -FileMask "file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs_Running_in_portable_mode_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
AnyDesk is a remote access tool similar to TeamViewer. A user can download and run AnyDesk without installing it (portable mode), and it still generates the ad.trace log.
Regarding session recordings, it appears that only the person remotely connecting into another computer can record. The person being remoted into must allow the recording via a simple, intuitive setting while the remote session is active.
Session recordings are stored in the .anydesk file format and can only be played back with AnyDesk.
Regarding file transfers, the person remoting into a computer can drop whatever files they choose anywhere on the user's system, so there is no designated folder for files transferred during an AnyDesk remote session.
file_transfer_trace.txt logs each file transfer and whether it finished successfully or was cancelled, including how much data (in MiB, as the log itself reports it) had been transferred when the transfer was cancelled or completed.
When AnyDesk is installed as a service, a file transfer occurs, and AnyDesk is later uninstalled, file_transfer_trace.txt persists even though all the other artifacts listed above are deleted. File transfer times are recorded in UTC.
Example of file_transfer_trace.txt below:
File Manager 2024-11-08, 16:30 start upload 'kibana-8.13.4-windows-x86_64.zip' (~0 B out of 443.99 MiB)
File Manager 2024-11-08, 16:30 cancel upload 'kibana-8.13.4-windows-x86_64.zip' (~222.07 MiB out of 443.99 MiB)
File Manager 2024-11-08, 16:30 start upload 'elasticsearch-8.13.4-windows-x86_64.zip' (~0 B out of 399.78 MiB)
File Manager 2024-11-08, 16:30 start upload 'kibana-8.13.4-windows-x86_64.zip' (~0 B out of 443.99 MiB)
File Manager 2024-11-08, 16:30 finish upload 'elasticsearch-8.13.4-windows-x86_64.zip' (~399.78 MiB out of 399.78 MiB)
File Manager 2024-11-08, 16:30 finish upload 'kibana-8.13.4-windows-x86_64.zip' (~443.99 MiB out of 443.99 MiB)
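A parser for the file_transfer_trace.txt format shown above, added here as an example (it is not part of the original page or of AnyDesk's own tooling). It turns each line into a structured event with a UTC timestamp, as the notes state the times are recorded, converts the "~X out of Y" sizes to bytes, and summarises per file how many attempts were started, cancelled and finished and how much data left the host in cancelled attempts. Two assumptions beyond what the sample shows: the direction field also accepts "download", and the unit table covers KiB/GiB/TiB in addition to the B and MiB seen in the sample.

```python
"""Parse AnyDesk file_transfer_trace.txt lines into structured events.

Example code added alongside the artifact notes; not AnyDesk's own tooling.
Timestamps are treated as UTC, as the notes above state.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: the example lines given in the notes above.
SAMPLE_TRACE = """\
File Manager 2024-11-08, 16:30 start upload 'kibana-8.13.4-windows-x86_64.zip' (~0 B out of 443.99 MiB)
File Manager 2024-11-08, 16:30 cancel upload 'kibana-8.13.4-windows-x86_64.zip' (~222.07 MiB out of 443.99 MiB)
File Manager 2024-11-08, 16:30 start upload 'elasticsearch-8.13.4-windows-x86_64.zip' (~0 B out of 399.78 MiB)
File Manager 2024-11-08, 16:30 start upload 'kibana-8.13.4-windows-x86_64.zip' (~0 B out of 443.99 MiB)
File Manager 2024-11-08, 16:30 finish upload 'elasticsearch-8.13.4-windows-x86_64.zip' (~399.78 MiB out of 399.78 MiB)
File Manager 2024-11-08, 16:30 finish upload 'kibana-8.13.4-windows-x86_64.zip' (~443.99 MiB out of 443.99 MiB)
"""

# The sample only shows B and MiB; the other binary prefixes are an assumption.
UNIT_BYTES = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}

# 'download' as a direction is an assumption; the sample only shows uploads.
LINE_RE = re.compile(
    r"^(?P<component>.+?) (?P<date>\d{4}-\d{2}-\d{2}), (?P<time>\d{2}:\d{2}) "
    r"(?P<action>start|cancel|finish) (?P<direction>upload|download) "
    r"'(?P<name>.*)' \(~(?P<done>[\d.]+) (?P<done_unit>[KMGT]?i?B) "
    r"out of (?P<total>[\d.]+) (?P<total_unit>[KMGT]?i?B)\)$"
)


@dataclass
class TransferEvent:
    when: datetime      # timezone-aware, UTC
    component: str      # e.g. "File Manager"
    action: str         # start | cancel | finish
    direction: str      # upload | download
    name: str           # file name as logged
    done_bytes: int     # bytes transferred at the time of the event
    total_bytes: int    # total size of the file


def to_bytes(value: str, unit: str) -> int:
    """Convert the '~222.07 MiB' style figure to an integer byte count."""
    if unit not in UNIT_BYTES:
        raise ValueError(f"unknown size unit: {unit!r}")
    return round(float(value) * UNIT_BYTES[unit])


def parse_line(line: str) -> Optional[TransferEvent]:
    """Return a TransferEvent for one trace line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
    return TransferEvent(
        when=when.replace(tzinfo=timezone.utc),
        component=m["component"],
        action=m["action"],
        direction=m["direction"],
        name=m["name"],
        done_bytes=to_bytes(m["done"], m["done_unit"]),
        total_bytes=to_bytes(m["total"], m["total_unit"]),
    )


def parse_trace(text: str) -> List[TransferEvent]:
    """Parse a whole file; an unrecognised non-blank line is an error rather than silently skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            raise ValueError(f"line {lineno} does not match the expected format: {line!r}")
        events.append(ev)
    return events


def summarize(events: List[TransferEvent]) -> Dict[str, dict]:
    """Per file: attempts started/cancelled/finished, last action, and bytes moved in cancelled attempts."""
    summary: Dict[str, dict] = {}
    for ev in events:
        s = summary.setdefault(ev.name, {"started": 0, "cancelled": 0, "finished": 0,
                                         "final": None, "partial_bytes": 0})
        s[{"start": "started", "cancel": "cancelled", "finish": "finished"}[ev.action]] += 1
        s["final"] = ev.action
        if ev.action == "cancel":
            s["partial_bytes"] += ev.done_bytes
    return summary


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for ev in evs:
        print(f"{ev.when.isoformat()} {ev.action:6} {ev.direction:8} {ev.name} "
              f"{ev.done_bytes}/{ev.total_bytes} bytes")
    for name, s in summarize(evs).items():
        print(name, s)
```

Feed it the collected file_transfer_trace.txt from ProgramData (service install) or from the user's Roaming profile (portable mode); the per-file summary makes a cancelled-then-retried transfer, such as the kibana archive in the sample, stand out without reading the raw lines.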