AnyDesk

Appsv1.5

Author: Andrew Rathbun, Scott Hanson, and Nicole Jao

description

AnyDesk

paths

11 paths

CommunicationsAnyDesk Logs - User Profile - *.trace

C:\Users\%user%\AppData\Roaming\AnyDesk\*.trace

Collects the trace logs for AnyDesk from a user profile

CommunicationsAnyDesk Logs - ProgramData - *.trace

C:\ProgramData\AnyDesk\*.trace

Collects the trace logs for AnyDesk from ProgramData

CommunicationsAnyDesk Logs - User Profile - *.conf

C:\Users\%user%\AppData\Roaming\AnyDesk\*.conf

Collects the conf logs for AnyDesk from a user profile

CommunicationsAnyDesk Logs - ProgramData - *.conf

C:\ProgramData\AnyDesk\*.conf

Collects the conf logs for AnyDesk from ProgramData

CommunicationsAnyDesk Videos

C:\Users\%user%\Videos\AnyDesk\*.anydesk

Collects any session recordings made by the user while using AnyDesk

CommunicationsAnyDesk Logs - User Profile - connection_trace.txt

C:\Users\%user%\AppData\Roaming\AnyDesk\connection_trace.txt

Collects the connection trace log from user profile

CommunicationsAnyDesk Logs - ProgramData - connection_trace.txt

C:\ProgramData\AnyDesk\connection_trace.txt

Collects the connection trace log from ProgramData

CommunicationsAnyDesk Logs - System User Account

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\

Collects the logs associated with the System user account

CommunicationsAnyDesk Chat Logs - User Profile

C:\Users\%user%\AppData\Roaming\AnyDesk\chat*.txt

Collects chat logs associated with the user profile

CommunicationsAnyDesk File Transfer Logs - Running in portable mode

C:\Users\%user%\AppData\Roaming\AnyDeskfile_transfer_trace.txt

Collects file transfer logs that occur when running in portable mode

CommunicationsAnyDesk File Transfer Logs - Installed as a Service

C:\ProgramData\AnyDesk\file_transfer_trace.txt

Collects file transfer logs that occur when running as an installed service

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: AnyDesk
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. AnyDesk Logs - User Profile - *.trace
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\AnyDesk\"
Collect-Artifact -SourcePath "$UserPath\*.trace" -FolderName "AnyDesk_Logs___User_Profile_____trace"

# 2. AnyDesk Logs - ProgramData - *.trace
Collect-Artifact -SourcePath "C:\ProgramData\AnyDesk\\*.trace" -FolderName "AnyDesk_Logs___ProgramData_____trace"

# 3. AnyDesk Logs - User Profile - *.conf
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\AnyDesk\"
Collect-Artifact -SourcePath "$UserPath\*.conf" -FolderName "AnyDesk_Logs___User_Profile_____conf"

# 4. AnyDesk Logs - ProgramData - *.conf
Collect-Artifact -SourcePath "C:\ProgramData\AnyDesk\\*.conf" -FolderName "AnyDesk_Logs___ProgramData_____conf"

# 5. AnyDesk Videos
$UserPath = Join-Path $env:USERPROFILE "Videos\AnyDesk\"
Collect-Artifact -SourcePath "$UserPath\*.anydesk" -FolderName "AnyDesk_Videos"

# 6. AnyDesk Logs - User Profile - connection_trace.txt
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\AnyDesk\"
Collect-Artifact -SourcePath "$UserPath\connection_trace.txt" -FolderName "AnyDesk_Logs___User_Profile___connection_trace_txt"

# 7. AnyDesk Logs - ProgramData - connection_trace.txt
Collect-Artifact -SourcePath "C:\ProgramData\AnyDesk\\connection_trace.txt" -FolderName "AnyDesk_Logs___ProgramData___connection_trace_txt"

# 8. AnyDesk Logs - System User Account
Collect-Artifact -SourcePath "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\\*" -FolderName "AnyDesk_Logs___System_User_Account"

# 9. AnyDesk Chat Logs - User Profile
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\AnyDesk\chat"
Collect-Artifact -SourcePath "$UserPath\*.txt" -FolderName "AnyDesk_Chat_Logs___User_Profile"

# 10. AnyDesk File Transfer Logs - Running in portable mode
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\AnyDesk"
Collect-Artifact -SourcePath "$UserPath\file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs___Running_in_portable_mode"

# 11. AnyDesk File Transfer Logs - Installed as a Service
Collect-Artifact -SourcePath "C:\ProgramData\AnyDesk\\file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs___Installed_as_a_Service"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1