dissect.target.plugins.apps.remoteaccess.teamviewer

Module Contents

Classes

TeamViewerPlugin

TeamViewer client plugin.

Functions

parse_start

TeamViewer Start messages can be formatted in different ways

Attributes

RE_LOG
RE_START

dissect.target.plugins.apps.remoteaccess.teamviewer.RE_LOG

dissect.target.plugins.apps.remoteaccess.teamviewer.RE_START

class dissect.target.plugins.apps.remoteaccess.teamviewer.TeamViewerPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.apps.remoteaccess.remoteaccess.RemoteAccessPlugin

TeamViewer client plugin.

References

• https://teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/contact-support/find-your-log-files

• https://www.systoolsgroup.com/forensics/teamviewer/

• https://benleeyr.wordpress.com/2020/05/19/teamviewer-forensics-tested-on-v15/

__namespace__ = 'teamviewer'

Defines the plugin namespace.

SYSTEM_GLOBS = ('sysvol/Program Files/TeamViewer/*.log', 'sysvol/Program Files (x86)/TeamViewer/*.log',...

USER_GLOBS = ('AppData/Roaming/TeamViewer/teamviewer*_logfile.log',...

RemoteAccessLogRecord

logfiles: set[tuple[str, dissect.target.plugins.general.users.UserDetails | None]]

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

logs() → collections.abc.Iterator[RemoteAccessLogRecord]

Yield TeamViewer client logs.

TeamViewer is a commercial remote desktop application. An adversary may use it to gain persistence on a system.

dissect.target.plugins.apps.remoteaccess.teamviewer.parse_start(line: str) → datetime.datetime | None

TeamViewer Start messages can be formatted in different ways and might contain the timezone offset of all timestamps.

Start: 2021/11/11 12:34:56
Start: 2024/12/31 01:02:03.123 (UTC+2:00)