Forensic Analysis of File Exfiltrations Using AnyDesk, TeamViewer and Chrome Remote Desktop
Published in: | Electronics (Basel) 2024-04, Vol.13 (8), p.1429 |
---|---|
Main Authors: | , , , , , |
Format: | Article |
Language: | English |
Summary: | The use of remote desktop applications has increased greatly in recent years, mainly because of the generalization of telecommuting due to the COVID-19 pandemic. This process has been carried out in a very controlled manner in some companies, but in other organizations it has been introduced in a more anarchic way. The direct use of on-premises company computers and resources from the internet without the necessary protection mechanisms, including VPNs, has increased the risk of data exfiltration. Apart from other types of data exfiltration, there are cases in which employees transfer files using encrypted communications, consciously or unconsciously, producing a leak of information undetected by data loss prevention systems. In this paper we analyse the question of whether a forensic investigation may answer questions about data exfiltrations; questions such as those regarding the when, what and who (or to whom) and the use of application logs and other available tools. The answers to these questions may form the basis of solid digital evidence for legal purposes, though they may only deliver a partial response to said questions. Other complementary sources are necessary to build a complete answer and accurate digital evidence. Nevertheless, we have identified and analysed several use cases that may help to raise an early alarm that can offer warning about certain behaviours in encrypted traffic that may be detected via network monitoring. |
---|---|
ISSN: | 2079-9292 |
DOI: | 10.3390/electronics13081429 |