Article
Peer-Review Record

Forensic Analysis of File Exfiltrations Using AnyDesk, TeamViewer and Chrome Remote Desktop

Electronics 2024, 13(8), 1429; https://doi.org/10.3390/electronics13081429
by Xabiel G. Pañeda, David Melendi *, Víctor Corcoba, Alejandro G. Pañeda, Roberto García and Dan García
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 3:
Reviewer 4: Anonymous
Submission received: 11 March 2024 / Revised: 2 April 2024 / Accepted: 8 April 2024 / Published: 10 April 2024

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

While I don’t doubt it has been a disorderly transition (based on my own anecdotal experience), are there any industry reports, if there aren’t academic sources, to back up this central assumption in the opening paragraph? I would assume there is, and so this should then be cited as it is a clear motivation within the paper.

Are there any statistics available for the adoption/market share of TeamViewer, AnyDesk or Chrome RD? Again, the choice of these should be backed up/justified more strongly beyond the opinion of “ease of use” without source. Later on you mention the use of RealVNC, TightVNC, Webex and GoToMeeting. I have heard of each before and used one of them, yet none of these are considered in your work? Even as you have said, the study is now outdated as the applications have been improved.

Can you clarify what normal traffic looks like from the systems, vs. file transfer? I.e., the description of the frequency of acknowledgement packets, and things like Figure 3, don’t really give a clear picture of what the normal traffic flow, with acknowledgements, is for just viewing the desktop remotely vs. when a file is transferred.

Table 1 line spacing looks bad, likewise the use of justification and font size. It is basically unreadable – while technically readable, it was not nice to do so, so I didn’t bother. I suspect most readers would be the same.

507 – any evidence to prove that they are not willing to without a warrant?

Comments on the Quality of English Language

There is some clunky / casual phrasing in the document - also some missing commas / odd sentence structures. I think a good proofread from someone not involved in the writing (with good English) could likely do track changes on grammar issues.

Author Response

Thank you very much for your review!

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

This research contributes to the field of cybersecurity by highlighting the importance of forensic investigation in detecting data exfiltration through encrypted communications. The writing is well structured. I think it can be published after a minor editing of grammar and format. 

Comments on the Quality of English Language

The English language is fine.

Author Response

Thank you very much for your review!!

The text has been reviewed by a native English (British) speaker.

Reviewer 3 Report

Comments and Suggestions for Authors

The paper studies 3 remote desktop applications (i.e. TeamViewer, AnyDesk and Chrome Remote Desktop), focusing on file exfiltrations, and presents some highlights. It will provide valuable references for developing, employing and forensic analysis. It will be better if you analyze them from the perspective of forensic analysis truly. E.g. if you can get dependable evidence of file exfiltrations. If not, what further methods you can take to guarantee this. Or, you can give some suggestions to employ remote desktop applications.

Author Response

Thank you very much for your review.

The first observation is very interesting. In our experience, it is very infrequent to have irrefutable evidence about a user activity. Evidence is usually weak or strong, but it is very rarely irrefutable. The traditional approach is then to gather diverse information from different sources to back up an accusation with solid evidence. For instance, a connection made from a certain location, with a computer owned by a certain user, and successful authentication operations of that same user using multi-factor authentication. A single separate indication of a certain activity is weak evidence when compared with several records pointing towards the same direction. In our paper, we have analysed different sources of forensic information including:

  • Log information produced by remote desktop applications
  • Log information generated by the operating system used by the user
  • Traffic profiles identifying a potential exfiltration in encrypted traffic

These details, combined with other complementary sources of information, may produce strong evidence for an accusation. We have tried to explain this in the conclusions section as follows:

… The answers to these questions may be the base of solid digital evidence for legal purposes. Nevertheless, our findings only deliver a partial response to said questions, thus, other complementary sources are necessary to build a complete answer and strong digital evidence. This includes inventory information, details of connections performed from a certain location or authentication logs in corporate services.

Regarding the suggestions to employ remote desktop applications, this paper tries to establish the evidence of file exfiltrations performed using three well-known systems. It may be used in data leak investigations, when these applications are used in a corporation. This may happen because the organization is using these systems, or because an employee has been able to install them to exfiltrate files (we have worked on several cases like this). Nevertheless, the goal of the study is not to establish best practices on the deployment of these systems or about implementing security policies. It is a reference for system administrators and expert witnesses about what may be found and where it may be found.

Reviewer 4 Report

Comments and Suggestions for Authors

Thank you for your effort.

I have some comments that must be considered in the modified manuscript.

------------------------------------------------------

1) The "Abstract" is very qualitative and has no numerical values. 

2) In general, I do not see any numerical values.

3) The paper must include a "Conclusion" section.

4) The paper depends on screens and the concept is not well defined at first. Please, before going on, tell the reader the concept you follow to perform your work.

5) I do not see any comparison with any previously published work in the same field. I mean comparing results. So, how do you evaluate your work and your results?

Author Response

Thank you very much for your review!

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 4 Report

Comments and Suggestions for Authors

Thank you for considering comments.

From my side, NO more action is needed.
