GoToForensics

In this post we will share findings from testing GoToMeeting software when used to chat, share screens and give control of your screen to other participants. Special credit to Gabriel Quiroz for performing a substantial amount of this testing, as well as validating many of my findings.

GoTo has numerous products, one of which was formerly known as LogMeIn and is now known as GoToMeeting. The scope of this testing was limited to GoToMeeting (aka G2M). The scope is further limited to the downloadable software and does not include hosting meetings via a web browser.

Testing was conducted on a Windows 10 21H2 machine as the meeting host, using version 3.34.0.1 of the GoToMeeting software.

The findings are organized by Action, Evidence and Analysis.

Action: GoToMeeting Launched
Evidence: Command line string "GoTo.exe" which also includes the string "--type=crashpad-handler". This is evidence of the Chromium-based GoTo.exe starting to join or host a meeting. Some versions below 3.34.0.1 were not Chromium based.
Analysis: A high frequency of occurrence could be indicative of a user outsourcing their job. Additional evidence is needed to verify.

Action: GoToMeeting Meeting Started by Host
Evidence: Command line strings "g2mstart.exe" or "GoTo.exe" or "g2mcomm.exe" which also include the words "Action" AND "Host".
Analysis: A high frequency of occurrence could be indicative of a user outsourcing their job. Additional evidence is needed to verify.

Action: G2M Screen Sharing
Evidence: Command line strings "GoToScrUtils.exe" or "g2mui.exe" or "G2MScrUtil64.exe" which also include the string "/cr". Based on our testing, this indicates GoTo is being used to share a screen.
Analysis: Screen sharing via G2M may or may not be authorized in your organization. If authorized, frequent/daily screen sharing may represent an insider risk.

Action: Guest WebCam Turned On
Evidence: The goto.log file will indicate that another participant has turned on their webcam with a line similar to:

[2023-02-28T21:55:57.659Z -05:00] [info]  [context] me_numberOfWebcamsReceived= 1

Analysis: The number will increment as additional participants turn on their cameras.

Action: Remote Control
Evidence: GoTo logs most important events in the user's AppData folder as follows:

"C:\Users\\AppData\Roaming\GoTo\Logs\goto.log" OR
"C:\Users\\AppData\Roaming\GoTo\Logs\goto.old.log"

Search for strings referencing the keyword "remoteControl".

Action: 3rd Party Joining the Session
Evidence: GoToMeeting indicates the number of attendees on a meeting. Use a string search for the number of attendees joining the session.
Analysis: Correlate the timestamp observed in the evidence of remote control with the evidence of an increase in the number of attendees. A sample showing the increase in the number of attendees is shown below.

Action: External Participants
Evidence: The goto.log file can be searched for "displayName" to determine the identity of the meeting participants. The "dialDirection":"In" value signifies the participant is not the host.

Action: GoToMeeting Recordings
Evidence: Testing has shown GoToMeeting recordings will be written to the user's default Documents folder as *.webm files. Additionally, web traffic observed to
Analysis: These can be played with Windows Media Player. If the meeting was viewed by an untrusted party, data leakage may have occurred. Review the videos to assess. The timestamp in the filename indicates the local time the recording began. The file "last modified" time is roughly when the recording ended.

Action: GoToMeeting Cloud Recordings
Evidence:
1. Alternatively, if cloud-based recordings are used, the goto.log file will contain the string "cloud-based recording".
2. Additionally, an email will be sent to the host user with a subject like "Your interactive recording is ready!"
3. Further, the email will contain a link to the recording with a URL starting with https://transcripts.gotomeeting.com.
Analysis:
1. The examiner should seek to view these videos for further evidence, especially relating to data loss to an untrusted meeting participant and/or the GoToMeeting cloud.
2. Email logs can be searched for this subject.
3. Proxy logs can be reviewed for visits to this domain.
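The command-line and goto.log indicators above can be turned into a small triage script. The following is an added example written for this post, not code from the post or from GoTo; the sample command lines and log lines are constructed (the "/Action Host" switch layout, the remoteControl and roster line formats are assumptions, only the strings the post names are taken from testing).

```python
import re

# Indicator rules from the post: (label, process names, strings that must also appear)
CMDLINE_RULES = [
    ("meeting_launched", ("goto.exe",), ("--type=crashpad-handler",)),
    ("meeting_hosted", ("g2mstart.exe", "goto.exe", "g2mcomm.exe"), ("action", "host")),
    ("screen_sharing", ("gotoscrutils.exe", "g2mui.exe", "g2mscrutil64.exe"), ("/cr",)),
]

def classify_cmdline(cmdline):
    """Return the first indicator whose process name and required strings all occur (case-insensitive)."""
    c = cmdline.lower()
    for label, procs, needles in CMDLINE_RULES:
        if any(p in c for p in procs) and all(n in c for n in needles):
            return label
    return None

TS = re.compile(r"^\[([^\]]+)\]")                         # leading "[timestamp]" of a goto.log line
WEBCAMS = re.compile(r"me_numberOfWebcamsReceived=\s*(\d+)")
NAME = re.compile(r'"displayName"\s*:\s*"([^"]*)"')
DIAL = re.compile(r'"dialDirection"\s*:\s*"([^"]*)"')

def scan_goto_log(text):
    """Pull the goto.log indicators the post lists: peak webcam count, remoteControl timestamps, non-host names."""
    out = {"max_webcams": 0, "remote_control": [], "guests": []}
    for line in text.splitlines():
        m = TS.match(line)
        ts = m.group(1) if m else None
        if w := WEBCAMS.search(line):
            out["max_webcams"] = max(out["max_webcams"], int(w.group(1)))
        if "remoteControl" in line:           # keyword the post says to search for
            out["remote_control"].append(ts)  # timestamps to correlate with attendee increases
        if (n := NAME.search(line)) and (d := DIAL.search(line)) and d.group(1) == "In":
            out["guests"].append(n.group(1))  # "dialDirection":"In" marks a non-host participant
    return out

# Constructed sample data (assumed formats; not real captures from the post)
SAMPLE_CMDLINES = [
    r'"C:\Program Files\GoTo\GoTo.exe" --type=crashpad-handler',
    r'"C:\Program Files\GoTo\g2mstart.exe" /Action Host /MeetingID 000',
    r'"C:\Program Files\GoTo\G2MScrUtil64.exe" /cr',
    r'"C:\Windows\notepad.exe" notes.txt',
]
SAMPLE_LOG = """[2023-02-28T21:55:57.659Z -05:00] [info]  [context] me_numberOfWebcamsReceived= 1
[2023-02-28T21:57:12.001Z -05:00] [info]  [context] me_numberOfWebcamsReceived= 2
[2023-02-28T21:58:03.120Z -05:00] [info]  [session] remoteControl state changed: granted
[2023-02-28T21:58:10.500Z -05:00] [info]  [roster] {"displayName":"Outside Party","dialDirection":"In"}
[2023-02-28T21:58:10.600Z -05:00] [info]  [roster] {"displayName":"Alice Host","dialDirection":"Out"}
"""
```

Run classify_cmdline over process-creation events and scan_goto_log over the goto.log files listed above; the remote-control timestamps returned are the ones to line up against the attendee-count increase.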
