DIGITAL FORENSICS: RDP CACHE II

What is RDP bitmap cache?

RDP (Remote Desktop Protocol) bitmap cache is a feature used by the Remote Desktop Protocol to enhance the performance and efficiency of remote desktop sessions. When you connect to a remote computer using RDP, the protocol transfers graphical data from the remote system to your local machine. To optimize this process, RDP uses bitmap caching to store frequently used images and graphical elements on the local client machine.

Forensic Implications of RDP Bitmap Cache

In the context of digital forensics, RDP bitmap cache files can be valuable sources of evidence. They may contain remnants of the remote desktop sessions, including snapshots of the graphical data displayed during the session. Forensic analysts can extract and analyze these cached images to gain insights into user activities and interactions with the remote system.

1. User Activity Reconstruction:

   • By examining the bitmap cache, forensic investigators can reconstruct the actions performed by a user during an RDP session. This can include viewing specific windows, applications, and documents, which may be crucial in investigations involving unauthorized access or data exfiltration.

2. Timeline Analysis:

   • Cached bitmaps can help establish a timeline of events by correlating the cached images with other digital artifacts, such as system logs and file access records. This can provide a comprehensive view of the sequence of activities during a remote session.

3. Identifying Malicious Activities:

   • If an attacker uses RDP to access a system, the bitmap cache may contain evidence of malicious actions, such as opening sensitive files, executing commands, or installing malware. Analyzing the cache can aid in identifying and attributing such activities.

Tools for Analyzing RDP Bitmap Cache

Several forensic tools can be used to analyze RDP bitmap cache files, including:

1. FTK Imager: A versatile forensic imaging tool that can be used to capture and analyze bitmap cache files.
2. BMC-Tools: processes bcache*.bmc and cache????.bin files found inside Windows user profiles.
3. Sleuth Kit and Autopsy: Open-source digital forensics tools that can be used to analyze various types of digital evidence, including bitmap cache files.

Overall, RDP bitmap cache is a significant feature for optimizing remote desktop performance and a valuable source of evidence in digital forensic investigations.

RDP Bitmap Cache Location

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache

bmc-tools used command

#python bmc-tools.py -s /home/kali/Desktop/6870 -Cache -d /home/kali/Desktop/bmc-tools-master/Output/

mkdir to create a folder that contains the output of bmc-tools script

-s to point to RDP bitmap cache folder

Challenge: We suspect that the network has been compromised and the threat actor is copying (exfiltrating) files from one system to another.

         RDP Cache

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud