RDP Cache

Introduction

The RDP Cache stores small bitmap images from active Remote Desktop Protocol (RDP) sessions. These bitmaps provide valuable forensic evidence, capturing snapshots of what was viewed or interacted with during an RDP session. They are particularly useful for investigating lateral movement and reconstructing attacker activities on compromised systems.


Location of RDP Cache Files

The RDP cache files are stored in a user-specific directory:

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache

Use Cases of RDP Cache Analysis

  • Identify Lateral Movement: Track attacker actions across systems during RDP sessions.

  • Visualize Attacker Actions: Reconstruct what the attacker interacted with, such as file systems, command lines, or sensitive documents.

  • Reconstruct Evidence: Discover commands executed, tools deployed, and sensitive data accessed.


Tools for RDP Cache Analysis

1. BMC Tools

BMC Tools is a Python-based utility that extracts and converts RDP cache files into readable bitmap images.

Command:

python3 bmc-tools.py -s "C:\path\to\cache" -d "C:\path\to\results" -b

  • -s: Source directory containing cache files.

  • -d: Destination directory for extracted images.

  • -b: Generates a collage summarizing all bitmaps.

Output:

  • Individual bitmap images (representing small screenshots from the session).

  • A collage summarizing all extracted images for quick visualization.

Example Findings:

  • Commands Executed: Screenshots of whoami or ipconfig commands.

  • Sensitive Files: Images showing access to files like Regshot or credential dumps.

  • Web Activity: Evidence of visited websites (e.g., GitHub).

2. RDP Cache Stitcher

RDP Cache Stitcher helps reconstruct coherent screenshots from fragmented bitmap images.

Steps:

  1. Open RDP Cache Stitcher.

  2. Create a new case and load the folder containing bitmap images.

  3. Analyze and piece together meaningful screenshots.

Advantages:

  • Aligns fragmented bitmaps to form complete screenshots.

  • Provides a clearer, structured view of the attacker’s session.

  • Reduces the manual effort required for interpreting individual images.


Analysis Workflow

1. Extract Cache Files

  • Use BMC Tools to convert cache files into bitmap images.

  • Start with the collage for a high-level overview of the session.

2. Manual Image Inspection

  • Open all extracted images in a file explorer for a quick visual summary.

  • Focus on identifying key activities:

    • Opened folders.

    • Executed commands.

    • Accessed sensitive files.

3. Use RDP Cache Stitcher

  • Load fragmented images into RDP Cache Stitcher.

  • Reconstruct meaningful screenshots to visualize the session comprehensively.


Forensic Value of RDP Cache Analysis

  1. Timeline Reconstruction:

    • Identify when specific actions occurred during an RDP session.

    • Correlate with event logs for precise activity timelines.

  2. Behavioral Insights:

    • Uncover the attacker’s objectives (e.g., credential harvesting, data exfiltration).

    • Understand their workflow and decision-making during lateral movement.

  3. Corroborate Evidence:

    • Validate findings from other forensic artifacts, such as:

      • Event logs.

      • Registry keys.

      • Network traffic.
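
The following Python script is an added example, not part of the original page or of BMC Tools. It inventories cache files under the per-user path given above on a mounted image, recording size, SHA-256 and last-modified time in UTC so the originals can be hashed before extraction and their write times lined up with event logs. The `.bmc`/`.bin` extension filter, the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Per-user cache path from this page, relative to the root of a mounted image.
CACHE_REL = "AppData/Local/Microsoft/Terminal Server Client/Cache"
# Assumption (not stated on the page): cache containers end in .bmc or .bin.
CACHE_SUFFIXES = {".bmc", ".bin"}


def inventory_rdp_cache(image_root):
    """Return one record per cache file, oldest modification time first."""
    root = Path(image_root)
    records = []
    for cache_dir in root.glob(f"Users/*/{CACHE_REL}"):
        user = cache_dir.relative_to(root).parts[1]
        for f in sorted(cache_dir.iterdir()):
            if f.is_file() and f.suffix.lower() in CACHE_SUFFIXES:
                st = f.stat()
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                records.append({
                    "user": user,
                    "file": f.name,
                    "size": st.st_size,
                    "sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
                    "modified_utc": mtime.isoformat(timespec="seconds"),
                })
    return sorted(records, key=lambda r: r["modified_utc"])


def build_sample_tree(root):
    """Constructed sample data: two profiles with placeholder cache files."""
    samples = [("alice", "Cache0000.bin", b"constructed-A", 1700000000),
               ("bob", "bcache24.bmc", b"constructed-B", 1690000000),
               ("bob", "notes.txt", b"not a cache file", 1690000000)]
    for user, name, data, mtime in samples:
        cache_dir = Path(root) / "Users" / user / CACHE_REL
        cache_dir.mkdir(parents=True, exist_ok=True)
        (cache_dir / name).write_bytes(data)
        os.utime(cache_dir / name, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for r in inventory_rdp_cache(tmp):
            print(r["modified_utc"], r["user"], r["file"], r["sha256"][:16])
```

The modification time reflects when the cache file was last written, not when an individual tile was displayed, so treat it as a bound to correlate against logon and logoff events rather than a per-image timestamp.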


RDP Cache Analysis provides a window into an attacker’s actions during remote sessions. Despite its time-intensive nature, it delivers critical insights, especially in cases of lateral movement and internal reconnaissance. By using automated tools like BMC Tools and RDP Cache Stitcher, investigators can efficiently reconstruct attacker behavior and develop a comprehensive timeline of malicious activities.
