RDP Cache Forensics
When a user connects to another system over RDP, the client keeps a persistent bitmap cache of the small tiles (at most 64x64 pixels) it receives from the remote screen. The cache lives in the connecting user's profile, by default under `%LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\`, as `Cache0000.bin` to `Cache0004.bin` on current clients and as `bcache22.bmc` on older ones. When the same tile is needed again, the client pulls it from local disk instead of having the server resend it, which keeps the session responsive on a slow connection. Because the tiles survive after the session ends, this artifact can sometimes show what the user was seeing in their RDP sessions. Two caveats for the investigator: the cache is written on the machine the connection was initiated from (the client), not on the target, so for lateral movement cases collect it from the source host; and the tiles are unordered fragments without embedded timestamps, so reconstructing a screen takes manual stitching and only ever yields a partial view.
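To make the structure of the artifact concrete, here is an added example (not code from this page, nor from bmc-tools or RdpCacheStitcher) that parses a `Cache*.bin` file and writes each tile out as a BMP plus a collage. The layout it assumes is the one ANSSI's bmc-tools implements, as I read its parser: an 8-byte `RDP8bmp\0` magic, a 4-byte little-endian version, then tiles back to back, each with a 12-byte header (two 32-bit keys, a 16-bit width and a 16-bit height) followed by `width*height*4` bytes of 32-bit pixels. The BGRA byte order and top-down row order are assumptions, as is the behaviour on a truncated trailing tile (kept tiles are returned, the partial one dropped). The legacy `bcache22.bmc` format is not handled. The sample cache at the bottom is constructed in memory so the script runs offline; pass a real file path as the first argument to parse that instead.

```python
"""Parse an RDP persistent bitmap cache (Cache*.bin) into tiles, BMPs and a collage.

Added example; assumed layout as implemented by bmc-tools (verify before relying on it):
  "RDP8bmp\0" (8 bytes) | uint32 version | tiles...
  tile: uint32 key1 | uint32 key2 | uint16 width | uint16 height | width*height*4 pixel bytes
Pixel byte order (BGRA) and top-down row order are assumptions.
"""
import struct
import sys
from dataclasses import dataclass

BIN_MAGIC = b"RDP8bmp\x00"
TILE_HDR = struct.Struct("<IIHH")       # key1, key2, width, height (little-endian)
BYTES_PER_PIXEL = 4                      # 32-bpp tiles


@dataclass
class Tile:
    key1: int
    key2: int
    width: int
    height: int
    pixels: bytes                        # raw BGRA rows, top row first (assumed)


def parse_bin_cache(data: bytes) -> tuple[int, list[Tile]]:
    """Return (version, tiles). Stops at the first truncated or zero-sized tile."""
    if not data.startswith(BIN_MAGIC):
        raise ValueError("not an RDP8bmp cache file")
    version = struct.unpack_from("<I", data, len(BIN_MAGIC))[0]
    off = len(BIN_MAGIC) + 4
    tiles: list[Tile] = []
    while off + TILE_HDR.size <= len(data):
        key1, key2, w, h = TILE_HDR.unpack_from(data, off)
        off += TILE_HDR.size
        size = w * h * BYTES_PER_PIXEL
        if w == 0 or h == 0 or off + size > len(data):
            break                        # truncated tail: keep what was fully present
        tiles.append(Tile(key1, key2, w, h, data[off:off + size]))
        off += size
    return version, tiles


def tile_to_bmp(t: Tile) -> bytes:
    """Wrap raw BGRA pixels in a 32-bpp BMP; negative height marks a top-down DIB."""
    image_size = t.width * t.height * BYTES_PER_PIXEL
    info = struct.pack("<IiiHHIIiiII", 40, t.width, -t.height, 1, 32, 0,
                       image_size, 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + image_size, 0, 0, 14 + 40)
    return file_hdr + info + t.pixels


def build_collage(tiles: list[Tile], columns: int = 16, cell: int = 64) -> Tile:
    """Lay tiles out on a grid of fixed cells (black background) for a quick overview."""
    rows = (len(tiles) + columns - 1) // columns
    width, height = columns * cell, rows * cell
    canvas = bytearray(width * height * BYTES_PER_PIXEL)
    for idx, t in enumerate(tiles):
        x0, y0 = (idx % columns) * cell, (idx // columns) * cell
        w = min(t.width, cell)
        for row in range(min(t.height, cell)):
            src = row * t.width * BYTES_PER_PIXEL
            dst = ((y0 + row) * width + x0) * BYTES_PER_PIXEL
            canvas[dst:dst + w * BYTES_PER_PIXEL] = t.pixels[src:src + w * BYTES_PER_PIXEL]
    return Tile(0, 0, width, height, bytes(canvas))


def _tile_bytes(key1: int, key2: int, w: int, h: int, bgra: bytes) -> bytes:
    return TILE_HDR.pack(key1, key2, w, h) + bgra * (w * h)


# Constructed sample: a 2x2 red tile, a 3x1 green tile, then a tile whose header claims
# 64x64 but whose data is cut off (simulating a truncated cache file).
SAMPLE_CACHE = (
    BIN_MAGIC + struct.pack("<I", 3)
    + _tile_bytes(0x11111111, 0x22222222, 2, 2, b"\x00\x00\xff\xff")
    + _tile_bytes(0x33333333, 0x44444444, 3, 1, b"\x00\xff\x00\xff")
    + TILE_HDR.pack(0x55555555, 0x66666666, 64, 64) + b"\x00" * 100
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CACHE
    version, tiles = parse_bin_cache(data)
    print(f"cache version {version}, {len(tiles)} complete tiles")
    for t in tiles:
        with open(f"tile_{t.key1:08x}_{t.key2:08x}.bmp", "wb") as f:
            f.write(tile_to_bmp(t))
    with open("collage.bmp", "wb") as f:
        f.write(tile_to_bmp(build_collage(tiles)))
```

Tile file names carry the two cache keys so the same tile can be matched across runs; the collage is only an overview, and real reconstruction still needs a stitching tool.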
RDP Bitmap Cache Parsing Tools
bmc-tools.py (ANSSI, https://github.com/ANSSI-FR/bmc-tools): parses `Cache*.bin` and `bcache22.bmc` files and writes every tile out as an individual BMP. With its `-b` option it also generates a collage which aggregates all of the tiles, giving a quick and easy way to view the entirety of the output.
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. Using raw RDP cache tile bitmaps extracted by tools such as ANSSI's bmc-tools (https://github.com/ANSSI-FR/bmc-tools) as input, it provides a graphical user interface and several placement heuristics for stitching tiles together so that meaningful images or even full screenshots can be reconstructed.