# RDP Cache Forensics

#### What is RDP bitmap cache? <a href="#what-is-rdp-bitmap-cache" id="what-is-rdp-bitmap-cache"></a>

When a user connects to another system over RDP, the client (mstsc.exe) stores small bitmap tiles of the remote screen (at most 64x64 pixels each) in the user's profile, so that when the same image is needed again in a session it can be pulled from local disk instead of being sent over the network a second time. This persistent bitmap cache is what makes sessions over a slow link usable. For a forensic analyst it is valuable because it is a record of fragments of what the user actually saw in their RDP sessions. Two points matter when interpreting it: the cache lives on the machine the connection was made *from*, not on the target, and it survives the end of the session and reboots. Tiles are stored out of order and carry no per-tile timestamps, so the artifact tells you what was displayed, not when or in what layout; only the cache files' own timestamps bound when they were last written.

#### Where to find the cache and how to parse it

The cache is kept per user, under the profile of the account that launched the RDP client:

```
C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache
```

Current clients write `Cache0000.bin` through `Cache0004.bin`; older clients used `bcache22.bmc` / `bcache24.bmc` files in the same directory. Collect the whole directory, preserving timestamps, before parsing anything.

**RDP Bitmap Cache Parsing Tools**

> bmc-tools.py

{% embed url="<https://github.com/ANSSI-FR/bmc-tools>" %}

```
./bmc-tools.py -s Cache0000.bin -d cache0000_parsed -b
```

`-s` is the source cache file (or a directory containing several), `-d` the output directory. Each tile is written out as an individual bitmap and, with `-b`, bmc-tools also generates a collage that aggregates all of the tiles into one image, which gives you a quick and easy way to view the entirety of the output before deciding which tiles are worth stitching.

<figure><img src="/files/mZd19qmKdoglXworFxSw" alt=""><figcaption></figcaption></figure>
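To show what the parsing step above actually does, here is an added example (not code from this page nor from ANSSI's bmc-tools) that reads a `Cache*.bin` file into tiles and lays them out as a collage bitmap with nothing but the Python standard library. The file layout it assumes is the writer's reading of what bmc-tools' `.bin` parser handles: an 8-byte `RDP8bmp\0` magic, a 4-byte version field, then a sequence of tiles each with a 12-byte header (two 32-bit keys, a 16-bit width, a 16-bit height) followed by `width * height` 32-bit BGRA pixels. The sample cache it parses is constructed in the script, including a half-height tile, a tiny tile and trailing slack bytes, so the stop-on-garbage behaviour a forensic parser needs is exercised.

```python
"""Parse an RDP bitmap cache Cache*.bin into tiles and build a collage.

Added example, not part of the page or of bmc-tools. The layout below is
the writer's reading of what bmc-tools' .bin parser handles (assumption):
  - 8-byte magic b"RDP8bmp\\x00" followed by a 4-byte version field
  - tiles: 12-byte header <key1:u32><key2:u32><width:u16><height:u16>
           followed by width*height 32-bit BGRA pixels
"""
import struct

BIN_MAGIC = b"RDP8bmp\x00"
TILE_HDR = struct.Struct("<LLHH")   # key1, key2, width, height
BPP = 4                             # bytes per pixel (32-bit BGRA)
MAX_TILE = 64                       # RDP bitmap cache tiles are at most 64x64


def parse_cache_bin(data):
    """Return a list of (key1, key2, width, height, pixels) tiles.

    Parsing stops at the first malformed header (zero or oversize tile) or
    at a tile that runs past the end of the file, so a truncated or partly
    overwritten cache still yields every intact tile before the damage.
    """
    if not data.startswith(BIN_MAGIC):
        raise ValueError("not an RDP8bmp cache file")
    tiles = []
    off = len(BIN_MAGIC) + 4            # skip magic and version field
    while off + TILE_HDR.size <= len(data):
        key1, key2, w, h = TILE_HDR.unpack_from(data, off)
        off += TILE_HDR.size
        if not (0 < w <= MAX_TILE and 0 < h <= MAX_TILE):
            break                       # trailing slack / corrupt entry
        size = w * h * BPP
        if off + size > len(data):
            break                       # truncated last tile
        tiles.append((key1, key2, w, h, data[off:off + size]))
        off += size
    return tiles


def make_collage(tiles, per_row=8, cell=MAX_TILE):
    """Lay tiles on a grid of cell x cell slots; return (width, height, bgra).

    Smaller tiles are padded with transparent black so every slot is the
    same size, which is what makes the collage easy to skim for text and
    window chrome.
    """
    rows = (len(tiles) + per_row - 1) // per_row
    width, height = per_row * cell, rows * cell
    canvas = bytearray(width * height * BPP)
    for i, (_, _, w, h, px) in enumerate(tiles):
        x0, y0 = (i % per_row) * cell, (i // per_row) * cell
        for y in range(h):
            src = px[y * w * BPP:(y + 1) * w * BPP]
            dst = ((y0 + y) * width + x0) * BPP
            canvas[dst:dst + len(src)] = src
    return width, height, bytes(canvas)


def to_bmp(width, height, bgra):
    """Encode 32-bit BGRA pixels as an uncompressed BMP (top-down rows)."""
    size = len(bgra)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + size, 0, 0, 54)
    # BITMAPINFOHEADER; a negative height means rows are stored top-down
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, -height, 1, 32, 0,
                           size, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bgra


def build_sample_cache(tile_specs):
    """Constructed test data: a Cache*.bin holding solid-colour tiles."""
    out = bytearray(BIN_MAGIC + b"\x00\x00\x00\x00")
    for key1, key2, w, h, bgr in tile_specs:
        out += TILE_HDR.pack(key1, key2, w, h) + (bytes(bgr) + b"\xff") * (w * h)
    return bytes(out)


# Constructed sample: three tiles plus 12 zero bytes of trailing slack,
# which parses as a zero-size header and stops the loop cleanly.
SAMPLE = build_sample_cache([
    (0x1001, 0x1, 64, 64, (0, 0, 255)),   # red tile
    (0x1002, 0x2, 64, 32, (0, 255, 0)),   # green, half-height tile
    (0x1003, 0x3, 16, 16, (255, 0, 0)),   # small blue tile
]) + b"\x00" * 12


if __name__ == "__main__":
    tiles = parse_cache_bin(SAMPLE)
    print(f"{len(tiles)} tiles")
    for key1, key2, w, h, _ in tiles:
        print(f"  key=0x{key1:08x}/0x{key2:08x} {w}x{h}")
    w, h, px = make_collage(tiles, per_row=2)
    with open("collage.bmp", "wb") as f:
        f.write(to_bmp(w, h, px))
```

Run it as a script and open `collage.bmp`; on a real `Cache0000.bin` replace `SAMPLE` with the file's bytes. The keys in each tile header are what the client uses to look tiles up, and they are the only metadata you get: there is no position or time information, which is why a collage is the first view and stitching (below) is a separate, manual step.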

#### RDP Cache Stitcher

<figure><img src="/files/kEPXNJZAH8XgNRWMG2a5" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/BSI-Bund/RdpCacheStitcher>" %}

*RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. Using raw RDP cache tile bitmaps extracted by tools like e.g. ANSSI's BMC-Tools (<https://github.com/ANSSI-FR/bmc-tools>) as input, it provides a graphical user interface and several placement heuristics for stitching tiles together so that meaningful images or even full screenshots can be reconstructed.*

<figure><img src="/files/4wR9aI1YdHfCfmZEA20A" alt=""><figcaption></figcaption></figure>
