What do you do when you're conducting a forensic investigation and you know the threat actor RDP'd into a system, but you're essentially blind to most of their activities because you have virtually no logs available to prove what they actually did on the system? Look no further than the RDP Bitmap Cache!

What is the RDP Bitmap Cache?

The RDP Bitmap Cache is a forensic artifact that's rarely spoken of, but it can yield some quick wins in an investigation. So, first things first: what is the RDP Bitmap Cache? According to the official Microsoft documentation: "Bitmap caches are used by the client and server to store graphic bitmaps. Each bitmap cache holds bitmaps of a specified size in pixels (known as the 'tile size'). If a bitmap does not fit into a single cache entry, the server uses a tiling algorithm to divide the bitmap into tiles that will fit into the cache entries so that they can be stored separately into the cache."

What does this mean in plain English? Basically, fragments of the remote screen are stored locally on the client system to speed up sessions and reduce latency: a tile the client already holds does not have to be sent over the wire a second time. This is a legacy function from back in the days when internet connections were extremely slow (think dial-up) and RDP sessions were sluggish at best, but the mstsc client still has "Persistent bitmap caching" enabled by default under the Experience tab, so the files are usually there. Because the tiles are pieces of whatever the client rendered, they are effectively screenshots of the remote desktop as the user of that client saw it.

The one caveat is that these images are only stored on the client and not on the server facilitating the connection, so if a threat actor is using their own system to RDP to a host, these files won't be available for analysis. However, if they happen to use RDP from a system within the victim's network to move laterally, then that's where the RDP Bitmap Cache comes into play: the cache on the intermediate host shows what they looked at on the next one.

Starting from Windows 7 and up you'll find the RDP Bitmap Cache in the following location: C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\ (one Cache folder per user profile, so check every profile a suspect account could have used). Under this folder you'll potentially see a few different files. The first family is the legacy "bcache" files, named "bcache.bmc" with a number appended before the extension, either 2, 22 or 24, which reflects the quality (colour depth) of the tiles: the higher the number appended to the bcache, the higher the quality of the bitmap images stored in it. The second family is the "Cachexxxx.bin" files, with the x's replaced by a counter, i.e. Cache0000.bin, Cache0001.bin and so on; these are the newer format and are created and grown as the client runs RDP sessions on the system. In both formats the tiles are stored without their original screen coordinates, so reconstructing a readable screenshot is a jigsaw exercise: extract the tiles, then collage the ones that belong together.
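To make the tiling and caching behaviour in the quoted documentation concrete, here is a small added example (not code from the original post and not Microsoft's implementation). It models what the quote describes: a bitmap is cut into fixed-size tiles, edge tiles are smaller when the screen is not a multiple of the tile size, and a content-addressed client-side cache turns every repeated tile into a hit that would not need to be resent. The 64-pixel tile size, 32-bit pixels and the SHA-256-derived cache key are assumptions for illustration; the real protocol negotiates its own tile sizes and keys.

```python
"""Toy model of RDP bitmap tiling and client-side tile caching (added example,
not the real protocol). Assumed: 64x64 tiles, 32-bit pixels, hash-derived keys."""
import hashlib
from typing import Dict, List, Tuple

TILE_SIZE = 64   # assumption: tile edge in pixels
BPP = 4          # assumption: bytes per pixel (32-bit colour)

# ((x, y, width, height), raw row-major pixel bytes of the tile)
Tile = Tuple[Tuple[int, int, int, int], bytes]


def tile_bitmap(pixels: bytes, width: int, height: int,
                tile_size: int = TILE_SIZE, bpp: int = BPP) -> List[Tile]:
    """Split a row-major bitmap into tiles no larger than tile_size x tile_size.
    Tiles on the right and bottom edges are smaller when the bitmap does not
    divide evenly, which is the 'tiling algorithm' case in the documentation."""
    if len(pixels) != width * height * bpp:
        raise ValueError("pixel buffer does not match width*height*bpp")
    tiles: List[Tile] = []
    for ty in range(0, height, tile_size):
        th = min(tile_size, height - ty)
        for tx in range(0, width, tile_size):
            tw = min(tile_size, width - tx)
            rows = []
            for y in range(ty, ty + th):
                start = (y * width + tx) * bpp
                rows.append(pixels[start:start + tw * bpp])
            tiles.append(((tx, ty, tw, th), b"".join(rows)))
    return tiles


def reassemble(tiles: List[Tile], width: int, height: int, bpp: int = BPP) -> bytes:
    """Inverse of tile_bitmap: paste every tile back at its coordinates.
    In a real cache file the coordinates are not stored, which is why
    forensic reconstruction is a jigsaw rather than this simple loop."""
    buf = bytearray(width * height * bpp)
    for (tx, ty, tw, th), data in tiles:
        for row in range(th):
            src = row * tw * bpp
            dst = ((ty + row) * width + tx) * bpp
            buf[dst:dst + tw * bpp] = data[src:src + tw * bpp]
    return bytes(buf)


class ClientBitmapCache:
    """Content-addressed tile cache as kept by the client: a tile already
    present is a hit and would not have to cross the wire again."""

    def __init__(self) -> None:
        self.entries: Dict[bytes, bytes] = {}
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key(data: bytes) -> bytes:
        # assumption: 64-bit hash as the cache key
        return hashlib.sha256(data).digest()[:8]

    def fetch(self, data: bytes) -> bytes:
        k = self.key(data)
        if k in self.entries:
            self.hits += 1
        else:
            self.misses += 1
            self.entries[k] = data
        return k


def make_screen(width: int, height: int, bpp: int = BPP) -> bytes:
    """Constructed sample frame: one 64x64 texture repeated across the screen,
    so every full-size tile carries identical pixels (e.g. a tiled wallpaper)."""
    out = bytearray()
    for y in range(height):
        for x in range(width):
            out += bytes((x % TILE_SIZE, y % TILE_SIZE, 0x80, 0xFF))[:bpp]
    return bytes(out)


def simulate(width: int = 200, height: int = 130, frames: int = 2) -> dict:
    """Send the same frame `frames` times through the cache and report hits,
    misses and whether the tiles reassemble losslessly."""
    cache = ClientBitmapCache()
    screen = make_screen(width, height)
    tiles = tile_bitmap(screen, width, height)
    for _ in range(frames):
        for _, data in tiles:
            cache.fetch(data)
    return {
        "tiles": len(tiles),
        "hits": cache.hits,
        "misses": cache.misses,
        "roundtrip_ok": reassemble(tiles, width, height) == screen,
    }


if __name__ == "__main__":
    print(simulate())
```

With the constructed 200x130 frame there are 12 tiles (4 columns, 3 rows, with 8-pixel-wide and 2-pixel-high slivers on the edges). Only four distinct tile shapes and contents exist, so the first frame costs 4 misses and 8 hits, and redrawing the same frame costs nothing but hits; that is the latency saving the cache was built for, and the reason the tiles left behind on disk are a record of what the screen showed.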