RDP Cache Forensics

  • Published 25 Jul 2024
  • As a continuation of the "Introduction to Windows Forensics" series, this video introduces Remote Desktop Protocol (RDP) Cache Forensics. Did you know that when you use the mstsc.exe RDP client on Windows, a bitmap cache is stored within your user profile? The cache consists of compressed bitmap data that you'll need to extract before being able to view it. The purpose of the cache, as you might imagine, is to improve performance by storing sections of the screen that change infrequently.
    In this video, we'll take a look at a tool that can extract these bitmap files, allowing us to reassemble sections of the screen manually (not unlike putting together a puzzle). We can often glean data such as file names, icons, backgrounds and other artifacts that could be useful in determining the actions of a given user (or at the very least, help focus our investigation).
    ** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
    Introduction to Windows Forensics:
    • Introduction to Window...
    BMC-Tools:
    github.com/ANSSI-FR/bmc-tools
    RDP Cached Bitmap Extractor:
    www.guidancesoftware.com/app/...
    Background Music Courtesy of Modern Vintage Gamer:
    / modernvintagegamer
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
  • Science & Technology
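The extract-and-reassemble step sketched in the description above, as an added Python example (not code from the video and not ANSSI's bmc-tools): it reads tiles from a constructed container, validates each tile header (an unknown bit depth fails with an "unexpected bpp(...)" error, the same kind of check a real cache parser makes), lays the tiles out on a grid and writes the result as a 24-bit BMP. The container layout, the TOY_MAGIC value and the sample tiles are all assumptions made for this demo; the real bcache*.bmc and Cache*.bin layouts are what bmc-tools implements.

```python
import struct

# Hypothetical container layout used only for this demo: an 8-byte magic,
# then tiles of <width:u16><height:u16><bpp:u16> + raw top-down pixel data.
# The real bcache*.bmc / Cache*.bin layouts differ; bmc-tools parses those.
TOY_MAGIC = b"TOYCACHE"


def to_bgr_rows(raw, width, height, bpp):
    """Normalise raw 24- or 32-bit pixels (BGR / BGRA byte order) to a
    list of rows, each a list of (b, g, r) tuples; any alpha byte is dropped."""
    stride = bpp // 8
    return [
        [tuple(raw[(y * width + x) * stride:(y * width + x) * stride + 3])
         for x in range(width)]
        for y in range(height)
    ]


def parse_toy_container(blob):
    """Return a list of (width, height, rows) tiles, validating each header
    the way a cache parser must: unknown bit depths and truncated tiles are
    errors rather than garbage images."""
    if blob[:len(TOY_MAGIC)] != TOY_MAGIC:
        raise ValueError("not a toy cache container")
    tiles, off = [], len(TOY_MAGIC)
    while off < len(blob):
        if len(blob) - off < 6:
            raise ValueError(f"truncated tile header at offset {off}")
        width, height, bpp = struct.unpack_from("<HHH", blob, off)
        if bpp not in (24, 32):
            raise ValueError(f"unexpected bpp({bpp}) at offset {off}")
        off += 6
        size = width * height * (bpp // 8)
        raw = blob[off:off + size]
        if len(raw) != size:
            raise ValueError(f"truncated tile at offset {off}")
        off += size
        tiles.append((width, height, to_bgr_rows(raw, width, height, bpp)))
    return tiles


def parse_error(blob):
    """Return the parser's error message for a bad container, else None."""
    try:
        parse_toy_container(blob)
        return None
    except ValueError as exc:
        return str(exc)


def build_collage(tiles, columns, tile_w=64, tile_h=64):
    """Place tiles left-to-right, top-to-bottom in a fixed grid (the
    'puzzle board' you pick pieces from); returns (width, height, rows).
    Unused cells stay black; tiles larger than a cell are clipped."""
    grid_rows = (len(tiles) + columns - 1) // columns
    width, height = columns * tile_w, grid_rows * tile_h
    canvas = [[(0, 0, 0)] * width for _ in range(height)]
    for idx, (tw, th, rows) in enumerate(tiles):
        ox, oy = (idx % columns) * tile_w, (idx // columns) * tile_h
        for y in range(min(th, tile_h)):
            for x in range(min(tw, tile_w)):
                canvas[oy + y][ox + x] = rows[y][x]
    return width, height, canvas


def write_bmp(width, height, rows):
    """Encode top-down rows of (b, g, r) as a 24-bit BMP; rows are written
    bottom-up and padded to 4 bytes, as the BMP format requires."""
    row_bytes = (width * 3 + 3) & ~3
    pixel_bytes = row_bytes * height
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + pixel_bytes, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           pixel_bytes, 2835, 2835, 0, 0)
    body = bytearray()
    for row in reversed(rows):
        for b, g, r in row:
            body += bytes((b, g, r))
        body += b"\x00" * (row_bytes - width * 3)
    return file_hdr + info_hdr + bytes(body)


def solid_tile(width, height, bgr, bpp):
    """Constructed sample tile: one solid colour, with an alpha byte at 32 bpp."""
    pixel = bytes(bgr) + (b"\xff" if bpp == 32 else b"")
    return struct.pack("<HHH", width, height, bpp) + pixel * (width * height)


# Constructed sample data: three 2x2 tiles (blue, green, red in BGR order).
SAMPLE_CACHE = (TOY_MAGIC
                + solid_tile(2, 2, (255, 0, 0), 24)
                + solid_tile(2, 2, (0, 255, 0), 32)
                + solid_tile(2, 2, (0, 0, 255), 24))


def demo():
    """Parse the sample, lay it out two tiles wide, and return the BMP bytes."""
    tiles = parse_toy_container(SAMPLE_CACHE)
    width, height, rows = build_collage(tiles, columns=2, tile_w=2, tile_h=2)
    return write_bmp(width, height, rows)


if __name__ == "__main__":
    with open("collage.bmp", "wb") as fh:
        fh.write(demo())
    print("wrote collage.bmp")
```

Running the file writes collage.bmp next to it. In practice the grid is what you scan for text fragments, icons and window chrome before pulling individual tiles together by hand; the header checks are what separate a corrupt or unrecognised file from a parseable one.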

COMMENTS • 19

  • @AlexisBrignoni
    @AlexisBrignoni 6 years ago +9

    Thanks for these series, they are excellent.

  • @MadGlitch
    @MadGlitch 4 years ago +2

    Great video, helped me a ton! Keep it up!

  • @migwe1019
    @migwe1019 2 years ago +3

    Great video, it really helped me a lot

  • @elmiklo5939
    @elmiklo5939 6 years ago +1

    Very informative Sir

  • @serhank9436
    @serhank9436 1 year ago +1

    Thank you for the video

  • @shantanudeyanik8274
    @shantanudeyanik8274 3 years ago +2

    Thank you sir

  • @emran5897
    @emran5897 5 years ago +1

    Thanks for the video.

  • @BobTheCat412
    @BobTheCat412 4 months ago +1

    The issue here is that if an attacker uses an RDP connection to my host, I can't view this data because it's only available on their machine.

    • @13Cubed
      @13Cubed  4 months ago

      Yes, but if an attacker moves laterally *within* your environment, the system from which the RDP connection was initiated would have the cache. This has proved useful for me on many occasions.

  • @ratechsolution2088
    @ratechsolution2088 3 years ago

    Can we find this cache files after imaging the system?

    • @13Cubed
      @13Cubed  3 years ago

      Not sure I understand your question?

    • @ratechsolution2088
      @ratechsolution2088 3 years ago

      @@13Cubed will this cache get erased after removing hdd?

    • @13Cubed
      @13Cubed  3 years ago +1

      @@ratechsolution2088 If you delete the data on the hard drive after you pull it out, yes. Otherwise the data will remain intact on the drive. I'm still not sure I understand what you are asking.

  • @tommyboiret5723
    @tommyboiret5723 6 years ago

    Hi, when I execute the bmc script I get this error: "unexpected bpp(0)..". Do you know what's happening, please?

    • @13Cubed
      @13Cubed  6 years ago

      Looking at the code, it appears as if the cache you are attempting to analyze is corrupt, or otherwise unable to be parsed by the utility (possibly of unexpected size). Can you try RDP cache from an alternate machine and see if you receive the same results?

    • @xZomBz7
      @xZomBz7 6 years ago

      13Cubed, the cache that I should analyse comes from a forensic challenge on root-me and I don't think it's corrupted. But I could be wrong; do you know which method/tools I can use to detect corruption? And I don't have another bmc file for testing, I'll try to find one later (it's 1am for me ^^).

    • @xZomBz7
      @xZomBz7 6 years ago

      And yes, I've already checked the integrity and it's OK; my bmc file is 9 MB. Excuse me, I replied with the wrong account.

    • @13Cubed
      @13Cubed  6 years ago

      Interesting. I would suggest another tool, but there really isn't one to my knowledge (besides EnScripts). I haven't had any issues with the tool to this point, so unfortunately I'm afraid I can't be of much help.

    • @xZomBz7
      @xZomBz7 6 years ago +1

      13Cubed, no problem, thank you for your answer. Anyway, your videos are really cool. Good job.