
RDP Cache Forensics


As a continuation of the “Introduction to Windows Forensics” series, this video introduces Remote Desktop Protocol (RDP) Cache Forensics. Did you know that when you use the mstsc.exe RDP client on Windows, a cache is stored within your user profile? The cache consists of compressed bitmap data that you’ll need to extract before being able to view it. The purpose of the cache, as you might imagine, is to improve performance by storing sections of the screen that infrequently change.

In this video, Richard Davis will show you a tool that can extract these bitmap files, allowing us to reassemble sections of the screen manually (not unlike putting together a puzzle). You can often glean details such as file names, icons, backgrounds, and various other data that could help determine the actions of a given user (or at the very least, help focus your investigation).
