As a continuation of the “Introduction to Windows Forensics” series, this video introduces Remote Desktop Protocol (RDP) Cache Forensics. Did you know that when you use the mstsc.exe RDP client on Windows, a cache is stored within your user profile? The cache consists of compressed bitmap data that you’ll need to extract before being able to view it. The purpose of the cache, as you might imagine, is to improve performance by storing sections of the screen that change infrequently.
In this video, Richard Davis will show you a tool that can extract these bitmap files, allowing us to reassemble sections of the screen manually (not unlike putting together a puzzle). You can often glean file names, icons, backgrounds, and various other artifacts that could be useful in helping us determine the actions of a given user (or at the very least, help focus your investigation).
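As an added example that is not from the video or its author, the script below shows the extract-then-reassemble step in code: it reads an RDP bitmap cache file of the modern `Cache####.bin` kind (on a live Windows system these sit under `%LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\`), pulls out each cached tile, and lays the tiles out on a grid so an analyst can start the puzzle. The on-disk layout it assumes (a 12-byte file header beginning `RDP8bmp\0`, then per tile an 8-byte key, a 16-bit width, a 16-bit height and width*height*4 bytes of raw 32-bit BGRA pixels) is taken from the open-source bmc-tools parser and is an assumption here; the older compressed `bcache*.bmc` format the text alludes to is not decoded. The cache file is constructed in memory so the script runs offline, and it tolerates a truncated final tile, which is common when a cache was still being written.

```python
"""Added example (not the video's tool): parse and stitch an RDP Cache####.bin file.
Layout assumed from bmc-tools: 12-byte header, then [key u64][w u16][h u16][w*h*4 BGRA]."""
import struct

FILE_MAGIC = b"RDP8bmp\x00"        # assumed magic of Cache####.bin
FILE_HDR_LEN = 12                  # assumed: magic + 4-byte version
TILE_HDR = struct.Struct("<QHH")   # assumed per-tile header: key, width, height
BPP = 4                            # assumed: 32-bit BGRA pixels, no compression


def parse_bin_cache(data: bytes) -> list:
    """Return [(key, width, height, bgra_bytes), ...] for every intact tile.
    A tile whose pixel data runs past the end of the file is dropped, so a
    truncated or partially overwritten cache still yields its complete tiles."""
    if len(data) < FILE_HDR_LEN or data[:len(FILE_MAGIC)] != FILE_MAGIC:
        raise ValueError("unexpected file header (assumed RDP8bmp magic)")
    tiles, off = [], FILE_HDR_LEN
    while off + TILE_HDR.size <= len(data):
        key, w, h = TILE_HDR.unpack_from(data, off)
        off += TILE_HDR.size
        n = w * h * BPP
        if w == 0 or h == 0 or off + n > len(data):
            break  # truncated tile: keep what was recovered so far
        tiles.append((key, w, h, bytes(data[off:off + n])))
        off += n
    return tiles


def stitch(tiles, columns: int, tile_w: int = 64, tile_h: int = 64):
    """Place tiles left-to-right, top-to-bottom on a fixed grid and return
    (width, height, rgb_rows). Cache order is not screen order, so the grid is
    the starting point for manual reassembly, not the finished screen."""
    tile_rows = (len(tiles) + columns - 1) // columns
    width, height = columns * tile_w, tile_rows * tile_h
    canvas = [bytearray(width * 3) for _ in range(height)]  # black background
    for idx, (_key, w, h, bgra) in enumerate(tiles):
        ox, oy = (idx % columns) * tile_w, (idx // columns) * tile_h
        for y in range(min(h, tile_h)):
            for x in range(min(w, tile_w)):
                src = (y * w + x) * BPP
                b, g, r = bgra[src:src + 3]      # BGRA -> RGB, alpha ignored
                dst = (ox + x) * 3
                canvas[oy + y][dst:dst + 3] = bytes((r, g, b))
    return width, height, canvas


def write_ppm(path: str, width: int, height: int, rgb_rows) -> None:
    """Write the collage as binary PPM (P6), viewable in most image tools."""
    with open(path, "wb") as f:
        f.write(b"P6 %d %d 255\n" % (width, height))
        for row in rgb_rows:
            f.write(row)


def _solid_tile(w: int, h: int, bgr) -> bytes:
    """Constructed sample tile: one solid colour in BGRA."""
    return bytes(tuple(bgr) + (0xFF,)) * (w * h)


def build_sample_cache() -> bytes:
    """Constructed Cache####.bin-style file: header plus three 64x64 tiles
    (blue, green, red). Keys and the version value are placeholders."""
    out = bytearray(FILE_MAGIC + struct.pack("<I", 2))
    for key, bgr in ((0x1111, (255, 0, 0)), (0x2222, (0, 255, 0)), (0x3333, (0, 0, 255))):
        out += TILE_HDR.pack(key, 64, 64) + _solid_tile(64, 64, bgr)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_cache()
    tiles = parse_bin_cache(sample)
    w, h, rows = stitch(tiles, columns=2)
    write_ppm("rdp_cache_collage.ppm", w, h, rows)
    print(f"{len(tiles)} tiles -> {w}x{h} collage written to rdp_cache_collage.ppm")
```

To run it against a real file, replace `build_sample_cache()` with the bytes of a `Cache####.bin` read from an acquired profile and pick a column count that makes the collage easy to scan; the per-tile keys are kept in the returned list so a tile in the collage can be traced back to its position in the cache.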