RDP Persistent Bitmap Cache

Windows · User Activity · Disk Image

Location

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache*.bmc and cache*.bin

Description

Cached 64x64 pixel bitmap tiles from Remote Desktop Protocol sessions stored locally on the RDP client machine. These tiles represent fragments of the remote desktop display that can be reconstructed into partial screenshots.

Forensic Value

RDP bitmap cache provides visual evidence of what an attacker saw and did during remote desktop sessions, even if the remote server has been wiped or encrypted by ransomware. Tiles can be reconstructed into partial screenshots showing open applications, file listings, command prompts, and sensitive data displayed on the remote desktop. This evidence survives on the source machine regardless of the state of the destination machine.

Tools Required

  • bmc-tools
  • RDP Bitmap Cache Parser
  • KAPE
  • Autopsy

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RDPCache

bmc-tools

python3 bmc-tools.py -s "C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\" -d C:\output\rdp_bitmaps -b

PowerShell

Copy-Item "C:\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*" -Destination C:\output\RDP_Cache\
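As an added example (not from this page and not bmc-tools' own code), here is the kind of reconstruction the bmc-tools -b option performs, in Python: it walks a Cache*.bin blob, assuming the RDP8 layout (an "RDP8bmp\0" magic plus a 4-byte version, then per tile a 12-byte header of two uint32 keys and uint16 width/height, followed by 32-bpp BGRA pixels), stops cleanly at a truncated tail, and stitches the tiles into a collage written as a BMP. The tile layout is an assumption, and the input is constructed.

```python
import struct

BIN_MAGIC = b"RDP8bmp\x00"         # assumed: magic at the start of every Cache*.bin
TILE_HDR = struct.Struct("<IIHH")  # assumed: key1, key2, width, height (12 bytes)

def parse_bin_cache(data):
    """Return [(key, width, height, bgra_bytes), ...] from a Cache*.bin blob (32 bpp BGRA)."""
    if not data.startswith(BIN_MAGIC):
        raise ValueError("not an RDP8 bitmap cache file")
    pos, tiles = len(BIN_MAGIC) + 4, []    # skip magic plus 4-byte version field
    while pos + TILE_HDR.size <= len(data):
        k1, k2, w, h = TILE_HDR.unpack_from(data, pos)
        pos += TILE_HDR.size
        n = w * h * 4
        if not (0 < w <= 64 and 0 < h <= 64) or pos + n > len(data):
            break                          # corrupt or truncated tail: keep what was recovered
        tiles.append(((k1, k2), w, h, data[pos:pos + n]))
        pos += n
    return tiles

def collage(tiles, cols=8, cell=64):
    """Drop each tile, top-left aligned, into a 64x64 grid; return (width, height, BGRA bytes)."""
    rows = (len(tiles) + cols - 1) // cols
    W, H = cols * cell, rows * cell
    canvas = bytearray(W * H * 4)          # black background for unfilled cells
    for i, (_, w, h, px) in enumerate(tiles):
        ox, oy = (i % cols) * cell, (i // cols) * cell
        for y in range(h):
            dst = ((oy + y) * W + ox) * 4
            canvas[dst:dst + w * 4] = px[y * w * 4:(y + 1) * w * 4]
    return W, H, bytes(canvas)

def write_bmp(path, W, H, bgra):
    """Write a top-down 32-bpp BMP so the collage opens in any image viewer."""
    hdr = struct.pack("<2sIHHI", b"BM", 54 + len(bgra), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, W, -H, 1, 32, 0, len(bgra), 2835, 2835, 0, 0)
    with open(path, "wb") as f:
        f.write(hdr + dib + bgra)

def make_sample():
    """Constructed input: a red 64x64 tile, a green 32x16 tile, then a truncated third tile."""
    body = TILE_HDR.pack(1, 0xABCD, 64, 64) + b"\x00\x00\xff\xff" * (64 * 64)
    body += TILE_HDR.pack(2, 0xABCD, 32, 16) + b"\x00\xff\x00\xff" * (32 * 16)
    body += TILE_HDR.pack(3, 0xABCD, 64, 64) + b"\x00" * 10   # header claims 16 KiB, only 10 follow
    return BIN_MAGIC + struct.pack("<I", 4) + body

if __name__ == "__main__":
    tiles = parse_bin_cache(make_sample())
    write_bmp("rdp_collage.bmp", *collage(tiles))
```

Point parse_bin_cache at the bytes of a real Cache*.bin from the path above to get a quick triage collage; the tile keys are what the analyst can later match across sessions.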

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1021.001 (Remote Services: Remote Desktop Protocol)
  • T1113 (Screen Capture)