RDP Persistent Bitmap Cache

windowsUser ActivityDisk Image

Location

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache*.bmc and cache*.bin

Description

Cached 64x64 pixel bitmap tiles from Remote Desktop Protocol sessions stored locally on the RDP client machine. These tiles represent fragments of the remote desktop display that can be reconstructed into partial screenshots.

Forensic Value

RDP bitmap cache provides visual evidence of what an attacker saw and did during remote desktop sessions, even if the remote server has been wiped or encrypted by ransomware. Tiles can be reconstructed into partial screenshots showing open applications, file listings, command prompts, and sensitive data displayed on the remote desktop. This evidence survives on the source machine regardless of the state of the destination machine.

Tools Required

bmc-toolsRDP Bitmap Cache ParserKAPEAutopsy

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical