Published on February 12th, 2018

RDP Cache Forensics

As a continuation of the "Introduction to Windows Forensics" series, this video introduces Remote Desktop Protocol (RDP) Cache Forensics. Did you know that when you use the mstsc.exe RDP client on Windows, a cache is stored within your user profile? The cache consists of compressed bitmap data that you’ll need to extract before being able to view it. The purpose of the cache, as you might imagine, is to improve performance by storing sections of the screen that change infrequently.

In this video, we’ll take a look at a tool that can extract these bitmap files, allowing us to reassemble sections of the screen manually (not unlike putting together a puzzle). We can often glean data such as file names, icons, backgrounds, and various other data that could be useful in helping us determine the actions of a given user (or at the very least, help focus our investigation).
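As an added example (not code from the video or from either tool linked below), the Python below walks one cache container and lays its tiles out in a grid so they can be eyeballed like the puzzle described above. It assumes the layout the bmc-tools parser reads for mstsc's Cache*.bin files, which this page does not spell out: an 8-byte "RDP8bmp\0" signature plus a 32-bit version, then per tile a 12-byte header (two 32-bit keys, 16-bit width and height) followed by raw 32-bit BGRA pixels; the sample container is constructed inside the script.

```python
import struct

MAGIC = b"RDP8bmp\x00"          # assumed signature of mstsc's Cache*.bin containers

def parse_bin_container(data):
    """Return (key1, key2, width, height, bgra) tiles; stop cleanly at a truncated tail."""
    if data[:8] != MAGIC:
        raise ValueError("not an RDP8bmp container")
    tiles, off = [], 12                       # skip 8-byte magic + uint32 version
    while off + 12 <= len(data):
        key1, key2, w, h = struct.unpack_from("<IIHH", data, off)
        off, size = off + 12, w * h * 4
        if w == 0 or h == 0 or off + size > len(data):
            break                             # zero-sized or cut-off tile: keep what we have
        tiles.append((key1, key2, w, h, data[off:off + size]))
        off += size
    return tiles

def mosaic_bmp(tiles, cell=64, per_row=8):
    """Lay tiles out left-to-right in fixed cells and return a 32bpp BMP as bytes."""
    rows = max(1, -(-len(tiles) // per_row))
    width, height = per_row * cell, rows * cell
    canvas = bytearray(width * height * 4)    # top-down canvas, black background
    for n, (_, _, w, h, px) in enumerate(tiles):
        x0, y0 = (n % per_row) * cell, (n // per_row) * cell
        span = min(w, cell) * 4
        for y in range(min(h, cell)):         # copy one scanline at a time, clipped to the cell
            dst = ((y0 + y) * width + x0) * 4
            canvas[dst:dst + span] = px[y * w * 4: y * w * 4 + span]
    # BMP stores rows bottom-up, so emit the canvas rows in reverse order
    body = b"".join(canvas[r * width * 4:(r + 1) * width * 4] for r in reversed(range(height)))
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0, len(body), 2835, 2835, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(body), 0, 0, 14 + 40)
    return head + info + body

def build_sample_container(tiles):
    """Constructed test data (not a real cache): serialise tiles in the assumed layout."""
    out = bytearray(MAGIC + struct.pack("<I", 0))
    for key1, key2, w, h, px in tiles:
        out += struct.pack("<IIHH", key1, key2, w, h) + px
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample_container([(1, 2, 2, 2, b"\xff\x00\x00\xff" * 4)])
    with open("mosaic.bmp", "wb") as f:
        f.write(mosaic_bmp(parse_bin_container(sample), cell=4, per_row=2))
```

Point `parse_bin_container` at the bytes of a real container and open the resulting mosaic.bmp in any image viewer; tiles shorter than the cell size are padded with black rather than resized.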

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

Introduction to Windows Forensics:

BMC-Tools:
https://github.com/ANSSI-FR/bmc-tools

RDP Cached Bitmap Extractor:
https://www.guidancesoftware.com/app/RDP-Cached-Bitmap-Extractor

Background Music Courtesy of Modern Vintage Gamer:
https://www.youtube.com/modernvintagegamer

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
