RDP Cache Forensics
As a continuation of the "Introduction to Windows Forensics" series, this video introduces Remote Desktop Protocol (RDP) Cache Forensics. Did you know that when you use the mstsc.exe RDP client on Windows, a bitmap cache is stored within your user profile? The cache consists of compressed bitmap data that you’ll need to extract before being able to view it. The purpose of the cache, as you might imagine, is to improve performance by storing sections of the screen that change infrequently.
In this video, we’ll take a look at a tool that can extract these bitmap files, allowing us to reassemble sections of the screen manually (not unlike putting together a puzzle). We can often glean data such as file names, icons, backgrounds, and various other data that could be useful in helping us determine the actions of a given user (or at the very least, help focus our investigation).
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
Introduction to Windows Forensics:
https://www.youtube.com/watch?v=VYROU-ZwZX8
BMC-Tools:
https://github.com/ANSSI-FR/bmc-tools
RDP Cached Bitmap Extractor:
https://www.guidancesoftware.com/app/RDP-Cached-Bitmap-Extractor
Background Music Courtesy of Modern Vintage Gamer:
https://www.youtube.com/modernvintagegamer
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Video "RDP Cache Forensics" from the 13Cubed channel