RDP Bitmap Cache Forensics
Performing forensics on the RDP Bitmap Cache via a Hackthebox challenge
RDP Bitmap Cache
Remote Desktop Protocol (RDP) is a protocol developed by Microsoft that allows users to connect to other Windows operating systems with a graphical user interface (GUI). In order to enhance the RDP user experience and reduce the data throughput on your network, RDP Bitmap Cache was implemented.
In simple terms, it stores small bitmap tiles of your RDP session in a file so that the session can reuse these images instead of re-downloading them, reducing potential lag.
The bitmaps can get stored on disk and are available for the RDP client, allowing it to load them from disk instead of waiting on the latency of the network connection.
This means that if an attacker connected to a compromised system via RDP from one of their own devices, you are unlikely to be able to collect this artifact. However, if an attacker hops around your network, look at the source systems the attacker is connecting from and try to collect these cache files.
The location of these files varies between versions of Windows:
For Windows XP
For Windows 7
Why is analyzing the bitmap cache important?
If an attacker is pivoting between systems in an environment using Remote Desktop, the bitmap cache written during the attacker's session can be found on the system where the connection was initiated. The reconstructed bitmaps show what was rendered on the attacker's screen, so by piecing the tiles back together it may be possible to observe what the attacker saw while connected to the compromised systems.
Practical Example
Now we will perform a practical forensic analysis of the RDP Bitmap Cache via a challenge on Hackthebox called "No Place To Hide".
First, download and unzip the challenge file, then check the file type.
The .bmc file is created by the Windows RDP client. Check the header of the files with strings:
The header contains RDP8dump, so we can use bmc-tools to perform the forensics.
Clone the above repo and run the bmc-tools.py script.
The -s flag specifies the source file (here Cache0000.bin) and -d the destination folder.
The script extracted a large number of tile images from the cached screen. To get a better view, let's stitch all those tiles into a single image with the -b option.
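As an added example, not part of the original post or of bmc-tools, the following pure-Python extractor walks a .bin container using the layout that the bmc-tools parser works with: an 8-byte `RDP8bmp\0` magic plus a 4-byte field, then per tile a 12-byte header (two 32-bit keys, 16-bit width and height) followed by width*height*4 bytes of 32-bit BGRA pixels. The header layout, the 64-pixel tile limit and the sample bytes are assumptions constructed here; it writes each tile and a collage as BMP files, mirroring what -s/-d and -b do.

```python
import struct
MAGIC = b"RDP8bmp\x00"              # assumed container magic (as bmc-tools checks it)
HEADER_LEN = 12                     # magic plus a 4-byte field we skip, as bmc-tools does
TILE_HDR = struct.Struct("<LLHH")   # assumed per-tile header: key1, key2, width, height

def parse_rdp8_cache(data: bytes) -> list:
    """Return [(key1, key2, width, height, bgra_pixels), ...]; stops at a corrupt entry."""
    if not data.startswith(MAGIC):
        raise ValueError("not an RDP8 bitmap cache container")
    tiles, off = [], HEADER_LEN
    while off + TILE_HDR.size <= len(data):
        key1, key2, w, h = TILE_HDR.unpack_from(data, off)
        off += TILE_HDR.size
        n = w * h * 4                               # 32-bit BGRA, no row padding
        if not (0 < w <= 64 and 0 < h <= 64) or off + n > len(data):
            break                                   # truncated/corrupt: keep what we have
        tiles.append((key1, key2, w, h, data[off:off + n]))
        off += n
    return tiles

def to_bmp(w: int, h: int, bgra: bytes) -> bytes:
    """Wrap raw BGRA pixels in a 32bpp BMP (rows bottom-up; reverse rows if tiles look flipped)."""
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(bgra), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, w, h, 1, 32, 0, len(bgra), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + bgra

def collage(tiles: list, cols: int = 8, cell: int = 64):
    """Place tiles on a grid of cell x cell slots (black padding), like bmc-tools' -b."""
    width, height = cols * cell, -(-len(tiles) // cols) * cell
    canvas = bytearray(width * height * 4)
    for idx, (_, _, w, h, bgra) in enumerate(tiles):
        x0, y0 = (idx % cols) * cell, (idx // cols) * cell
        for y in range(h):
            dst = ((y0 + y) * width + x0) * 4
            canvas[dst:dst + w * 4] = bgra[y * w * 4:(y + 1) * w * 4]
    return width, height, bytes(canvas)

def build_sample() -> bytes:
    """Constructed container with two solid-colour tiles; not data from a real cache."""
    red, blue = b"\x00\x00\xff\xff", b"\xff\x00\x00\xff"      # BGRA pixels
    body = TILE_HDR.pack(1, 0, 2, 2) + red * 4 + TILE_HDR.pack(2, 0, 1, 3) + blue * 3
    return MAGIC + b"\x00\x00\x00\x00" + body

if __name__ == "__main__":
    tiles = parse_rdp8_cache(build_sample())
    for k1, k2, w, h, px in tiles:
        open(f"tile_{k1:08x}_{k2:08x}.bmp", "wb").write(to_bmp(w, h, px))
    w, h, px = collage(tiles)
    open("collage.bmp", "wb").write(to_bmp(w, h, px))
```

To run it against real evidence, replace `build_sample()` with the bytes of a Cache000N.bin file; the parser stops cleanly at a truncated final entry rather than emitting garbage.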
The stitched image looks jumbled, because the tiles are laid out in cache order rather than screen order, but they are the original pixels. Looking at the top, we can spot our flag.
Thank you for reading 😄