Using RDP Bitmap Caches
I will open the next document, which is the RDPEGDI document, and here we have a chapter within the document with the number 220.127.116.11.1, and within this chapter, you can see “Bitmap Caches.” If I jump to this chapter, here is a document on how bitmaps are cached. Within the RDP protocol, not only bitmaps are cached, but bitmaps are cached in a way making them stored on the drive. If I switch my hat from being an administrator to the forensic investigator, every single time when I hear anything about disk storage for the cache, I must be excited, but as it means that some data will remain there and will be ready for the investigation.
If I want to find the place how the data is being stored, I can, of course, run Process Monitor. I have a filter set to MSTSC client, and here, if I run MSTSC client, if I connect to some hosts, something will happen, of course, it will be monitored. Some session is opened as some Hyper-V Manager, this place does not matter that much. It is perfectly enough for the data being collected.
Now, I can see for the cache00, and I can easily find that data being collected by process monitor. I can see a lot of ReadFile operations on cache.
If I jump to this directory (which is perfectly possible from here by “Jump to” or just by opening the proper folder), I can see I have a couple of files, and those files are connecting a cache, which is split into tiles as the cache is not just a bunch of screenshots, but is a set of tiles, like tiny puzzles.
If you open any of those files with an editor, you can see, internally, those files are containing bitmaps. If you are familiar with bitmaps, you will easily see the pattern scene that we are facing, just a bitmap stored without any compression, without any encryption or anything like this, hopefully.
Converting a cache file into sets of puzzles
I have created a tiny PowerShell script when I specify the tile size for the puzzle size – 64 is the default value for Windows 10. And then I’m going to the full file, trying to read the file chunk, then analyze it, setting $red, $green, and $blue values, then setting a pixel to the proper value, and finally, save it to the file on the drive. So I’m converting a cache file into the set of puzzles.
It may take some time as every single bit of the file must be analyzed, and we are doing this on the PowerShell, but at the same time, we have a perfect control over it. As I promised at the very beginning, I can share and I will share the script with you. If we go to the output folder, we can see for this particular file, which was freshly initiated, four sets of the data. If I browse through those, I can see parts of the image user had on his desktop.
Is it like ready to use proof for the cord, or some other very strict scenarios? Of course not, but if I dig through those bitmaps, through those sets of 64×64 puzzles, I can, for example, find information like here. You can see the date: 4/17/2018. And the time: 8:52 p.m.
And you probably realized easily it is Hyper-V management, so it is not the proof itself, but the same time, it provides very valuable information: where to dig next? What happened when someone connected to the RDP server?
If I put my security and administrator’s hat back on, I have to ask myself what to do, to not to have this data stored? Should I clean it up after every single RDP connection usage? Not really. If you display RDP connection help, you can easily find that within the parameters you have /public parameter. /public, which is not explained very deeply here, runs a remote desktop in public mode. It actually means that cache is not being stored in the folder where it’s stored usually, so you are not leaving any trace.
But if you want to perform any investigation of your files or some files you have to analyze for some other reasons, feel free to play with PowerShell, feel free to modify it. You can also use another CQURE tool we have prepared for you. You can share your comments about how you can improve the file for converting cache to bitmaps in comments for this blog post or the video. Thank you, and have fun with the encryption of your cache.
- author Grzegorz Tworek