RDP Cache Files
Overview
Evidence: RDP Cache Files
Description: Collect RDP Cache Files
Category: Other Evidence
Platform: Windows
Short Name: rdpc
Is Parsed: No - Raw cache files
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Remote Desktop client caches screen bitmaps to improve performance over slow connections. These cached bitmap tiles are stored in the user's profile and can be reconstructed to reveal what was visible on remote desktop sessions.
RDP cache files can provide visual evidence of remote desktop activity and potentially recover sensitive information viewed during RDP sessions.
Data Collected
Field | Description | Example
Name | Artifact name | RDP Cache Files
Type | Folder | Folder
SourcePath | Original folder path | C:\Users\user\AppData\Local\Microsoft\Terminal Server Client\Cache
Path | Relative path in evidence | Other/Cache
Collection Method
This collector collects RDP cache directories:
Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache
The entire cache directory with all bitmap cache files is collected.
Usage
RDP cache can reveal visual content from remote desktop sessions. Investigators use this data to recover screen content from RDP sessions, prove remote desktop usage, identify accessed remote resources, and reconstruct user actions on remote systems.
Known Limitations
Bitmap tiles must be reconstructed to view content
Requires specialized tools (BMC-Tools, RdpCacheStitcher)
May not contain complete screens
Cache cleared when RDP client exits or cache fills
Notes
Tools like BMC-Tools or bmc-tools.py can reconstruct images from RDP cache files. The cache can reveal passwords, documents, and other sensitive information viewed over RDP.
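The following Python script is an added example, not part of the collector or of the tools named above. It inventories the cache folders matched by the collection path and flags incomplete tile data before reconstruction is attempted. The function names are hypothetical, and the `Cache????.bin` layout it checks (signature, then tiles with a 12-byte header) is an assumption not stated on this page.

```python
import hashlib
import struct
from pathlib import Path

# Relative pattern from the "Collection Method" section above.
CACHE_GLOB = "Users/*/AppData/Local/Microsoft/Terminal Server Client/Cache"
# Assumption (not from this page): Cache????.bin files start with this
# 8-byte signature plus a 4-byte version, followed by tiles laid out as
# [8-byte key][uint16 width][uint16 height][width*height*4 pixel bytes].
BIN_MAGIC = b"RDP8bmp\x00"


def count_bin_tiles(data: bytes):
    """Return (complete_tiles, truncated), or None if data is not a .bin cache."""
    if not data.startswith(BIN_MAGIC) or len(data) < 12:
        return None
    pos, tiles = 12, 0
    while pos + 12 <= len(data):
        width, height = struct.unpack_from("<HH", data, pos + 8)
        end = pos + 12 + width * height * 4
        if width == 0 or height == 0 or end > len(data):
            return tiles, True  # damaged or partially written tile
        tiles, pos = tiles + 1, end
    return tiles, pos != len(data)  # leftover bytes also mean truncation


def inventory(root):
    """Hash and describe every file in each user's RDP cache folder under root."""
    rows = []
    for cache_dir in sorted(Path(root).glob(CACHE_GLOB)):
        if not cache_dir.is_dir():
            continue
        user = cache_dir.relative_to(root).parts[1]  # Users/<user>/...
        for f in sorted(p for p in cache_dir.iterdir() if p.is_file()):
            data = f.read_bytes()
            rows.append({
                "user": user,
                "file": f.name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "bin_tiles": count_bin_tiles(data),
            })
    return rows


if __name__ == "__main__":
    import sys
    for row in inventory(sys.argv[1]):  # root of a mounted image or export
        print(row)
```

Recording the SHA-256 of each cache file before running a reconstruction tool lets the reconstructed images be tied back to the unmodified evidence.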