RDP Cache Files

Overview

  • Evidence: RDP Cache
  • Description: Collect RDP Cache Files
  • Category: System
  • Platform: windows
  • Short Name: rdpc
  • Is Parsed: No
  • Sent to Investigation Hub: Yes
  • Collect File(s): Yes

Background

The Remote Desktop client caches screen bitmaps to improve performance over slow connections. These cached bitmap tiles are stored in the user's profile and can be reconstructed to reveal what was visible on remote desktop sessions.

RDP cache files can provide visual evidence of remote desktop activity and potentially recover sensitive information viewed during RDP sessions.

Data Collected

This collector gathers structured data about the RDP cache.

RDP Cache Data

| Field | Description | Example |
|---|---|---|
| Name | Artifact name | RDP Cache Files |
| Type | Folder | Folder |
| SourcePath | Original folder path | C:\Users\user\AppData\Local\Microsoft\Terminal Server Client\Cache |
| Path | Relative path in evidence | Other/Cache |

Collection Method

This collector collects RDP cache directories:

  • Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache

The entire cache directory with all bitmap cache files is collected.

Forensic Value

RDP cache can reveal visual content from remote desktop sessions. Investigators use this data to recover screen content from RDP sessions, prove remote desktop usage, identify accessed remote resources, and reconstruct user actions on remote systems.
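Because the collector does not parse this evidence, a first triage pass over the collected folder is useful before tile reconstruction. The sketch below is an added example, not the collector's own code: it hashes each file and counts the tile records in `RDP8bmp` containers. The container layout (8-byte signature, 32-bit version, then 12-byte tile headers followed by 32-bit pixels) and the `Cache0000.bin` file name are assumptions taken from public tooling such as ANSSI's bmc-tools, and all function names are hypothetical.

```python
import hashlib
import struct
from pathlib import Path

MAGIC = b"RDP8bmp\x00"             # assumed signature of Cache????.bin files
FILE_HDR = len(MAGIC) + 4           # signature + 32-bit version (assumed)
TILE_HDR = struct.Struct("<LLHH")   # key1, key2, width, height (assumed)

def summarize_bin(data: bytes) -> dict:
    """Count tile records in one container without decoding any pixels."""
    if len(data) < FILE_HDR or not data.startswith(MAGIC):
        return {"format": "unknown", "tiles": 0, "pixels": 0, "complete": False}
    pos, tiles, pixels = FILE_HDR, 0, 0
    while pos + TILE_HDR.size <= len(data):
        _k1, _k2, width, height = TILE_HDR.unpack_from(data, pos)
        end = pos + TILE_HDR.size + 4 * width * height  # 32-bit pixels
        if width * height == 0 or end > len(data):
            break                                       # damaged or cut-off record
        tiles, pixels, pos = tiles + 1, pixels + width * height, end
    return {"format": "RDP8bmp", "tiles": tiles, "pixels": pixels,
            "complete": pos == len(data)}

def inventory(cache_dir) -> list:
    """Hash and summarize every file under a collected Cache folder."""
    rows = []
    for path in sorted(Path(cache_dir).rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rows.append({"file": path.name, "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         **summarize_bin(data)})
    return rows

def build_sample() -> bytes:
    """Constructed container: two blank tiles (64x64 and 64x32), not real evidence."""
    out = MAGIC + struct.pack("<L", 6)
    for key, (w, h) in enumerate([(64, 64), (64, 32)]):
        out += TILE_HDR.pack(key, 0, w, h) + bytes(4 * w * h)
    return out

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Cache0000.bin").write_bytes(build_sample())
        for row in inventory(tmp):
            print(row)
```

A file reported with `complete` set to `False` ended mid-record or contains data the walker did not recognize, so it deserves a manual look before any tiles recovered from it are relied on.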
