# RDP Cache Files

## Overview

**Evidence:** RDP Cache\
**Description:** Collect RDP Cache Files\
**Category:** System\
**Platform:** windows\
**Short Name:** rdpc\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

The Remote Desktop client caches screen bitmaps to improve performance over slow connections. These cached bitmap tiles are stored in the user's profile and can be reconstructed to reveal what was visible on remote desktop sessions.

RDP cache files can provide visual evidence of remote desktop activity and potentially recover sensitive information viewed during RDP sessions.

## Data Collected

This collector gathers structured data about rdp cache.

### RDP Cache Data

| Field        | Description               | Example                                                            |
| ------------ | ------------------------- | ------------------------------------------------------------------ |
| `Name`       | Artifact name             | RDP Cache Files                                                    |
| `Type`       | Folder                    | Folder                                                             |
| `SourcePath` | Original folder path      | C:\Users\user\AppData\Local\Microsoft\Terminal Server Client\Cache |
| `Path`       | Relative path in evidence | Other/Cache                                                        |

## Collection Method

This collector collects RDP cache directories:

* `Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache`

The entire cache directory with all bitmap cache files is collected.

## Forensic Value

RDP cache can reveal visual content from remote desktop sessions. Investigators use this data to recover screen content from RDP sessions, prove remote desktop usage, identify accessed remote resources, and reconstruct user actions on remote systems.