RDP Cached Bitmap Extractor
This script parses RDP cache files selected by the user.
The RDP caching mechanism reduces the amount of data that needs to be sent to an RDP client. It does this by caching those parts of the screen that haven't changed since the display was last refreshed.
The script supports two types of cache file: those that have a *.bmc file-extension and those that have a name of the form Cachennnn.bin where nnnn is a 4-digit number. Both types of file are to be found in the following folder -
%localappdata%\Microsoft\Terminal Server Client\Cache
Cache-files store raw bitmaps in the form of tiles. The size of each tile can vary, but a common size is 64 x 64 pixels.
The colour-depth of tiles in a *.bmc file is typically 16 or 32-bits per pixel (bpp). Tiles in a Cachennnn.bin file have a colour depth of 32-bpp.
Notwithstanding the fact that cached tiles are quite small, recognizable content will usually be visible including pictures, file and folder names, icons and desktop wallpaper.
The script provides the option of creating a composite bitmap from two or more cached bitmaps having the same width, height and colour-depth, as read in sequence from a given cache file. This may allow the examiner to identify areas of the screen larger than a single tile.
When using this function, it's important to note that cached tiles representing a given screen-area may not be stored together. Even if they are, they're not guaranteed to be written from left to right, or from top to bottom. It is believed that the direction of the mouse-cursor is responsible for this in part at least.
Taking the direction issue into account, the script allows the examiner to control the direction in which cached tiles are written into each bitmap. Up to four options are available depending on the number of rows to be written (there is no point in writing a separate bitmap for each vertical direction if there is only a single row of tiles).
Interpreting RDP cached-bitmap tiles is not an exact science and the examiner should be aware of a high risk of misinterpretation. Taking this into account, he/she is advised to test the operation of the script against data cached during one of his/her own RDP sessions. That way the benefits/limitations of the script will be better understood.
YOU MAY ALSO LIKE