Blind Forensics with the RDP Bitmap Cache

Ronald Craft
Jul 25, 2022

Introduction

What do you do when you’re conducting a forensic investigation and you know the threat actor RDP’d into a system, but you’re essentially blind to most of their activities because you have virtually no logs available to prove what they actually did on the system?

Look no further than the RDP Bitmap Cache!

What is the RDP Bitmap Cache?

The RDP Bitmap Cache is a forensic artifact that’s rarely spoken of, but can yield some quick wins in an investigation.

So, first things first: what is the RDP Bitmap Cache?

According to the official Microsoft documentation: “Bitmap caches are used by the client and server to store graphic bitmaps. Each bitmap cache holds bitmaps of a specified size in pixels (known as the “tile size”). If a bitmap does not fit into a single cache entry, the server uses a tiling algorithm to divide the bitmap into tiles that will fit into the cache entries so that they can be stored separately into the cache.”

What does this mean in plain English? Basically, the RDP client stores pieces of the remote screen locally so that a tile it has already received does not have to be sent again, which speeds up sessions and reduces latency. The feature dates from the days when internet connections were extremely slow (think dial-up) and RDP sessions were sluggish at best, but it is not dead weight: it is still enabled by default in mstsc (the “Persistent bitmap caching” option on the Experience tab), which is why the artifact is still there on modern clients.

The one caveat is that these images are stored only on the client, never on the server receiving the connection, so if a threat actor uses their own system to RDP into a host those files will not be available for analysis. However, if they use RDP from a system inside the victim’s network to move laterally, the cache will be sitting on that pivot host, in the profile of whichever account they ran the RDP client as. That is where the RDP Bitmap Cache comes into play.

Where to find the cache and parsing it

On Windows 7 and later you’ll find the RDP Bitmap Cache in the following location:

C:\Users\<USER>\AppData\Local\Microsoft\Terminal Server Client\Cache\

Under this folder you’ll see some combination of two file types. The older style is a set of “bcache” files with a number appended (2, 22 or 24), i.e. “bcache22.bmc” or “bcache24.bmc”; the suffix reflects the colour depth of the cached bitmaps (bcache24.bmc holds 24-bit tiles), so a higher number means richer tiles rather than an image “quality” setting as such. Newer clients write “CacheXXXX.bin” files with the X’s replaced by numbers, i.e. “Cache0000.bin”, “Cache0001.bin”, etc.

Meanwhile, the “Cache” files are not one-per-session: the client fills the numbered files sequentially as tiles arrive, and nothing in a tile records which remote host it came from. On a busy system with many RDP sessions under one user, tiles from different sessions and different destinations will be intermixed, so use the files’ Windows timestamps, together with corroborating artifacts such as the Microsoft-Windows-TerminalServices-RDPClient/Operational event log and the Terminal Server Client\Servers key under HKCU, to narrow down which cache files and which stretch of tiles are relevant.
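To make the container format concrete, here is a small parser for the Cache00XX.bin files, added for this write-up; it is not code from ANSSI’s bmc-tools, and the record layout it assumes (an optional 12-byte file header starting with the magic “RDP8bmp”, then back-to-back records of an 8-byte cache key, 16-bit width, 16-bit height and width*height*4 bytes of 32-bpp BGRA pixels stored bottom-up) is my reading of how such files are laid out, so verify it against bmc-tools before relying on it. The build_sample_cache() input is constructed for offline testing and is not a real cache.

```python
"""Parse an RDP bitmap-cache container (Cache00XX.bin) into BMP tiles.

Added example, not code from ANSSI's bmc-tools. The record layout below is
an assumption to verify against bmc-tools before relying on it: an optional
12-byte file header beginning with the magic b"RDP8bmp\\x00", then back-to-back
tile records of
    8-byte cache key | uint16 width | uint16 height | width*height*4 bytes
of 32-bpp BGRA pixels, rows assumed to be stored bottom-up (BMP order; if
your tiles come out upside down, negate the height in tile_to_bmp).
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List

BIN_MAGIC = b"RDP8bmp\x00"
BIN_HEADER_LEN = 12                    # assumed: magic + 4-byte version field
TILE_HEADER = struct.Struct("<8sHH")   # key, width, height


@dataclass
class Tile:
    key: bytes
    width: int
    height: int
    pixels: bytes                      # raw 32-bpp BGRA, bottom-up rows


def parse_bin_cache(data: bytes) -> Iterator[Tile]:
    """Yield tiles from the bytes of one Cache00XX.bin file.

    A cache copied from a live system is often cut off mid-record, so a
    truncated or zero-sized trailing record ends parsing instead of raising.
    """
    off = BIN_HEADER_LEN if data.startswith(BIN_MAGIC) else 0
    while off + TILE_HEADER.size <= len(data):
        key, w, h = TILE_HEADER.unpack_from(data, off)
        off += TILE_HEADER.size
        n = w * h * 4
        if w == 0 or h == 0 or off + n > len(data):
            break
        yield Tile(key, w, h, data[off:off + n])
        off += n


def tile_to_bmp(t: Tile) -> bytes:
    """Wrap raw 32-bpp pixels in BITMAPFILEHEADER + BITMAPINFOHEADER (54 bytes).
    32-bpp rows are already 4-byte aligned, so no padding is needed."""
    img_size = t.width * t.height * 4
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + img_size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, t.width, t.height, 1, 32, 0,
                           img_size, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + t.pixels


def collage(tiles: List[Tile], per_row: int = 64) -> Tile:
    """Lay equally sized tiles out in a grid (the idea behind bmc-tools' -b)
    so a whole cache file can be eyeballed as one image."""
    if not tiles:
        raise ValueError("no tiles to lay out")
    w, h = tiles[0].width, tiles[0].height
    if any((t.width, t.height) != (w, h) for t in tiles):
        raise ValueError("collage() expects tiles of one size")
    cols = min(per_row, len(tiles))
    rows = -(-len(tiles) // cols)       # ceiling division
    row_bytes = w * 4
    lines = []                          # canvas scanlines, top-down
    for r in range(rows):
        for y in range(h):              # y counted top-down within a tile
            line = bytearray()
            for c in range(cols):
                i = r * cols + c
                if i < len(tiles):
                    src = h - 1 - y     # tile rows are stored bottom-up
                    line += tiles[i].pixels[src * row_bytes:(src + 1) * row_bytes]
                else:
                    line += b"\x00" * row_bytes   # pad the last row with black
            lines.append(bytes(line))
    return Tile(b"\x00" * 8, cols * w, rows * h, b"".join(reversed(lines)))


def build_sample_cache(n_tiles: int = 3, size: int = 64) -> bytes:
    """Constructed input for offline testing, not a real cache: n solid
    64x64 tiles whose colour and key encode their index."""
    out = bytearray(BIN_MAGIC + b"\x01\x00\x00\x00")
    for i in range(n_tiles):
        bgra = bytes([i * 40, 0, 255 - i * 40, 0xFF])
        out += TILE_HEADER.pack(i.to_bytes(8, "little"), size, size)
        out += bgra * (size * size)
    return bytes(out)


if __name__ == "__main__":
    import pathlib
    import sys
    src = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else None
    data = src.read_bytes() if src else build_sample_cache()
    tiles = list(parse_bin_cache(data))
    out_dir = pathlib.Path("tiles_out")
    out_dir.mkdir(exist_ok=True)
    for n, t in enumerate(tiles):
        (out_dir / f"{n:04d}_{t.key.hex()}.bmp").write_bytes(tile_to_bmp(t))
    (out_dir / "collage.bmp").write_bytes(tile_to_bmp(collage(tiles)))
    print(f"{len(tiles)} tiles written to {out_dir}/")
```

Run it with a path to a Cache0000.bin to get one BMP per tile plus a collage, or with no argument to exercise it on the constructed sample. The file name keeps the 8-byte cache key, which is the only per-tile identifier the container gives you; it is a cache key, not a host or session identifier, so it cannot be used to attribute a tile to a particular destination.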

BMC Tools

Enter bmc-tools, a wonderful open-source tool from ANSSI that parses the RDP Bitmap Cache into something usable for your investigation. It is written in Python and runs equally well on Linux or Windows from the command line. The -s argument takes either a single cache file or the whole Cache directory, and -d names the output directory:

./bmc-tools.py -s cache0000 -d cache0000_parsed -b

I like to include the -b option because it generates a collage which aggregates all of the tiles to give you a quick and easy way to view the entirety of the output. The individual tiles are going to be messy as shown below.

Just looking at this, you can tell that it’s Windows Server 2012 R2 — but it’s not pretty, right? If we look at the collage generated we’ll see parts of it that are almost readable, but still pretty messy like so:

Some things come through pretty nicely, but others are frustratingly fractured. So what can we do about this? Well, I hope you like jigsaw puzzles…

RDPieces

If you’re interested in another command line tool, look no further than RDPieces. This tool is written in Perl and, per the GitHub repo description, “…will parse extracted RDP Bitmap Cache directory(ies) and attempt to rebuild some of the screenshots automatically”.

Example usage:

perl rdpieces.pl -source cache0002/ -output cache0002_rebuilt/

The whole idea behind this tool is to save you time by rebuilding screenshots to the point where you can look at one and understand what you are seeing. For example, if the user opened a command prompt and entered a command, the hope is that enough survives for you to get the gist of the command and understand what they were running on the system.

In practice, I find the results to be kind of hit or miss though.

Your experience is going to vary drastically from one RDP session to the next with this tool, but it does process the images very quickly so it’s worth giving a shot even if you don’t always get good results from it.

But wait, there’s another option…

RDP Cache Stitcher

For those that prefer a UI, really enjoy puzzles, or just want to put a human eye to piecing a cache back together instead of relying on a script to do a best-guess job of it… let me introduce you to RDP Cache Stitcher, published by the German BSI (BSI-Bund/RdpCacheStitcher on GitHub). From its GitHub:

“RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. Using raw RDP cache tile bitmaps extracted by tools like e.g. ANSSI’s BMC-Tools (https://github.com/ANSSI-FR/bmc-tools) as input, it provides a graphical user interface and several placement heuristics for stitching tiles together so that meaningful images or even full screenshots can be reconstructed.”

This tool is great because it lets you visualize all of the bitmap images in a separate window (which can be detached and dragged around) and then when you add images to the canvas it’ll automatically suggest similar images to help you complete the picture. So, for example, I have the following:
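To show what a “placement heuristic” actually does, here is a deliberately small edge-matching stitcher, added for this write-up; it is not RdpCacheStitcher’s or RDPieces’ code, only an illustration of the kind of scoring behind their automatic rebuilding and next-tile suggestions. Tiles are grayscale lists of rows, and the only rule is that the tile whose left column best continues the right column of the tile just placed is the most likely neighbour. The synthetic_screen() image is constructed for the demo and is not real cache data.

```python
"""Edge-matching heuristic for putting RDP cache tiles back in order.

Added example: a deliberately small version of the kind of placement
heuristic RdpCacheStitcher and RDPieces use, not their code. Tiles are
grayscale, as lists of rows of 0-255 ints. The cost of placing tile B to
the right of tile A is the sum of absolute differences between A's right
column and B's left column: window borders, text baselines and gradients
continue across tile boundaries in a real screenshot, so the true
neighbour usually scores lowest.
"""
import random
from typing import Dict, List, Tuple

Tile = List[List[int]]          # rows of pixel values, top-down


def edge_cost(left: Tile, right: Tile) -> int:
    """Mismatch between `left`'s right column and `right`'s left column."""
    return sum(abs(a[-1] - b[0]) for a, b in zip(left, right))


def suggest_next(placed: Tile, candidates: Dict[int, Tile],
                 top: int = 3) -> List[Tuple[int, int]]:
    """Rank candidates for the slot to the right of `placed`: [(id, cost)]."""
    ranked = sorted(((cid, edge_cost(placed, t)) for cid, t in candidates.items()),
                    key=lambda pair: pair[1])
    return ranked[:top]


def stitch_row(tiles: Dict[int, Tile], start: int) -> List[int]:
    """Greedily chain tiles rightwards from `start`, always taking the
    lowest-cost candidate. `start` is the tile the analyst anchors on
    (a recognisable corner such as the Start button or a window title)."""
    order = [start]
    remaining = {cid: t for cid, t in tiles.items() if cid != start}
    while remaining:
        best_id, _ = suggest_next(tiles[order[-1]], remaining, top=1)[0]
        order.append(best_id)
        del remaining[best_id]
    return order


def synthetic_screen(width: int = 96, height: int = 16) -> Tile:
    """Constructed stand-in for a screenshot band (not real cache data):
    a horizontal gradient plus two full-width 'window border' lines, so
    features cross tile boundaries the way they do on a real desktop."""
    img = [[(2 * x + y) % 256 for x in range(width)] for y in range(height)]
    for y in (3, 12):
        img[y] = [255] * width
    return img


def cut_tiles(img: Tile, size: int) -> List[Tile]:
    """Cut the top `size` rows of `img` into size x size tiles, left to right."""
    return [[row[x:x + size] for row in img[:size]]
            for x in range(0, len(img[0]), size)]


def demo(seed: int = 7) -> Tuple[List[int], List[int]]:
    """Shuffle the tiles as a cache would present them, then recover the
    row. Returns (recovered order, true order)."""
    tiles = cut_tiles(synthetic_screen(), 16)
    true_order = list(range(len(tiles)))
    shuffled = true_order[:]
    random.Random(seed).shuffle(shuffled)
    pool = {i: tiles[i] for i in shuffled}      # arbitrary insertion order
    return stitch_row(pool, start=0), true_order


if __name__ == "__main__":
    recovered, truth = demo()
    print("recovered:", recovered, "expected:", truth)
    tiles = cut_tiles(synthetic_screen(), 16)
    others = {i: t for i, t in enumerate(tiles) if i != 2}
    print("after tile 2, suggestions (id, cost):", suggest_next(tiles[2], others))
```

The real tools score all four sides of a placed tile and let a human resolve ties; this version only chains to the right, which is enough to see why the suggestion list on the right-hand side of RDP Cache Stitcher is usually right about the next tile but falls apart on flat regions (a solid desktop background scores the same against every other solid tile) and on caches where tiles from several hosts are mixed together.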

For the sake of this example, let’s say I’m just trying to validate the version of Windows. I can pretty much piece it together from the bitmaps here, but I want to be 100% sure. So, let’s start dropping images on the canvas…

I’ve placed a few images at this point and you can see on the right side that RDP Cache Stitcher is making recommendations on which image I should use next. There’s an option to hide used tiles, so if you’re trying to rebuild the entire picture it’ll automatically remove used bitmaps from the list of options which is really helpful! But we’re not done yet, so let’s go ahead and finish up…

Bam! There’s our finished image confirming Windows Server 2012 R2. This isn’t the most exciting of examples, but it does show what the tool is capable of.

But wait, you wanted a really exciting example of what you can do with the RDP Bitmap Cache? Well, look no further than this example from a DHS investigation posted by @ItsReallyNick on Twitter:

This was likely hours upon hours of meticulous work by a single person as they took hundreds (or even thousands) of bitmap images and reassembled them to get this final image which was part of this APT investigation conducted by DHS.

Wrapping it all up

Of all of the artifacts that we often use when conducting forensic investigations, the RDP Bitmap Cache is one of the more traditional detective-like artifacts. It requires time, effort, and a whole lot of coffee just to put together a complete picture of a single session. However, when other artifacts are lacking or additional context is needed (perhaps for a legal investigation or proving APT activity) it can be incredibly helpful in building a complete picture of what the threat actor was doing on that system (pun intended).

Kudos to the authors of the open-source tools listed above. None of this would be doable without their efforts. The DFIR community is unique in that it has a ton of individuals that love to give back to the community and release open-source tools for the benefit of others. I love it!

I hope this has been helpful. Keep this technique in your back pocket and I promise you that the day will come when you’ll be working on a case where having knowledge of the RDP Bitmap Cache and how to parse it will save the day.

Thanks for reading and see you next time!

Originally published at https://www.linkedin.com.


Ronald Craft

Consultant in the Incident Response industry with a passion for sharing the knowledge he gains along the way.