
RDP Bitmap Cache - Piece(s) of the Puzzle

In the DFIR world, we talk a lot about the typical artifacts and logs that go into an investigation. Prefetch, LNK files, Jumplists, Shellbags, UserAssist and the like are obviously important, but DFIR is also about thinking outside the box and keeping that “investigative mindset”, right? With that said, let’s talk about something you might not be collecting or analyzing when performing host-based analysis: the RDP Bitmap Cache!


Although this artifact can be hit or miss and is definitely not a “silver bullet”, it is a fantastic and very unique artifact that may provide context, command lines, tool names and more that you would not have identified via traditional routes. Let’s keep thinking outside the box (while we’re on that topic). Picture a situation where a Threat Actor (TA) executed tools and scripts and ran various commands, but logs are scarce and command-line auditing or EDR/XDR telemetry isn’t available. Do you just give up? As a DFIR analyst, you need to think about other artifacts and areas you can leverage to regain that visibility. Restoring from backups, volume shadow copies, memory… RDP Bitmap Cache?!


The Rundown:

  • RDP Bitmap Cache is the RDP client's attempt to speed up your connection by "caching" bitmaps it has already received from the server, so they don't have to be sent again

  • Can be found on Windows XP and newer systems, though the location varies. Note that it lives in the profile of the user who launched the RDP client, on the connecting (source) system:

    • Windows XP - %USERPROFILE%\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\

    • Windows 7+ - %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\ (i.e. %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\)

  • The default location of the files can be changed via the "HKCU\Software\Microsoft\Terminal Server Client" registry key, so check that key if the folder isn't where you expect it

  • The cache can be anywhere from 10 MB to 100 MB in size, depending on the OS

  • The directory will contain BMC (Bitmap Cache, bcache*.bmc) files and BIN (binary, Cache*.bin) files

  • The files will need to be parsed and extracted using various tools

  • Common tools such as BMC-Tools, RDP Cache Stitcher, and RDPieces (amongst others) can be leveraged

  • The older-style BMC cache files carry a 2, 22 or 24 in the filename, for example "bcache2.bmc" or "bcache24.bmc". The number reflects the colour depth (bits per pixel) of the session, e.g. bcache24.bmc for 24-bit colour, rather than an image quality setting. Windows 7+ clients write Cache0000.bin and so on instead


The great thing about this artifact is that it's not too difficult to understand. The most important things are to collect it whenever possible and to understand its limitations. Like many other artifacts, it should be used together with other artifacts and pivot points in your incident. With that said, this post will be simple and to the point. Of course, we'll demo and walk through it together!


Okay, obviously there are limitations with RDP Bitmap Cache, as with most artifacts. It may not be useful in every incident; however, it should definitely be something you collect and analyze, even if it's just for your own morbid curiosity! You may be surprised by what you find when parsing this data. Keep in mind that RDP Bitmap Cache relies on… well… RDP! So this assumes the TA used RDP/Terminal Services and that you have identified the source system (the client) that made those connections, because that is where the cache is written.


So as mentioned above, the idea of RDP Bitmap Cache is to speed up your RDP connection by "caching" commonly seen images or graphic bitmaps. If you'd like to read a more technical explanation of this and how Microsoft describes this, check out their writeup here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpegdi/2bf92588-42bd-4527-8b3e-b90c56e292d2


Essentially, bitmaps are stored in the cache in entries of a fixed size in pixels. If a bitmap exceeds the maximum size of a cache entry, the client applies what Microsoft describes as a "tiling algorithm" to divide the bitmap into tiles, which are then stored in the cache one by one (we'll see the resulting tiles later). Again, this is described in the Microsoft article linked above. The whole point is to optimize the connection for reliability and speed.


If you'd like a deep understanding of the structure of BMC files, check out this great article by CERT-FR (the French government CERT): https://www.cert.ssi.gouv.fr/actualite/CERTFR-2016-ACT-017/. The image below is an excerpt from the above URL describing this structure.

Okay, now that we have a good understanding that RDP bitmap cache is just used to encapsulate images observed during a remote terminal session to optimize the connection, we can talk about how this is used from a forensics perspective. As always, keep in mind that nearly all Windows artifacts aren't specifically designed for forensics, but we can use them as such and to our advantage to tell a story!
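As a worked illustration of that structure, here is an added example (my own code, not from the original post and not BMC-Tools) that parses a Windows 7+ Cache*.bin container and writes each cached tile out as a BMP, plus a quick grid collage of all same-sized tiles so you can eyeball a session at a glance. The layout it relies on is an assumption taken from the CERT-FR writeup as implemented by BMC-Tools: an 8-byte "RDP8bmp\0" magic plus a 4-byte version, then entries made of two 32-bit keys, a 16-bit width and height, and width*height*4 bytes of 32-bpp pixels. It handles only the .bin format, not the older bcache*.bmc files, and the sample container at the bottom is constructed test data, not a real cache.

```python
"""Parse a Windows 7+ RDP persistent bitmap cache container (Cache0000.bin)
and dump each tile as a 32-bpp BMP, plus a grid collage of same-sized tiles.
Added example: not code from the original post or from BMC-Tools. The layout
below is an assumption taken from the CERT-FR description as implemented by
BMC-Tools:  file header = b"RDP8bmp\\x00" + uint32 version (LE);
            entry header = uint32 key1, uint32 key2, uint16 width, uint16 height;
            entry body = width * height * 4 bytes of BGRX pixels (32 bpp)."""
import struct
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List

BIN_MAGIC = b"RDP8bmp\x00"
ENTRY_HDR = struct.Struct("<LLHH")


@dataclass
class Tile:
    index: int
    key1: int
    key2: int
    width: int
    height: int
    pixels: bytes  # BGRX, 4 bytes per pixel, rows assumed top-down


def parse_bin(data: bytes) -> Iterator[Tile]:
    """Yield tiles in cache order. A truncated final entry (cache written while
    a session was live, or a damaged file) ends parsing cleanly, not with an error."""
    if not data.startswith(BIN_MAGIC):
        raise ValueError("not an RDP8bmp container")
    off = len(BIN_MAGIC) + 4  # skip magic + version dword
    idx = 0
    while off + ENTRY_HDR.size <= len(data):
        key1, key2, w, h = ENTRY_HDR.unpack_from(data, off)
        off += ENTRY_HDR.size
        if w == 0 or h == 0:
            continue  # empty entry carries no pixel body
        body = w * h * 4
        if off + body > len(data):
            break  # truncated tail: do not emit a partial tile
        yield Tile(idx, key1, key2, w, h, data[off:off + body])
        off += body
        idx += 1


def to_bmp(tile: Tile) -> bytes:
    """Wrap raw BGRX rows in a BMP file. 32-bpp rows need no padding, and a
    negative biHeight tells viewers the rows are stored top-down."""
    size = len(tile.pixels)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, tile.width, -tile.height,
                           1, 32, 0, size, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + tile.pixels


def collage(tiles: List[Tile], columns: int = 16) -> Tile:
    """Paste every tile matching the first tile's size into one grid in cache
    order; the cache mixes sizes, so tiles of other sizes are skipped."""
    base = tiles[0]
    same = [t for t in tiles if (t.width, t.height) == (base.width, base.height)]
    rows = (len(same) + columns - 1) // columns
    cw, ch = base.width * columns, base.height * rows
    canvas = bytearray(cw * ch * 4)  # black background
    for n, t in enumerate(same):
        cx, cy = (n % columns) * t.width, (n // columns) * t.height
        for y in range(t.height):
            src = t.pixels[y * t.width * 4:(y + 1) * t.width * 4]
            dst = ((cy + y) * cw + cx) * 4
            canvas[dst:dst + len(src)] = src
    return Tile(-1, 0, 0, cw, ch, bytes(canvas))


def dump(bin_path: Path, out_dir: Path) -> int:
    """Write one BMP per tile plus a collage; returns the tile count."""
    tiles = list(parse_bin(bin_path.read_bytes()))
    out_dir.mkdir(parents=True, exist_ok=True)
    for t in tiles:
        name = f"{bin_path.stem}_{t.index:05d}_{t.key1:08x}{t.key2:08x}.bmp"
        (out_dir / name).write_bytes(to_bmp(t))
    if tiles:
        (out_dir / f"{bin_path.stem}_collage.bmp").write_bytes(to_bmp(collage(tiles)))
    return len(tiles)


def sample_container() -> bytes:
    """Constructed test data: three 2x2 tiles (blue, green, red) followed by
    an entry whose header promises a 64x64 body that is not there."""
    def entry(key: int, colour: bytes) -> bytes:
        return ENTRY_HDR.pack(key, key ^ 0xFFFF, 2, 2) + colour * 4
    data = BIN_MAGIC + struct.pack("<I", 1)
    data += entry(1, b"\xff\x00\x00\x00") + entry(2, b"\x00\xff\x00\x00")
    data += entry(3, b"\x00\x00\xff\x00")
    data += ENTRY_HDR.pack(4, 4, 64, 64) + b"\x00" * 16  # truncated entry
    return data


if __name__ == "__main__":
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])  # cache dir, output dir
    for f in sorted(src.glob("Cache*.bin")):
        print(f"{f.name}: {dump(f, dst)} tiles")
```

Run it as `python rdpbin.py "<cache dir>" <output dir>`. The filenames keep the cache order and both keys, which is what lets you line tiles up against each other later; if the tiles come out vertically flipped on your data, the top-down row order assumed in `Tile` is wrong for that client version and the sign of `biHeight` in `to_bmp` should be dropped.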


So, where are these cache files located? Depending on the OS, they can be found in one of two locations inside the profile of the user who ran the RDP client:

  • Windows XP - %USERPROFILE%\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\

  • Windows 7+ - %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\ (i.e. %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\)


Collection is easy, but keep in mind that these files are stored in the client's own binary container format rather than as standalone images, so they can't be opened as-is: you can't "double-click" them or drag and drop them into MS Paint. If we navigate to this folder, we'll see various 'BMC' and 'BIN' files. If the folder isn't there, that user profile hasn't run an RDP session with the built-in client, persistent bitmap caching was disabled (it is an option on the mstsc "Experience" tab), the folder was deleted, or the default location was moved. Again, verify this with other artifacts and analysis, and check every user profile on the box, since the cache belongs to whichever account launched the client.
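To make the "check every profile" step concrete, here is an added triage script (mine, not from the original post). It walks a Users directory on a mounted image or live system, checks both the Windows XP and Windows 7+ cache locations under each profile, and records size, modification time and SHA-256 of every .bmc/.bin file so the collection is documented before anything is parsed. The USERS_ROOT argument and the record layout are assumptions of this example.

```python
"""Triage RDP client bitmap caches for every user profile under a Users
directory (mounted image or live system). Added example, not from the
original post. Assumptions: the argument is the Users (or 'Documents and
Settings') folder; both the Windows 7+ and Windows XP layouts are checked
because the cache sits in the *client* user's profile, so every profile on
the host that launched mstsc is a candidate, not just the suspected one."""
import hashlib
import json
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

# Cache locations relative to each profile directory.
CACHE_RELPATHS = (
    Path("AppData/Local/Microsoft/Terminal Server Client/Cache"),                    # Windows 7+
    Path("Local Settings/Application Data/Microsoft/Terminal Server Client/Cache"),  # Windows XP
)
CACHE_SUFFIXES = (".bmc", ".bin")


def sha256_file(path: Path) -> str:
    """Stream-hash the file so large caches do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(users_root: Path) -> List[Dict]:
    """One record per cache file; a profile with no cache directory still
    gets a found=False record so its absence is documented, not skipped."""
    records: List[Dict] = []
    for profile in sorted(p for p in users_root.iterdir() if p.is_dir()):
        cache_dirs = [profile / rel for rel in CACHE_RELPATHS if (profile / rel).is_dir()]
        if not cache_dirs:
            records.append({"user": profile.name, "found": False})
            continue
        for cache_dir in cache_dirs:
            for f in sorted(cache_dir.iterdir()):
                if not f.is_file() or f.suffix.lower() not in CACHE_SUFFIXES:
                    continue
                st = f.stat()
                records.append({
                    "user": profile.name,
                    "found": True,
                    "path": str(f),
                    "size": st.st_size,
                    # last write to the cache hints at the last RDP session that updated it
                    "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "sha256": sha256_file(f),
                })
    return records


if __name__ == "__main__":
    users_root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\Users")
    print(json.dumps(triage(users_root), indent=2))
```

Hash the files before running any parser over them so the chain of custody is recorded, and treat the modification time as a pivot, not proof: line it up against the client-side RDP logs (Microsoft-Windows-TerminalServices-RDPClient/Operational, events 1024 and 1102) and the MRU values under HKCU\Software\Microsoft\Terminal Server Client\Default to tie a cache write to a destination host.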

As mentioned, we'll need to use some tools to view these files. Don't fret! There are some great open-source tools to assist with this. Some common ones are:


BMC-Tools

So, we see the aforementioned files; let's collect them and run some analysis! In this example, we'll use BMC-Tools to extract and parse the BMC and BIN files containing the RDP cache. This will likely be the first step you take before running any additional tools, since it unpacks the container files into plain bitmaps that other tools can read. To run this tool, please ensure you have the prerequisites installed, such as Python. Then run the command:

bmc-tools.py -s <location_of_cache_files> -d <output_directory>

As a note, when I ran this tool, I was getting an error stating it was unable to process the directory. However, it seems that it was still processing the cache files regardless of the error. You can see this by using the "-vv" switch when running the command for the tool. The new command would be:

bmc-tools.py -s <location_of_cache_files> -d <output_directory> -vv

Shown below are the results from BMC-Tools. As you can see, these images are in a "tile" like format using Microsoft's Tile Algorithm (mentioned above). Although you might be able to pick out an interesting image or command-line here, it might be very difficult to use at scale when multiple RDP sessions were used. Keep in mind that my test RDP session was very short and this still generated a large number of cache files. In my test, 6400 cache files were extracted. Nice!

Shown below is a small sample of what the output files look like. As we can see, they are small "tile"-like images extracted from the BIN and BMC files, now saved as ordinary BMP images.

If you have a good eye, you may have spotted some alerts for Windows Defender.


RDP Cache Stitcher

Now, let's see if we can pretty this up. Let's try RDP Cache Stitcher.

Once the tiles have been extracted with BMC-Tools, we can use RDP Cache Stitcher as a GUI to drag the images around. Remember the puzzle I referenced in the title... well, I wasn't kidding! Let's take those extracted files and load them into RDP Cache Stitcher. To do this, open RDP Cache Stitcher, select "File" and then "New Case", and choose the directory containing the extracted tiles (now BMP images). Shown below are a few examples of some quick stitchings.

Spending more time and analyzing the screenshots will yield more results, but you get the idea. Now think how useful this would be in instances where the TA deleted their tooling, logs, etc. You can get some great stuff here!


RDPieces

If you want to try to automate this and speed is a concern (though the results may not be ideal), you can try RDPieces. This is a Perl script that attempts to piece the images back together. Again, BMC-Tools needs to be run first for extraction. You will need the prerequisites listed on the tool's GitHub page. Once everything is installed, run the following command:

perl rdpieces.pl -source <location_of_bmp_files> -output <name_of_new_output_folder>

As shown below, this will begin processing your BMP images.

Using this tool wasn't groundbreaking, but it is an additional tool to use to help speed up potential "quick-wins". Personally, my results took quite a while to process and the results weren't very helpful. However, I'd recommend running this in the background maybe while you run RDP Cache Stitcher, you might get different results!

One thing to note is that in most cases the setting to cache bitmaps ("Persistent bitmap caching" on the mstsc Experience tab) is enabled by default!

As you can see, this is a pretty neat artifact! If you're working an incident where you have reason to believe RDP was leveraged (which, in my experience, will be nearly every case), then this is a must-have artifact. With it, you can begin to put the pieces of your investigative puzzle in place. This is also a very in-depth, hands-on artifact that will likely require some manual interaction, so this kind of analysis will probably be reserved for high-fidelity systems such as the beachhead host or patient zero.


Sources:
