RDP Cache
Overview
Evidence: RDP Cache
Description: Collect RDP Cache Files
Category: System
Platform: windows
Short Name: rdpc
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
The Remote Desktop client caches screen bitmaps to improve performance over slow connections. These cached bitmap tiles are stored in the user’s profile and can be reconstructed to reveal what was visible on remote desktop sessions.
RDP cache files can provide visual evidence of remote desktop activity and potentially recover sensitive information viewed during RDP sessions.
Data Collected
This collector gathers structured data about the RDP cache.
RDP Cache Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | RDP Cache Files |
| Type | Folder | Folder |
| SourcePath | Original folder path | C:\Users\user\AppData\Local\Microsoft\Terminal Server Client\Cache |
| Path | Relative path in evidence | Other/Cache |
Collection Method
This collector collects RDP cache directories:
Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache
The entire cache directory with all bitmap cache files is collected.
Forensic Value
RDP cache can reveal visual content from remote desktop sessions. Investigators use this data to recover screen content from RDP sessions, prove remote desktop usage, identify accessed remote resources, and reconstruct user actions on remote systems.