"bcache*.bmc" and "cache????.bin" files under the "Terminal Server Client\Cache" directory.

Windows XP / Windows Server 2003:
<SYSTEMDRIVE>:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*

Windows 7 and later:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Terminal Server Client\Cache\*

Overview

The RDP Bitmap Cache contains partial image captures, in the bitmap format, of the remote host screen from past Remote Desktop sessions. This feature is implemented to reduce the amount of data sent by the server, which saves bandwidth and improves the user experience over a slow network connection.

Bitmap caching can be deactivated client-side in the mstsc.exe Remote Desktop client by deactivating the “Persistent bitmap caching” option.

Information of interest

The RDP Bitmap Cache may sometimes be used to retrieve and identify what was displayed in past Remote Desktop sessions of the user. The image captures are stored as small bitmap images, with a width of 64 pixels and a height of up to 64 pixels.

Thousands of tiles may be available in a given user's RDP Bitmap Cache folder.

Tool(s)

RDP bitmap cache extraction

The bmc-tools Python script can be used to process bcache*.bmc and cache????.bin files to extract the bitmap images. A bitmap aggregating all the extracted tiles can be generated by bmc-tools. However, as of 2024-01-19, the script loops endlessly if corrupted tiles are found during the aggregation process.

# -b option: generates a collage bitmap aggregating all the tiles.

bmc-tools.py -s <SOURCE_FOLDER> -d <DESTINATION_FOLDER> -b

A compiled version of the bmc-tools Python script (compiled with PyInstaller), bmc-tools-compiled, may also be used. The Execute-BmcTools.ps1 PowerShell script (KAPE module PowerShell_Execute-BmcTools) leverages the compiled version to recursively process the specified input folder and execute bmc-tools.exe over each Bitmap Cache subfolder found.
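The following added example, which is not code from bmc-tools or Execute-BmcTools.ps1, walks a collected file tree, finds the per-user Cache folders in both profile layouts listed above, and records the size, modification time and SHA-256 of each bcache*.bmc / cache????.bin file before extraction. The function names and the evidence-root argument are assumptions made for the illustration.

```python
import fnmatch
import hashlib
import os
from datetime import datetime, timezone

# File name patterns and folder names are the ones listed on the page.
CACHE_PATTERNS = ("bcache*.bmc", "cache????.bin")
CACHE_SUFFIX = ("microsoft", "terminal server client", "cache")
PROFILE_ROOTS = ("users", "documents and settings")

def profile_user(parts):
    """Return the folder after the nearest Users / Documents and Settings."""
    lowered = [p.lower() for p in parts]
    for i in range(len(parts) - 2, -1, -1):
        if lowered[i] in PROFILE_ROOTS:
            return parts[i + 1]
    return None

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large cache files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory_rdp_cache(evidence_root):
    """Walk a collected file tree (hypothetical layout) and list cache files."""
    records = []
    for dirpath, _dirs, files in os.walk(evidence_root):
        parts = os.path.normpath(dirpath).split(os.sep)
        if tuple(p.lower() for p in parts[-3:]) != CACHE_SUFFIX:
            continue  # not a Microsoft / Terminal Server Client / Cache folder
        for name in sorted(files):
            if not any(fnmatch.fnmatchcase(name.lower(), p) for p in CACHE_PATTERNS):
                continue
            path = os.path.join(dirpath, name)
            info = os.stat(path)
            mtime = datetime.fromtimestamp(info.st_mtime, timezone.utc)
            records.append({"user": profile_user(parts), "path": path,
                            "size": info.st_size, "sha256": sha256_file(path),
                            "modified_utc": mtime.isoformat()})
    return records

if __name__ == "__main__":
    import sys
    for rec in inventory_rdp_cache(sys.argv[1]):
        print(rec["user"], rec["size"], rec["modified_utc"], rec["sha256"], rec["path"], sep="\t")
```

Run it against a copy or read-only mount of the evidence, since the recorded modification times are only meaningful if the collection preserved them.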

Screenshots and screen extracts reconstruction

RdpCacheStitcher provides a graphical interface to more easily assemble or “stitch” together RDP Bitmap Cache tiles, either manually or through an automatic feature (that usually yields mixed results).

The tiles, as extracted by bmc-tools for instance, can be loaded by RdpCacheStitcher for analysis and to recompose screen extracts from the multiple tiles available.
