RDP Bitmap Forensics: Detecting Hidden Screens in Real Investigations

kanishkar mathi
4 min read

RDP sessions leave behind more than logs — they may leave behind screenshots.
In digital forensics, one often overlooked artifact is the RDP bitmap cache. If a threat actor uses Remote Desktop Protocol (RDP) during an intrusion, we can potentially recover pieces of what they saw — from open documents to full-screen applications — using cached image fragments.

In this post, we'll explore:

  • What RDP bitmap cache is

  • Where it’s stored

  • Why it matters in investigations

  • How to extract and reconstruct it using real tools

  • A working demo with actual cache000.bin

What is RDP Bitmap Cache?

When you use RDP to remotely control a system, your RDP client stores tiny graphical fragments of the session as a performance optimization. These fragments are stored as .bin files — commonly named:

cache000.bin
cache001.bin
...

These files persist on the client machine and contain compressed image tiles of what was displayed during the session. In digital forensics, these can be gold.

Where Are These Files Stored?

If an attacker RDPs into a system, the cache files are stored on the attacker’s system — because they are the client.

However, if the attacker pivots within a network and uses RDP from one victim machine to another, then the intermediate machine (pivot point) will store the cache files — making it available for analysis during an investigation.

Location on disk (Windows):

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache\

Tools for RDP Bitmap Forensics

We’ll demonstrate two open-source tools that let us extract and reconstruct images from the cache:

1. bmc-tools

  • Dumps and previews bitmap images

  • Allows tile-by-tile inspection

2. RdpCacheStitcher

  • Supports stitching tiles into a single image

  • GUI support and tile visualization

Real Working Example: Analyzing cache000.bin

Let’s walk through a real-world example.

Step 1: Clone the Tools

We begin by cloning the two open-source tools from GitHub:

git clone https://github.com/ANSSI-FR/bmc-tools.git
git clone https://github.com/BSI-Bund/RdpCacheStitcher.git

Step 2: Obtain a Sample cache000.bin

You can either:

  • Use your own cache files from a test RDP session

  • Download publicly shared samples from training datasets or malware analysis repositories

For this demo, let’s say we have:

cache000.bin

Step 3: Extract Tiles with bmc-tools

python3 bmc-tools.py -s cache000.bin -d output

This will extract all bitmap tiles into the output/ folder.
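As an added example (not code from this post, from bmc-tools or from RdpCacheStitcher), here is a small parser that walks a cache0XX.bin container the way the extraction step above does and writes each tile out as a plain BMP. The container layout it assumes (an RDP8bmp magic, a version word, 12-byte tile headers of two 32-bit key halves plus width and height, then raw 32-bpp BGRA pixels) is my reading of the format bmc-tools handles, so check it against that tool before relying on it; the sample container is constructed in memory. Beyond the one-line command, it shows how to stop cleanly on a partially written cache file and how naming tiles by their 64-bit key makes the same tile recurring across files and sessions visible.

```python
import struct
from collections import namedtuple
from pathlib import Path

# Assumed layout (verify against bmc-tools on real files): 8-byte magic, u32 version,
# then tiles of [key1 u32][key2 u32][width u16][height u16] + width*height*4 bytes of
# raw 32-bpp BGRA. key2:key1 is the persistent cache key, stable for identical content.
MAGIC = b"RDP8bmp\x00"
TILE_HDR = struct.Struct("<IIHH")
Tile = namedtuple("Tile", "key width height bgra")

def parse_cache(buf: bytes) -> list:
    """Walk one cache0XX.bin container; stop cleanly at a truncated or zeroed tail."""
    if buf[:len(MAGIC)] != MAGIC:
        raise ValueError("not an RDP8bmp container")
    pos, tiles = len(MAGIC) + 4, []
    while pos + TILE_HDR.size <= len(buf):
        key1, key2, w, h = TILE_HDR.unpack_from(buf, pos)
        pos += TILE_HDR.size
        size = w * h * 4
        if w == 0 or h == 0 or pos + size > len(buf):
            break  # slack or a partially written tile: keep what was recovered
        tiles.append(Tile((key2 << 32) | key1, w, h, buf[pos:pos + size]))
        pos += size
    return tiles

def tile_to_bmp(t: Tile) -> bytes:
    """Wrap raw BGRA rows in a bottom-up 32-bpp BMP so any image viewer opens it."""
    row = t.width * 4
    pixels = b"".join(t.bgra[y * row:(y + 1) * row] for y in reversed(range(t.height)))
    dib = struct.pack("<IiiHHIIiiII", 40, t.width, t.height, 1, 32, 0, len(pixels), 0, 0, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + dib + pixels

def dump_tiles(buf: bytes, outdir: Path) -> list:
    """Write NNNN_<key>.bmp per tile; the key in the name exposes tiles recurring across files."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, t in enumerate(parse_cache(buf)):
        paths.append(outdir / f"{i:04d}_{t.key:016x}.bmp")
        paths[-1].write_bytes(tile_to_bmp(t))
    return paths

def build_sample() -> bytes:
    """Constructed container: two 64x64 tiles plus a third cut short; not a real capture."""
    solid = lambda b, g, r: bytes([b, g, r, 255]) * (64 * 64)
    out = bytearray(MAGIC + struct.pack("<I", 2))
    out += TILE_HDR.pack(0x11111111, 0x22222222, 64, 64) + solid(0, 0, 255)
    out += TILE_HDR.pack(0x33333333, 0x44444444, 64, 64) + solid(255, 0, 0)
    out += TILE_HDR.pack(0x55555555, 0x66666666, 64, 64) + b"\x00" * 100  # truncated
    return bytes(out)
```

Run it on a real file with dump_tiles(Path("cache000.bin").read_bytes(), Path("output")) and compare the tile count against what bmc-tools reports for the same file.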

Step 4: Reconstruct with RdpCacheStitcher

Now it’s time for the fun part: rebuilding the original screen layout from the extracted bitmap tiles — like assembling a high-stakes jigsaw puzzle from the attacker’s POV.

Launch RdpCacheStitcher. Here's what to do:

  1. Create a New Case

    • Go to File → New Case

    • When prompted, select the folder where your extracted tiles are stored

    • This tells the tool where to find the BMP cache tiles for reconstruction

  2. Start Reconstructing

    • The interface will populate with available tile images

    • Drag tiles into the main canvas area

    • Align them manually by matching UI elements like window edges, taskbars, or icons

  3. Export Your Scene

    • Once a coherent image is rebuilt, go to File → Export screen images

    • Save the final output as an image — evidence ready!

This gives you a full screenshot-style reconstruction you can use as evidence or visual proof.

Why This Matters

  • You might find screenshots of:

    • Open Notepad or PowerShell windows

    • Sensitive documents

    • File paths and credentials

  • These can provide proof of attacker activity even if logs are wiped

  • Especially helpful in lateral movement cases where attackers used internal systems as stepping stones

Conclusion

RDP bitmap forensics is a powerful, underused technique in modern DFIR. With tools like bmc-tools and RdpCacheStitcher, analysts can reconstruct attacker views and actions — all from leftover cache tiles.

Next time you're investigating an RDP-heavy compromise, don't forget to check:

%LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\

There just might be a screenshot waiting to speak.

Resources:

ANSSI-FR/bmc-tools: RDP Bitmap Cache parser

BSI-Bund/RdpCacheStitcher: RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.

https://youtu.be/9P845AMjJF0?si=OKuf839Dq8woOVFq
