
The remote desktop puzzle. DFIR techniques for dealing with RDP Bitmap Cache

ID: f9585c38-7ca8-5e2f-9a67-144cc27142ff

STIX ID: report--f9585c38-7ca8-5e2f-9a67-144cc27142ff

Feed Name: Pen Test Partners Blog


Date Published: 2025-05-01

Date Updated: 2026-03-24

Author: Joseph Williams

...
...

This report explains how the RDP bitmap cache can be used in DFIR to recover evidence of user activity in remote desktop sessions when event logs are missing. It details where the cache files live, how to extract them, and how to reconstruct screen content with BMC-Tools and RDPCacheStitcher, including the heuristics that help place tiles correctly. A case study shows recovery of reconnaissance, credential exposure, and data exfiltration activity despite anti-forensic log wiping, and the report highlights recent reporting that attackers themselves can reconstruct RDP session frames to harvest credentials shown on screen.
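As an added illustration of the extraction-and-stitching workflow the summary describes, the following Python is this editor's own code, not code from the Pen Test Partners post, BMC-Tools or RDPCacheStitcher. It parses a `.bin` bitmap-cache container into tiles and then ranks candidate right-hand neighbours with a simple edge-continuity score (sum of absolute BGR differences between one tile's right column and another's left column), which is the kind of heuristic stitching tools use to propose tile placement. The container layout assumed here (8-byte magic `RDP8bmp\0`, a 4-byte version, then per tile two 32-bit keys, 16-bit width and height, and width×height×4 bytes of 32-bpp BGRA pixels) is this editor's reading of the format as handled by ANSSI's bmc-tools and should be verified against that tool before it is trusted on real evidence. The sample cache is constructed in the script itself (a small grey-gradient "screen" split into 4×4 tiles written in scrambled order; real tiles are typically 64×64), so it runs offline.

```python
"""Parse an RDP bitmap-cache .bin container and rank candidate tile neighbours.

Added example (editor's code, not from the Pen Test Partners post, BMC-Tools or
RDPCacheStitcher). ASSUMPTION: the .bin layout below is this editor's reading of
the container format as handled by ANSSI's bmc-tools; verify before relying on it.
"""
import struct
from dataclasses import dataclass

BIN_MAGIC = b"RDP8bmp\x00"
FILE_HDR = struct.Struct("<8sI")      # magic, version
TILE_HDR = struct.Struct("<IIHH")     # key1, key2, width, height
BPP = 4                               # 32-bpp BGRA


@dataclass
class Tile:
    key1: int
    key2: int
    width: int
    height: int
    pixels: bytes  # raw BGRA rows, top-down

    def column(self, x):
        """Return the BGR bytes (alpha dropped) of column x, top to bottom."""
        out = bytearray()
        for y in range(self.height):
            off = (y * self.width + x) * BPP
            out += self.pixels[off:off + 3]
        return bytes(out)


def parse_bin_cache(data):
    """Return tiles in file order; stop cleanly at a truncated trailing tile."""
    if len(data) < FILE_HDR.size or data[:8] != BIN_MAGIC:
        raise ValueError("not an RDP8bmp container")
    tiles, pos = [], FILE_HDR.size
    while pos + TILE_HDR.size <= len(data):
        key1, key2, w, h = TILE_HDR.unpack_from(data, pos)
        pos += TILE_HDR.size
        n = w * h * BPP
        if w == 0 or h == 0 or pos + n > len(data):
            break  # partially written last tile: keep what we already have
        tiles.append(Tile(key1, key2, w, h, data[pos:pos + n]))
        pos += n
    return tiles


def build_bin_cache(tiles, version=0):
    """Serialise tiles in the assumed layout (used here to construct sample data)."""
    out = bytearray(FILE_HDR.pack(BIN_MAGIC, version))
    for t in tiles:
        out += TILE_HDR.pack(t.key1, t.key2, t.width, t.height) + t.pixels
    return bytes(out)


def edge_score(left, right):
    """Sum of absolute BGR differences between left's right edge and right's
    left edge. Lower means the two tiles plausibly sat side by side on screen."""
    a = left.column(left.width - 1)
    b = right.column(0)
    return sum(abs(p - q) for p, q in zip(a, b))


def suggest_right_neighbours(tiles):
    """For each tile index, the index of the best right-hand neighbour and its score."""
    best = {}
    for i, t in enumerate(tiles):
        cands = [(edge_score(t, u), j) for j, u in enumerate(tiles)
                 if j != i and u.height == t.height]
        if cands:
            score, j = min(cands)
            best[i] = (j, score)
    return best


def make_sample_tiles(width=12, height=4, tile=4):
    """Constructed sample: a horizontal grey gradient 'screen' split into tiles,
    returned in scrambled order to mimic cache order (which is not screen order)."""
    def pixel(x):
        v = x * 20
        return bytes((v, v, v, 255))          # B, G, R, A
    tiles = []
    for tx in range(0, width, tile):
        rows = b"".join(pixel(x) for _ in range(height) for x in range(tx, tx + tile))
        tiles.append(Tile(0x1000 + tx, 0x2000, tile, height, rows))
    return [tiles[2], tiles[0], tiles[1]]   # scrambled: right, left, middle


if __name__ == "__main__":
    blob = build_bin_cache(make_sample_tiles())
    parsed = parse_bin_cache(blob)
    for i, (j, s) in suggest_right_neighbours(parsed).items():
        print(f"tile {i} (key1 {parsed[i].key1:#x}) -> best right neighbour tile {j}, score {s}")
```

On the sample, the two true neighbour pairs score 240 while every wrong pairing scores at least 1200, which is the gap a stitcher exploits; on a real cache the score is only a ranking aid, and the analyst still places tiles by eye where edges are ambiguous (uniform backgrounds, repeated UI chrome). The truncation check matters in practice because cache files are overwritten in place and the last tile is frequently incomplete.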
