RDP Cached Bitmap Extractor

363968

OpenText OpenText Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

OpenText | OpenText Community

This EnScript parses bitmap data cached by the Microsoft Windows Terminal Services (Remote Desktop Protocol - RDP) client.

3,131 downloads

Product compatibility

EnCase App Central

Description

This script parses RDP cache files selected by the user.

The RDP caching mechanism reduces the amount of data that needs to be sent to an RDP client. It does this by caching those parts of the screen that haven't changed since the display was last refreshed.

The script supports two types of cache file: that having a *.bmc file-extension and that having a name of the form 'Cachennnn.bin' where nnnn is a 4-digit number. Both types of file are to be found in the following folder -

%localappdata%\Microsoft\Terminal Server Client\Cache

Cache-files store raw bitmaps in the form of tiles. The size of each tile can vary, but a common size is 64x64 pixels. The colour-depth of tiles in a *.bmc file is typically 16 or 32-bits per pixel (bpp). Tiles in a Cachennnn.bin file have a colour depth of 32-bpp.

Notwithstanding the fact that cached tiles are quite small, recognizable content will usually be visible including pictures, file and folder names, icons and desktop wallpaper.

The script provides the option of creating a composite bitmap from two or more cached bitmaps having the same width, height and colour-depth, as read in sequence from a given cache file. This may allow the examiner to identify areas of the screen larger than a single tile.

When using this function, it's important to note that cached tiles representing a given screen-area may not be stored together. Even if they are, they're not guaranteed to be written from left to right, or from top to bottom. It is believed that the direction of the mouse-cursor is responsible for this in part at least.

Taking the direction issue into account, the script allows the examiner to control the direction in which cached tiles are written into each bitmap. Up to four options are available depending on the number of rows to be written (there is no point in writing a separate bitmap for each vertical direction if there is only a single row of tiles).

Interpreting RDP cached-bitmap tiles is not an exact science and the examiner should be aware of a high risk of misinterpretation. Taking this into account, he/she is advised to test the operation of the script against data cached during one of his/her own RDP sessions. That way the benefits/limitations of the script will be better understood.

This script was developed for use in EnCase training. For more details, please click the following link:

OpenText EnCase Training

Releases

Release

Size

Date

RDP Cached Bitmap Extractor 3.1.0

Aug 1, 2024

More info Less info

Product compatibility

Release notes

Tested with:
EnCase Forensic 20.02.00.185

Languages

English

Files

Marketplace

Marketplace

RDP Cached Bitmap Extractor

Product compatibility

CATEGORY

Description

Releases

Sign in

Marketplace

RDP Cached Bitmap Extractor

App Support Tiers

Product compatibility

CATEGORY

Description

Releases

Unsubscribe from notifications

Marketplace Terms of Service

Your download has begun