Putting Together the RDPiece

Offered By: BasisTech via YouTube

Course Description

Overview

Explore the intricacies of ransomware investigations and the often-overlooked RDP Bitmap Cache artifact in this 35-minute conference talk from OSDFCon 2020. Learn how to piece together crucial information about attacker activities, even after cleanup attempts, using the RDPiece tool. Gain insights into extracting and analyzing RDP Bitmap Cache data, understanding its significance in digital forensics, and leveraging PowerShell scripts for efficient investigation. Discover how this underutilized artifact can provide answers to key questions about system access, data exfiltration, and attacker behavior. Benefit from Brian Moran's extensive experience in digital forensics and incident response as he shares his expertise on this evolving field.

Syllabus

Introduction
Title
Topics
Who am I
D for Fit
What is RDP
Why is RDP important
How I got interested in RDP
What is the RDP Bitmap Cache
What is the RDPiece
Location of the files
Cache
Resources
OSDFCon
Extract RDPiece Data
PowerShell
Folder Structure
Reorganizing
Math
Starting from scratch
Image Magic
Putting Pieces Together
Generating Data
Script Overview
Test Results
Saving Images
Output
It's not perfect
Open Source
Download Script
Heather
Questions


Taught by

BasisTech
