Ransomware investigations are becoming increasingly prevalent, and the questions an analyst are faced with are similar in almost every investigation:
- How did the attacker get in?
- How long did the attacker have access to system(s)
- What files/folders did the attackers access?
- Was there any data exfiltration?
A majority of ransomware now does “cleanup” after running, and deletes and overwrites important data such as event logs, recent user activity, powershell commands, etc. This talk delves into a quite often looked-at artifact called the RDP Bitmap cache, which may contain the answers that are needed to make a determination one way or another on ransomware related questions. It is a very interesting, and very under utilized artifact, that allows an analyst to quite literally piece together “what had happened was…”