Putting the RDPieces Back Together Again

Ransomware investigations are becoming increasingly prevalent, and the questions an analyst is faced with are similar in almost every investigation:

  • How did the attacker get in?
  • How long did the attacker have access to the system(s)?
  • What files/folders did the attacker access?
  • Was there any data exfiltration?

A majority of ransomware now performs “cleanup” after running, deleting and overwriting important data such as event logs, recent user activity, PowerShell command history, etc. This talk delves into an often-overlooked artifact called the RDP bitmap cache, which may contain the answers needed to make a determination one way or another on ransomware-related questions. It is a very interesting and very underutilized artifact that allows an analyst to quite literally piece together “what had happened was...”
