Putting Together the RDPiece

Brian Moran
BriMor Labs

Ransomware investigations are becoming increasingly prevalent, and the questions an analyst are faced with are similar in almost every investigation:

How did the attacker get in?
How long did the attacker have access to system(s)
What files/folders did the attackers access?
Was there any data exfiltration?

A majority of ransomware & attackers now perform “cleanup” after running, and delete and overwrite important data such as event logs, recent user activity, PowerShell commands, etc. This talk delves into a quite often overlooked artifact called the RDP Bitmap Cache, which may contain the answers that are needed to make a determination one way or another on ransomware related questions. It is a very interesting, and very underutilized artifact, that allows an analyst to quite literally piece together “well, what had happened was…”

About Brian Moran

Brian is a digital forensic analyst currently residing in the Baltimore, Maryland area. He has approximately 19 years of experience in the cyber security field, with 15 of those years focusing on digital forensics/incident response (DFIR), both in the United States Air Force and private sector. His initial exposure to the DFIR field occurred during a deployment to Mosul, Iraq in 2004-2005, when he served on a team that provided mobile device analytic information in support of tactical military operations. After his military service ended, he entered the private sector and has worked (globally) on a wide range of cases. His favorite aspects of the DFIR field is that it is always changing and evolving; and every case has unique problems, questions, and solutions.