Session Type
Lecture
Name
Putting the RDPieces Back Together Again
Speakers
Brian Moran | BriMor Labs
Description

Ransomware investigations are becoming increasingly prevalent, and the questions an analyst is faced with are similar in almost every investigation:

- How did the attacker get in?
- How long did the attacker have access to the system(s)?
- What files/folders did the attackers access?
- Was there any data exfiltration?

A majority of ransomware now does "cleanup" after running, deleting and overwriting important data such as event logs, recent user activity, PowerShell commands, etc. This talk delves into a quite often overlooked artifact called the RDP Bitmap cache, which may contain the answers needed to make a determination one way or another on ransomware-related questions. It is a very interesting, and very underutilized, artifact that allows an analyst to quite literally piece together "what had happened was..."