Hacker - How to view RDP activities done on any Server/client




Remote Desktop Client has a useful feature for improving performance: when the Cache option is enabled, the program saves screenshots of your RDP activity on your computer.

The problem is that the cache is not automatically deleted at the end of the session.

To view these images you can use BMC Viewer.

https://turbolab.it/scarica/9

You can find the RDP images at the following path:

C:\Users\\AppData\Local\Microsoft\Terminal Server Client\Cache

If the images do not display clearly, make sure that the value selected in the BPP drop-down menu is equal to the number of colors originally used for the connection. Generally it is 32, but you can run a few tests (pressing Load after every change) to guess the correct one.

These cache files are complete and do not depend on the operating system; consequently, investigators looking for evidence can copy them and analyze them on any computer.

To avoid any privacy problem there are 2 options:
  1. The safest is to disable the persistent bitmap cache before logging in to Remote Desktop from a second computer that could later be analyzed. It is enabled by default, sigh... :-(
  2. Delete the cache files in C:\Users\\AppData\Local\Microsoft\Terminal Server Client\Cache and use the CCleaner Free space Wipe feature to overwrite free space n times to prevent any recovery.
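
To check which profiles on a machine are still exposed, the following added example (not part of the original article) walks a copied or mounted Users directory, reports leftover cache files per profile, and lists the .rdp files that leave persistent caching on. It assumes the `bitmapcachepersistenable` line of the .rdp file format is what controls the setting; the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Cache location given in the article, relative to one user profile directory.
CACHE_REL = Path("AppData/Local/Microsoft/Terminal Server Client/Cache")

def persistent_cache_setting(rdp_file):
    """True/False from the bitmapcachepersistenable line of an .rdp file, None if absent."""
    raw = Path(rdp_file).read_bytes()
    # mstsc writes .rdp files as UTF-16 with a BOM; hand-made ones are often UTF-8.
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    for line in raw.decode(enc, "replace").splitlines():
        key, sep, value = line.strip().partition(":i:")
        if sep and key.lower() == "bitmapcachepersistenable":
            return value.strip() == "1"
    return None

def audit_profiles(users_root):
    """Per profile: leftover cache files, their total size, and .rdp files that keep caching on."""
    report = {}
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        cache = profile / CACHE_REL
        files = sorted(f for f in cache.iterdir() if f.is_file()) if cache.is_dir() else []
        # An .rdp file without the setting counts as enabled, since that is the default.
        caching_on = sorted(r.relative_to(profile).as_posix() for r in profile.rglob("*.rdp")
                            if persistent_cache_setting(r) is not False)
        report[profile.name] = {
            "cache_files": [f.name for f in files],
            "cache_bytes": sum(f.stat().st_size for f in files),
            "rdp_caching_on": caching_on,
        }
    return report

def build_sample_tree(root):
    """Constructed sample data: two fake profiles standing in for a copied C:\\Users tree."""
    alice, bob = Path(root) / "alice", Path(root) / "bob"
    (alice / CACHE_REL).mkdir(parents=True)
    (alice / CACHE_REL / "Cache0000.bin").write_bytes(b"\x00" * 4096)  # placeholder bytes
    for user, value, enc in ((alice, "1", "utf-16"), (bob, "0", "utf-8")):
        (user / "Documents").mkdir(parents=True)
        (user / "Documents" / "Default.rdp").write_text(
            f"screen mode id:i:2\nbitmapcachepersistenable:i:{value}\n", encoding=enc)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for user, info in audit_profiles(build_sample_tree(tmp)).items():
            print(user, info)
```

Point `audit_profiles` at the real Users directory (or a forensic copy of it) to see which accounts need option 1 or option 2 applied.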