RdpCacheStitcher: reconstructing useful images out of RDP cache bitmaps

RdpCacheStitcher

RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. Using raw RDP cache tile bitmaps extracted by tools like e.g. ANSSI’s BMC-Tools (https://github.com/ANSSI-FR/bmc-tools) as input, it provides a graphical user interface and several placement heuristics for stitching tiles together so that meaningful images or even full screenshots can be reconstructed.

Features

• Show hints where a selected tile might fit best visually
• Provide an ordered list of tiles that could best be placed visually for a selected empty cell
• When hovering over a tile, preview how it might look when placed
• Work with multiple screens per case
• Options to exclude already used, non-square or duplicate tiles
• Crop and export all reconstructed images belonging to a case as PNG
• The sub-window with all available tiles is dockable, i.e. it can be its own window and move to a different display
• Keep individual notes per screen

Download & Use

RdpCacheStitcher is copyright 2020 Bundesamt fuer Sicherheit in der Informationstechnik (BSI)