Thanks for these series, they are excellent.
Great video, it really helped me a lot
Thank you for the video
Great video, helped me a ton! Keep it up!
The issue here is that if an attacker uses an RDP connection to my host, I can't view this data because it's only available on their machine.
Yes, but if an attacker moves laterally *within* your environment, the system from which the RDP connection was initiated would have the cache. This has proved useful for me on many occasions.
Thank you sir
Very informative Sir
Thanks for the video...
Can we find these cache files after imaging the system?
Not sure I understand your question?
@13Cubed Will this cache get erased after removing the HDD?
@learnwithrahulmishra If you delete the data on the hard drive after you pull it out, yes. Otherwise the data will remain intact on the drive. I'm still not sure I understand what you are asking.
Hi, when I execute the bmc script I get this error: "unexpected bpp(0)..". Do you know what is happening, please?
Looking at the code, it appears as if the cache you are attempting to analyze is corrupt, or otherwise unable to be parsed by the utility (possibly of unexpected size). Can you try RDP cache from an alternate machine and see if you receive the same results?
13Cubed The cache that I should analyse comes from a forensic challenge on root-me, and I don't think it's corrupted. But I may be on the wrong track. Do you know which methods/tools I can use to detect corruption? And I don't have another bmc file to test with; I'll try to find one later (it's 1am for me ^^)
And yes, I've already checked the integrity and it's OK; my bmc file is 9 MB. Excuse me, I replied with the wrong account.
Interesting. I would suggest another tool, but there really isn't one to my knowledge (besides EnScripts). I haven't had any issues with the tool to this point, so unfortunately I'm afraid I can't be of much help.
13Cubed No problem, thank you for your answer. Anyway, your videos are really cool. Good job.