Remote Desktop Connection (RDC) is a Windows built-in application. It is used to control remote systems by capturing the signals of their I/O devices and transmitting them to the controlling device over the Remote Desktop Protocol (RDP). RDP is a secure network communications protocol developed by Microsoft.
All incoming and outgoing RDP traffic is recorded in the event log files, so analyzing them gives examiners a clear picture of the activities performed on a device by any other remote device. Together with the information extracted from the RDC MRU artifact covered in the previous blog, the information extracted from the event log artifact is especially useful because each event carries a brief description as well as all of its associated data, parsed into a readable form.
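As an added example (not part of this post and not ArtiFast code), the script below reconstructs per-session RDP timelines from a constructed CSV export of the TerminalServices-LocalSessionManager/Operational log and flags sessions whose reconnect came from a different source address than the original logon. The column names and all sample values are assumptions; the event IDs 21, 23, 24 and 25 are the standard session logon, logoff, disconnect and reconnect events of that log.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample export (column names and values are made up for this example).
# Event IDs are the real LocalSessionManager ones: 21 = session logon succeeded,
# 23 = session logoff succeeded, 24 = session disconnected, 25 = session reconnected.
SAMPLE_EXPORT = """TimeCreated,Id,User,SessionID,Address
2023-05-02T08:14:05,21,CORP\\jdoe,3,10.0.0.25
2023-05-02T09:30:41,24,CORP\\jdoe,3,10.0.0.25
2023-05-02T13:02:17,25,CORP\\jdoe,3,198.51.100.7
2023-05-02T17:45:00,23,CORP\\jdoe,3,198.51.100.7
2023-05-03T02:11:09,21,CORP\\svc_backup,5,203.0.113.9
"""

EVENT_NAMES = {21: "logon", 23: "logoff", 24: "disconnect", 25: "reconnect"}

def parse_rdp_events(text):
    """Parse exported rows into (timestamp, event name, user, session id, source address)."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        eid = int(row["Id"])
        if eid not in EVENT_NAMES:
            continue  # other IDs (e.g. 22 shell start) are not modelled here
        events.append((datetime.fromisoformat(row["TimeCreated"]), EVENT_NAMES[eid],
                       row["User"], int(row["SessionID"]), row["Address"]))
    return sorted(events)  # chronological order regardless of export order

def session_timeline(events):
    """Group events per (user, session id) so each RDP session reads as one sequence."""
    timeline = defaultdict(list)
    for ts, name, user, sid, addr in events:
        timeline[(user, sid)].append((ts.isoformat(), name, addr))
    return dict(timeline)

def address_changes(events):
    """Return sessions reconnected from a source address different from the logon address."""
    first_addr, flagged = {}, []
    for _, name, user, sid, addr in events:
        key = (user, sid)
        if name == "logon":
            first_addr[key] = addr
        elif name == "reconnect" and key in first_addr and first_addr[key] != addr:
            flagged.append((user, sid, first_addr[key], addr))
    return flagged
```

The same functions work on a real export once the column names are adjusted to match the export tool used; sessions touched by an address change are worth reviewing first.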
Remote Desktop Connection Events Log artifacts are found in the following location:
The related information is stored at the following files:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows RDC Events Log artifact in ArtiFast. You can refer to the previous blog for the details related to RDC MRU Artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Remote Desktop Connection Events Log artifacts.
Remote Desktop Connection Event Logs Artifact