Investigating Remote Desktop Connection MRU

31/12/2021 Friday

The Microsoft Remote Desktop Connection (RDC) allows a user to connect and gain access to other Windows systems over a network. It is a built-in application that implements Remote Desktop Protocol (RDP) through Terminal service or Remote Desktop Service to access and control all apps, files, and network resources on a remote system.

Digital Forensics Value of RDC MRU Artifact

RDC is commonly used by system administrators to perform administrative tasks such as configuring computers and solving computer and network issues. However, it can also be used by threat actors to perform malicious activities on remote Windows systems. Thus, Remote Desktop Connection MRU artifact can be useful in determining the systems an attacker has accessed.

Location and Structure of RDC MRU Artifacts

Information about the systems that are accessed via the Remote Desktop Connection are stored at the following location:

The values beneath this key start with “MRU” followed by a number. The numbers indicate the order in which these systems had been accessed. Every new connection is given the value of “MRU0” and sequentially all the other values will increase in number. The data associated with MRU value can contain the name or the IP address of the system the user had accessed.

Analyzing RDC MRU Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze Remote Desktop Connection MRU artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact. After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Remote Desktop Connection MRU artifact:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Remote Desktop Connection MRU artifact in ArtiFast Windows.

Remote Desktop Connection MRU Artifact

