# Remote Desktop Protocol (RDP) ## **Scenario** > An interplanetary illegal dealer was using a remote machine to store all his Trade secrets. Intelligence team of the solar system identified that the dealer was from Earth. When investigated, it was found that the dealer was maintaining a clean machine in his home and storing all his trade secrets in a remote machine via RDP. Unfortunately, the remote machine was destroyed. The only source of evidence we have is the forensic disk image of the clean machine. Show your forensic skills. Help the investigators in cracking the trade secrets like the dealer’s crypto wallet address, his customer details etc. Note: This is a work of fiction. Names, characters, places and incidents either are products of the author's imagination or are used fictitiously. ### Questions > Question 1) Submit the USERNAME of the dealer's machine from which the forensic disk image was created (Format: username)*(2 points)* > > *💡* **Answer:** `spiderman` To begin this question, I initiated the machine. Upon logging in, I glanced around the desktop icons looking for what I was going to look at first, since i'm not well versed in digital forensics i'm trying to improvise. I first opened up the Evidence folder and saw there was a text file named `RDPCache.ad1` since this lab is about an actor storing all his trade secrets in a remote machine via RDP, this appeared interesting to me. The text file was created by AccessData FTK imager, AccessData FTK is a computer forensics software, it scans a hard drive looking for various information. An example of what it can locate is deleted emails, it can also scan a disk for text strings to sue them as a password dictionary to crack encryption. From looking at the text file, it seems the source disk for the information captured by the FTK comes from `C:\Users\`**`spiderman`**`\Desktop` This tells me this is the username of the dealer's machine. ![](/files/jXyG3V6cK0bPGDrXAMve) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.cavel-security.com/readme-1/remote-desktop-protocol-rdp.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.