- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Prove whether a Windows computer was accessed remotely, by whom, from what IP address, at what time, and what they saw or did on screen β including through third-party remote-support tools.
Quick Answer. Remote-access forensics on Windows combines the Terminal Services operational logs (TerminalServices-LocalSessionManager, TerminalServices-RemoteConnectionManager, RemoteDesktopServices-RdpCoreTS), Security events 4624 LogonType 10 (RemoteInteractive), 4778/4779 (session reconnect/disconnect), 1149 (successful RDP authentication with source IP), RDP bitmap cache (bcache*.bmc) that reconstructs actual on-screen content, Prefetch and Amcache for the RDP client (mstsc) and remote-support tools (TeamViewer, AnyDesk, ScreenConnect, LogMeIn), and default gateway / firewall logs.
| Event ID | Channel | What it means |
|---|---|---|
| 1149 | TerminalServices-RemoteConnectionManager/Operational | Remote authentication accepted; includes User, Domain, and Source Network Address (IP) |
| 21 | TerminalServices-LocalSessionManager/Operational | Session logon succeeded, with source IP |
| 22 | Same | Shell (explorer.exe) started |
| 24 | Same | Session disconnected (user closed but did not log off) |
| 25 | Same | Session reconnected (typically after a network drop) |
| 23 | Same | Session logoff |
| 4624 (LogonType 10) | Security | RemoteInteractive logon |
| 4778 / 4779 | Security | Session reconnected / disconnected (also fires for Fast User Switching) |
| 4625 | Security | Failed RDP authentication (Sub Status 0xC000006A wrong password, etc.) |
| 131 | RdpCoreTS/Operational | Client connected before authentication (useful for brute-force detection) |
| 140 | RdpCoreTS/Operational | Client failed authentication with source IP |
Windows caches portions of the remote screen at the RDP client for performance. These cache files (bcache22.bmc, bcache24.bmc, cache0000.bin and similar) live at %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\ and contain thousands of 64×64 tile fragments of past sessions. Reassembly regenerates recognizable screenshots β messages, file names, spreadsheets β of remote work performed. This is often the single most persuasive artifact in an unauthorized-remote-access case.
Third-party remote tools leave equally strong evidence, both on the target and on the operator side:
%APPDATA%\TeamViewer\Connections_incoming.txt (target) and Connections.txt (operator) log ID, name, start, and end.%APPDATA%\AnyDesk\connection_trace.txt, ad_svc.trace, and ad.trace.ScreenConnect.ClientService in Services, and session logs under %PROGRAMDATA%\ScreenConnect Client (<GUID>)\.%PROGRAMDATA%\LogMeIn\logs\.%LOCALAPPDATA%\Google\Chrome Remote Desktop\logs.The operator machine keeps its own trail: NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default stores MRU0..MRU9 of last connected hostnames; Servers\<host>\UsernameHint records the last user; .rdp files may be saved to Documents; Prefetch and Amcache record mstsc.exe execution; jump lists for mstsc list recently connected hosts.
Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.
Usually yes. The Terminal Services operational logs are separate from the RDP service state, and 4624 LogonType 10 remains in Security.evtx. RDPCache bitmap fragments also survive.
The Windows target sees only the VPN’s private IP. We correlate with VPN concentrator logs, cloud-VPN provider records, and timing against ISP-side records subpoenaed via counsel.
Windows Home cannot host RDP by default but can be the RDP client. When Home shows LogonType 10, it is almost always via Fast User Switching or a third-party server component; we flag and explain.
No β often more. TeamViewer, AnyDesk, and ScreenConnect each maintain their own detailed session logs including counterparty ID, duration, and file-transfer records.
Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant