I'm analyzing a Vista SP2 system that was compromised via a Remote Desktop
login (somehow the culprit had access to correct login credentials).
Security.evtx only contains information about this single illegal login
(and there are no indications that the event log was cleared).
The strange thing is that, carving through memory for network packets (using
CapLoader), I find packets showing RDP traffic to additional IPs, not only
the one found in Security.evtx.
Any help in trying to put some context around these additional IPs found in
memory, using Volatility or traditional disk forensics, is highly
appreciated!
(The machine had only been running for about a week before the intrusion,
so anything found in memory should in theory be backed up by information in
eventlog)
Jarle Thorsen
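As an added example (not part of the post above), the following Python cross-references remote IPs recovered from carved RDP flows against logon events exported from the Security log, which is the first triage step for the question asked. The event records and the carved flows are constructed sample data; the field names (EventID, LogonType, IpAddress, TargetUserName) mirror the fields of Windows logon events 4624 (successful logon) and 4625 (failed logon), and logon type 10 is RemoteInteractive (RDP). It assumes the analyst has already exported the events to a list of dicts, for instance from an EVTX-to-XML dump.

```python
"""Cross-reference IPs carved from memory against Security log logon events.

Added example, not code from the original post. Inputs are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events, shaped like exported Security.evtx records.
# 4624 = successful logon, 4625 = failed logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7",
     "TargetUserName": "admin", "TimeCreated": "2013-05-01T03:12:44Z"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-",          # console logon
     "TargetUserName": "user", "TimeCreated": "2013-04-28T09:00:01Z"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20",
     "TargetUserName": "admin", "TimeCreated": "2013-05-01T03:10:02Z"},
]

# Constructed sample of remote endpoints seen in packets carved from memory
# (e.g. TCP/3389 flows recovered by a packet carver). Duplicates are expected.
SAMPLE_CARVED_FLOWS = [
    ("203.0.113.7", 3389),
    ("198.51.100.20", 3389),
    ("192.0.2.55", 3389),
    ("192.0.2.55", 3389),
]


def index_logon_events(events):
    """Map each remote source IP in the logon events to the events naming it.

    Local and console logons carry '-' as IpAddress and are skipped, as are
    values that do not parse as an IP address (malformed exports).
    """
    by_ip = defaultdict(list)
    for ev in events:
        raw = ev.get("IpAddress", "-")
        if raw in ("-", "", None):
            continue
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            continue
        by_ip[ip].append(ev)
    return by_ip


def classify_carved_ips(flows, events, rdp_port=3389):
    """Return {ip: triage label} for every carved flow on the RDP port.

    The label says what, if anything, the Security log has to say about the
    IP; an IP with no logon event at all is the one that needs more context.
    """
    by_ip = index_logon_events(events)
    result = {}
    for ip, port in flows:
        if port != rdp_port:
            continue  # only RDP flows are of interest here
        evs = by_ip.get(ip, [])
        if any(e["EventID"] == 4624 and e.get("LogonType") == 10 for e in evs):
            status = "successful RDP logon in Security log"
        elif any(e["EventID"] == 4625 for e in evs):
            status = "failed logon only"
        elif evs:
            status = "other logon event"
        else:
            status = "no logon event: needs further context"
        result[ip] = status
    return result


if __name__ == "__main__":
    for ip, status in sorted(classify_carved_ips(SAMPLE_CARVED_FLOWS,
                                                 SAMPLE_EVENTS).items()):
        print(f"{ip:16} {status}")
```

The label "no logon event" is a lead, not a conclusion: a carved RDP flow with no matching 4624 or 4625 may be an outbound connection made from this host rather than an inbound logon, or a session that never reached authentication, which is why those IPs are the ones to chase with Volatility's connection listing and on-disk artifacts.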