A New Tool that Extracts Data From Windows 11 Recall Feature

Microsoft’s Windows Recall is a new feature for Copilot+ PCs, announced in May 2024. It takes periodic screenshots (every 5 seconds when screen content changes) and stores them locally on the device. 

Users can then search this history using natural language to find past content, including text and images. It utilizes the on-device Neural Processing Unit (NPU) for analysis and avoids uploading data to the cloud, addressing privacy concerns. Copilot+ PCs are ARM-based machines with specific hardware requirements. 

While the official release date is June 18, 2024, tools like AmperageKit allow enthusiasts to explore emulation or cloud-based options to experiment with Recall before its official launch. 

(Image: Satya Nadella about Windows Recall)

A new tool, TotalRecall, exploits a security vulnerability in Microsoft’s Windows Recall feature, which captures screenshots and stores them locally in an unencrypted database.


TotalRecall targets the SQLite database (ukg.db) located in C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}\ImageStore, then parses the database and captures images for interesting artifacts. 

Users can refine the results by defining search parameters such as date ranges and specific text strings that were extracted using optical character recognition. 

(Image: Help page for TotalRecall)

It extracts data from the Windows Recall feature and copies the database and screenshot folders, ensuring the originals are untouched. Then, it parses the database (SQLite format) to find relevant entries based on your criteria, like date or keywords. 

Notably, it can extract text from screenshots using Windows Recall’s OCR. Finally, TotalRecall generates a summary with counts of captured windows and images and creates a detailed report listing all extracted data and search results. 

The TotalRecall.py script successfully extracted data from the Windows Recall feature on a machine running Windows 11: it identified the Recall folder and, once the user confirmed, performed the extraction. 

Within the specified time frame (June 4, 2024), Recall captured 133 windows and 36 images. 

The script searched for “password” within the extracted text data and found 22 instances. A text file located within the extraction folder stores a summary of the extraction process, potentially including details about the found passwords.  

(Image: Example Output)

According to Xaitax, TotalRecall is a tool designed to analyze the data captured by Windows Recall. It allows users to define a date range to restrict the analysis to a specific timeframe. 

It also enables searching for specific text within the captured data to efficiently identify relevant information. It generates comprehensive reports summarizing the captured windows, screenshots, and search results, storing everything in a designated text file for easy reference.
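The workflow described above (copy the store, query the SQLite database by date range, search the OCR text, and produce a summary of windows, images and hits) can be illustrated on a copy of such a database. The following is an added example written for this article; it is not TotalRecall's code and not Microsoft's. The table and column names (`WindowCapture`, `WindowTitle`, `TimeStamp`, `ImageToken`, `OcrText`) are an assumed, simplified stand-in for the real ukg.db schema, which the article does not show, and the rows are constructed sample data. It is written as a privacy-exposure audit to be run against a copied database, never against the live store.

```python
"""Added example: audit a Recall-style capture database for sensitive text.

ASSUMPTION: the schema below is a simplified stand-in, not Recall's real one.
The sample rows are constructed for this example.
"""
import sqlite3

# Constructed sample captures: (window title, capture time, image token, OCR text)
SAMPLE_CAPTURES = [
    ("Mail - Inbox", "2024-06-04T09:00:00", "img-0001", "Meeting moved to 3pm"),
    ("Bank login",   "2024-06-04T09:05:00", "img-0002", "Username: alice  Password: ********"),
    ("Notepad",      "2024-06-04T10:15:00", None,       "todo: rotate password on NAS"),
    ("Terminal",     "2024-06-05T08:30:00", "img-0003", "ssh admin@host"),
    ("Settings",     "2024-06-03T23:59:59", None,       "Display settings"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the assumed schema and constructed rows.

    In a real audit you would open a *copy* of ukg.db with sqlite3.connect(path)
    so that the original store is left untouched.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE WindowCapture ("
        "Id INTEGER PRIMARY KEY, WindowTitle TEXT, TimeStamp TEXT, "
        "ImageToken TEXT, OcrText TEXT)"
    )
    conn.executemany(
        "INSERT INTO WindowCapture (WindowTitle, TimeStamp, ImageToken, OcrText) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_CAPTURES,
    )
    conn.commit()
    return conn


def summarize(conn: sqlite3.Connection, start: str, end: str) -> dict:
    """Count captured windows and stored images within [start, end].

    Timestamps are ISO-8601 strings, so lexical comparison equals chronological.
    """
    windows = conn.execute(
        "SELECT COUNT(*) FROM WindowCapture WHERE TimeStamp BETWEEN ? AND ?",
        (start, end),
    ).fetchone()[0]
    images = conn.execute(
        "SELECT COUNT(*) FROM WindowCapture "
        "WHERE ImageToken IS NOT NULL AND TimeStamp BETWEEN ? AND ?",
        (start, end),
    ).fetchone()[0]
    return {"windows": windows, "images": images}


def search_text(conn: sqlite3.Connection, term: str, start: str, end: str) -> list:
    """Return (title, timestamp) for captures whose OCR text contains `term`.

    Uses instr() on lower-cased text rather than LIKE, so a term containing
    '%' or '_' is matched literally instead of being treated as a wildcard.
    """
    return conn.execute(
        "SELECT WindowTitle, TimeStamp FROM WindowCapture "
        "WHERE TimeStamp BETWEEN ? AND ? "
        "AND instr(lower(OcrText), lower(?)) > 0 "
        "ORDER BY TimeStamp",
        (start, end, term),
    ).fetchall()


def build_report(summary: dict, term: str, hits: list) -> str:
    """Render the summary and search hits as the text an audit would write to a file."""
    lines = [
        f"Captured windows: {summary['windows']}",
        f"Captured images:  {summary['images']}",
        f"Matches for '{term}': {len(hits)}",
    ]
    lines += [f"  {ts}  {title}" for title, ts in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    db = build_sample_db()
    day_start, day_end = "2024-06-04T00:00:00", "2024-06-04T23:59:59"
    found = search_text(db, "password", day_start, day_end)
    print(build_report(summarize(db, day_start, day_end), "password", found))
```

Counting windows separately from images mirrors the article's "133 windows and 36 images" split: a capture row may carry no image token when only the window metadata and text changed. The report itself is returned as a string so it can be written to the extraction folder or inspected directly.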
