# Dumping data from the Microsoft Recall folder Recently, Microsoft announced their new AI Recall feature that will be enabled on a new hardware generation called Copilot+ PC. I won't bore you with the details as the topic has been vastly covered already in [YouTube videos](https://www.youtube.com/watch?v=oSBDkPxivuA) and other [major information sources](https://www.bbc.com/news/articles/cpwwqp6nx14o). In summary, Recall is a feature that takes "Snapshots", which is a fancy word for "screenshot", of your screen and monitors events like windows being opened, internet searches, dialogue boxes, and much more; all this information is stored in an unencrypted Sqlite3 database in the user's `AppData` directory and it's used by Microsoft's Copilot to aid the user in their experience with things ranging from browsing the internet to opening files. The way the Recall data is stored allows any user with read privileges over those files to extract the contents of the database and the snapshots taken during user activity potentially exposing sensitive information. During my research I came across [this](https://github.com/xaitax/TotalRecall/tree/main) GitHub repository by [xaitax](https://github.com/xaitax) which describes in detail how Recall represents a security nightmare and demonstrates how simple the code to extract data from it would be. The project only includes a Python script so I decided to make a [C++ version](https://github.com/otterpwn/cppRecall) that can be ran on a host even when the Python interpreter is not installed and, most importantly, can be easily ran from a beacon ʕ •ᴥ•ʔ - a pretty funny consideration is that the tool probably won't even need to be obfuscated or packed in any way since it's not performing malicious actions, it's just reading a single unencrypted file. {% embed url="" %}

If you want to test this out yourself, I've left some useful links in the code's comments as well as in the repo; at the time of writing, it seems like the best (and only) way to set up a test environment is to spin up an ARM64 Windows 11 VM on Azure (I registered a new account and got $200 worth of credits to spend in a month so I recommend you do that as well), update the system and install the Windows 11 AI Workloads for ARM64. In case you've never done this before, the following links should be enough to get you up and running * [Post](https://cybercx.com/blog/forensic-applications-of-microsoft-recall/) about forensics made on the MS Recall data and how to set up the environment * [Setup guide](https://www.golinuxcloud.com/create-vm-in-azure-step-by-step/) for Azure VM * Windows 11 AI Workloads download [link](https://archive.org/details/windows-workloads-0.3.252.0-arm-64.7z) * [Amperage Kit](https://github.com/thebookisclosed/AmperageKit/releases/tag/v2024.6.1) to install AI Workloads For now, the code is pretty basic and doesn't support any CLI arguments but I plan to make it more flexible by adding flags to manually specify the username and a range of timestamps to extract data from. Currently, you'll be able to run the PoC just by calling the executable ``` .\cppRecall.exe ``` This will produce an extraction directory of the format `_Recall_Extraction` containing a text file with all the dumped data

and an `ImageStore` folder with all the "snapshots" taken by the feature

The columns extracted by the tool can easily be changed so play around with the database and see what you might be interested in! *** **EDIT**: Right after I posted this Microsoft actually came out with [another statement](https://blogs.windows.com/windowsexperience/2024/06/07/update-on-the-recall-preview-feature-for-copilot-pcs/) updating on the whole Recall situation and addressing the security issues highlighted by the community. In this post MS states that Recall is > Secure by design and secure by default and states that > Copilot+ PCs will launch with “just in time” decryption protected by Windows Hello Enhanced Sign-in Security (ESS), so Recall snapshots will only be decrypted and accessible when the user authenticates adding a layer of protection over the user's data. ʕ •ᴥ•ʔ --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://otter.gitbook.io/red-teaming/articles/dumping-data-from-the-microsoft-recall-folder.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.