'TotalRecall' extracts everything from the recorded data of the 'Recall' function that saves everything in Windows 11



Microsoft has announced a new feature called 'Recall' for its AI-specialized Windows PC 'Copilot+ PC' that can record and search all of your PC activity and viewing history. Alex Hagener, a security researcher and white hat hacker, has released a demo tool called 'TotalRecall' that automatically extracts and displays all the information that 'Recall' records on a laptop.

GitHub - xaitax/TotalRecall: This tool extracts and displays data from the Recall feature in Windows 11, providing an easy way to access information about your PC's activity snapshots.
https://github.com/xaitax/TotalRecall

You can understand what Recall is by reading the following article.

Microsoft announces new AI feature 'Recall' for Windows 11, a powerful AI search function that records everything you see and do on your PC and allows you to search later - GIGAZINE



Windows 11 Recall stores everything locally in an unencrypted SQLite database, with screenshots stored on your PC in 'C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}' and all images stored in a subfolder called '.\ImageStore\'.

TotalRecall is a tool that runs on the Copilot+ PC, which runs on an Arm processor. It copies the database and screenshots, analyzes the database, and then searches for data by date or string. The search uses OCR functionality, so it can search even if the string is contained in the image.



TotalRecall also generates a summary of the extracted data, including the number of windows and images captured, and creates a detailed report in a text file listing all captured data and search results.



According to Hagener, the data processed by Recall is encrypted, but when you log in to your PC and run the Recall app, it is automatically decrypted. Therefore, Hagener points out that if a Trojan that automatically steals usernames and passwords is modified to support Recall, the Recall data can easily be accessed.

While Microsoft said that 'only the affected user can access the Recall data,' Hagener said he could demonstrate that other user accounts on the same device had access to the database. Hagener also claims that he built a website that automates the data extraction and uploads the database online for instant search, but said he would not provide details until he notified Microsoft.

Hagener criticized Microsoft's misleading claims that Recall is highly secure, and warned that if Copilot+ PC is deployed for corporate use, Recall, which is enabled by default, should be turned off to prevent data leakage.
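For the corporate-deployment review suggested above, here is an added example (not code from TotalRecall or from the article) that inventories Recall stores under a users directory and reports which files in each store are readable as plaintext SQLite, judged by the standard 16-byte SQLite header. The fixture file names `sample.db` and `snap1` and the all-zero GUID are constructed placeholders; only the store path comes from the article.

```python
import tempfile
from pathlib import Path
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of a plaintext SQLite file
STORE_REL = Path("AppData/Local/CoreAIPlatform.00/UKP")  # per-profile path from the article

def files_in(directory: Path) -> list:  # regular files; empty if missing or unreadable
    try:
        return sorted(f for f in directory.iterdir() if f.is_file())
    except OSError:
        return []

def is_plain_sqlite(path: Path) -> bool:  # readable by this account AND unencrypted
    try:
        with path.open("rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def audit_recall_stores(users_root: Path) -> list:
    """One finding per {GUID} store under each profile below users_root."""
    findings = []
    for profile in sorted(p for p in users_root.iterdir() if p.is_dir()):
        try:
            stores = sorted(d for d in (profile / STORE_REL).iterdir() if d.is_dir())
        except OSError:
            continue  # no Recall store in this profile, or access denied
        for store in stores:
            images = files_in(store / "ImageStore")
            findings.append({
                "user": profile.name,
                "store": store.name,
                "plain_sqlite": [f.name for f in files_in(store) if is_plain_sqlite(f)],
                "snapshots": len(images),
                "snapshot_bytes": sum(f.stat().st_size for f in images),
            })
    return findings

def build_sample(root: Path) -> None:  # constructed fixture: alice has a store, bob none
    store = root / "alice" / STORE_REL / "{00000000-0000-0000-0000-000000000000}"
    (store / "ImageStore").mkdir(parents=True)
    (store / "sample.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)  # header only
    (store / "ImageStore" / "snap1").write_bytes(b"x" * 10)
    (root / "bob").mkdir()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on the constructed fixture
        build_sample(Path(tmp))
        for row in audit_recall_stores(Path(tmp)):
            print(row)
```

On a managed device, call `audit_recall_stores(Path(r"C:\Users"))` from a standard account that does not own the profiles: any row it returns for another user's profile is the cross-account exposure described above.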

'I believe Microsoft should recall Recall and redesign it to work as intended, and then offer it back at a later date,' Hagener said. 'They should also reassess the internal decision-making that led to this. This should never have happened.'

It has been suggested that the name 'TotalRecall' is a reference to the film 'Total Recall,' which is based on the science fiction short story 'We Can Remember It for You.'



in Software, Posted by log1i_yk