Microsoft Recall in Digital Forensics

From a digital forensics perspective, Recall is a valuable resource for analyzing user activities on Windows systems. Data relevant to forensic investigations can be found in the SQLite database ukg.db, in the registry hive where the Recall settings are stored, and in the ImageStore folder, which contains the snapshots created by Recall.

In the registry hive, the value CaptureExclusion is of particular interest. This is where all exclusions, meaning websites and applications that users do not want to be recorded, are stored Base64-encoded. However, the most important data for forensic analysis is located in the database.

This database contains a variety of tables that allow for the reconstruction of a comprehensive usage history. The structure of the database is illustrated in Figure 1 (ukg.db).

Figure 1 ukg.db

At first glance, the WindowCapture table stands out as the central element of the database. This table records entries for various events related to application windows and user interactions. The following events are particularly relevant:

  • WindowCreatedEvent: An application window has been opened.
  • WindowChangedEvent: Changes have been made to an application window.
  • WindowCaptureEvent: A snapshot has been created, with reference to the snapshot.
  • WindowDestroyedEvent: An application window has been closed.

The entries in this table are always accompanied by timestamps and the title of the window (except in the case of WindowDestroyedEvent). Via the WindowId field, all entries related to a specific application window can be retrieved, allowing for a precise understanding of what occurred during the usage period of the application window. By linking this information with other tables, the data from the WindowCapture table can be further enriched to create a comprehensive picture of user activities.

To illustrate this, we have created a simple example, shown in Figure 2 (sample data), which displays a portion of the data stored by Recall in the database. This data accurately reflects the actions performed on the computer: the File Explorer was opened, a folder was navigated to, and a text file was opened and edited. Before the recording, an exclusion for Notepad was established to demonstrate that Recall still writes data to the database despite the exception rule.

Figure 2 Example data

In addition to the tables mentioned before, there is also the AppDwellTime table. This table stores the usage times of applications and, when combined with the App table, can provide a good overview of frequently used applications. However, it is challenging to determine when entries in the AppDwellTime table are created; furthermore, these can only be vaguely associated with entries in the WindowCapture table.

In the previous article about Recall, Optical Character Recognition (OCR) was already mentioned. There is also a table in the database for the resulting data, namely WindowCaptureTextIndex_content. This table stores the captured text, and the entries can be uniquely associated with the WindowCapture entries via the WindowCaptureId.
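The two reconstruction steps described above (grouping WindowCapture events by WindowId, then attaching OCR text from WindowCaptureTextIndex_content via WindowCaptureId) can be expressed as a small SQLite query. The following is an added example written for this article, not code from the original page or from Microsoft: it builds an in-memory database with constructed sample rows modelled on the scenario in Figure 2 (File Explorer opened, a folder navigated to, a text file opened and edited in the excluded Notepad) and reconstructs a per-window timeline. Only the table names, the four event names, WindowId and WindowCaptureId come from the article; the column names Id, Name, WindowTitle, TimeStamp and Text, and the millisecond timestamp unit, are assumptions, so the query must be adapted to the column names found in a real ukg.db.

```python
import sqlite3

# Assumed schema for this example. Table names, event names, WindowId and
# WindowCaptureId are from the article; every other column name is a guess
# and must be checked against the real ukg.db before use.
SCHEMA = """
CREATE TABLE WindowCapture (
    Id INTEGER PRIMARY KEY,
    Name TEXT NOT NULL,          -- event type, e.g. WindowCreatedEvent
    WindowId INTEGER NOT NULL,   -- groups all events of one application window
    WindowTitle TEXT,            -- NULL for WindowDestroyedEvent
    TimeStamp INTEGER NOT NULL   -- assumed Unix epoch milliseconds
);
CREATE TABLE WindowCaptureTextIndex_content (
    WindowCaptureId INTEGER NOT NULL,  -- references WindowCapture.Id
    Text TEXT                          -- OCR result for that snapshot
);
"""

# Constructed sample rows (not real Recall data): Explorer (WindowId 10) and
# Notepad (WindowId 11). Notepad is recorded although an exclusion exists.
SAMPLE_EVENTS = [
    (1, "WindowCreatedEvent",   10, "File Explorer",        1700000000000),
    (2, "WindowChangedEvent",   10, "Documents",            1700000005000),
    (3, "WindowCaptureEvent",   10, "Documents",            1700000006000),
    (4, "WindowCreatedEvent",   11, "notes.txt - Notepad",  1700000010000),
    (5, "WindowCaptureEvent",   11, "notes.txt - Notepad",  1700000012000),
    (6, "WindowChangedEvent",   11, "*notes.txt - Notepad", 1700000020000),
    (7, "WindowDestroyedEvent", 11, None,                   1700000030000),
    (8, "WindowDestroyedEvent", 10, None,                   1700000040000),
]
SAMPLE_OCR = [
    (3, "Documents  notes.txt  report.docx"),
    (5, "meeting at 10am"),
]

# LEFT JOIN keeps events that have no snapshot (only WindowCaptureEvent rows
# carry OCR text); ordering by TimeStamp gives the usage history of one window.
TIMELINE_SQL = """
SELECT wc.Id, wc.Name, wc.WindowTitle, wc.TimeStamp, t.Text
FROM WindowCapture AS wc
LEFT JOIN WindowCaptureTextIndex_content AS t ON t.WindowCaptureId = wc.Id
WHERE wc.WindowId = ?
ORDER BY wc.TimeStamp
"""

def build_sample_db():
    """Create the in-memory sample database used by this example."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO WindowCapture VALUES (?,?,?,?,?)", SAMPLE_EVENTS)
    con.executemany("INSERT INTO WindowCaptureTextIndex_content VALUES (?,?)", SAMPLE_OCR)
    con.commit()
    return con

def window_timeline(con, window_id):
    """Ordered event list for one WindowId. The last known title is carried
    forward so the WindowDestroyedEvent (stored without a title) stays readable."""
    rows, last_title = [], None
    for cap_id, name, title, ts, text in con.execute(TIMELINE_SQL, (window_id,)):
        if title is not None:
            last_title = title
        rows.append({"id": cap_id, "event": name, "title": last_title,
                     "ts": ts, "text": text})
    return rows

def window_usage_seconds(con, window_id):
    """Seconds between WindowCreatedEvent and WindowDestroyedEvent of a window,
    or None when either end is missing (e.g. the window was still open)."""
    created, destroyed = con.execute("""
        SELECT MIN(CASE WHEN Name = 'WindowCreatedEvent'   THEN TimeStamp END),
               MAX(CASE WHEN Name = 'WindowDestroyedEvent' THEN TimeStamp END)
        FROM WindowCapture WHERE WindowId = ?""", (window_id,)).fetchone()
    if created is None or destroyed is None:
        return None
    return (destroyed - created) / 1000

def main():
    con = build_sample_db()
    for wid in (10, 11):
        print(f"== WindowId {wid}: open for {window_usage_seconds(con, wid)} s")
        for r in window_timeline(con, wid):
            ocr = f'   OCR: "{r["text"]}"' if r["text"] else ""
            print(f'{r["ts"]}  {r["event"]:<21} {r["title"]}{ocr}')

if __name__ == "__main__":
    main()
```

Against a real image, replace `sqlite3.connect(":memory:")` with a read-only connection to a copy of ukg.db and drop the sample inserts; the carry-forward of the last title is what makes the title-less WindowDestroyedEvent rows usable in a report.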

Some of the tables and fields remained empty during our tests. This may change once Recall is released in its final version. We will closely monitor developments and share our findings in future reports.