Today, we are going to address a popular topic making the rounds in the latest cyber security news: the new Windows Recall feature that's just been released for Windows 11.
I'll be discussing the following topics in order: Premise; What is Windows Recall?; What is a system screenshot?; CAUTION! READ FIRST!; NEGATIVE PENALTY!
It's no shocker that there are some, ahem... "major" security-related concerns that have been circulating about it for the past few weeks since its official announcement and release.
I'm going to talk a bit about how it works, and of course, like always, I'll explain the dangers of it. In the more advanced version of the articles, I'm going to go over how some of the core API functions work, and how we can exploit them. Much like the DLL injection article, where I mention there will be a follow-up article later on with live footage to show the exploit, the same will be the case with this article as well. This is to ensure you have the proper knowledge and that it marinates before we dive into the real thing.
Security is something that is HIGHLY neglected during many software development projects. I've talked a bit about this before, but if security is not kept in mind, it can lead to some pretty crazy stuff, like, for example, OpenAuth and SSO. If you would like to see what I'm talking about in regards to that, you can check out this article here.
This article is a part of the Danger! Series, which is where I raise more Cyber Security awareness about critical flaws and vulnerabilities that exist within various system infrastructures, including any protocols and data communication methods, and the Dangers of what could happen should they be exploited to the fullest extent. I also go over various mitigation strategies that can be used to prevent them. If by chance there is an exploit video from me showing the full potential risk, it will be included in the advanced version of this article for PAID Patreon members only!
Windows Recall is a new "snapshot" feature for Windows 11, where around every 5 seconds, the state of the system is essentially "screenshotted", recording and saving the main state of the system, so that you can return to a period in time and pick up where you left off.
The best analogy for this would be like the screenshot method for virtual machines, where you can "screenshot" where you're currently at on the system and resume your progress later on when you need to. It's also portable, so if you happen to snapshot the system, you can carry it to another VM of the same type and then pop it there.
Windows Recall is a part of the main Windows Copilot Runtime, which is an AI-based API.
It relies on the User Activity API, which is a C#-focused API, in order to create screenshots and encapsulate sessions that have to do with the end user data that is on the system: overall user activity, data, data accounts, as well as any and all tasks that were running on the main system at the time.
System screenshots, often performed for virtual machines, are a mechanic that allows you to screenshot the entire state of the local system from all of its various endpoints: memory, tasks, running browser sessions and any cookie data with them, etc.
Think of it like "quick save" when you are playing a video game. Once you reach a certain checkpoint, OR, after a certain period of time, the game will "save" itself, in which, depending on the game, you can go back in time and pick up where you left off.
System snapshots are also a technique that is commonly used for forensics purposes, whether it be maliciously or defensively. They can be used, for example, to retrieve crypto keys that are often stored in memory during live run time of the system. This can be vital for data recovery purposes in case you lost the keys, OR, in the eyes of an attacker, it can be used to decrypt any and all sensitive data with them to compromise a system infrastructure.
Since Windows Recall is fairly new, these are just theories on how it can be exploited, which are not fully set in stone until people exploit it (which many have already done).
Feel free to theorize and let me know various other ways this feature can be exploited by dropping a comment in the comments section below.
Windows Recall renders stuff like data sanitization methods on the system useless.
Wiped a few crypto keys as part of a proper toss-the-key method? Recall will help threat actors restore the system so they can retrieve them!
Deleted files and purged them from the system so no one could view them and have a digital certificate verifying the wipe? RECALL WILL HELP THREAT ACTORS RESTORE THE SYSTEM SO THEY CAN RETRIEVE IT!
See where I'm going with this? No matter what you do, threat actors are able to essentially go back in time and revert the process since the main state of the system has been PERFECTLY saved in memory. At this point, it's also a forensics tool that hackers can use for data retrieval.
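An added example, not part of the original article: a PowerShell audit of whether Recall snapshot saving is blocked on a host, which is the first thing to confirm before relying on any wipe procedure. The `DisableAIDataAnalysis` policy value and the `Recall` optional-feature name are taken from Microsoft's Recall management documentation, not from this article; the function names are hypothetical.

```powershell
# Added example: audit Recall snapshot settings on the local host.
# DisableAIDataAnalysis = 1 means "turn off saving snapshots" (Microsoft WindowsAI policy).
function Get-RecallPolicyState {
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\WindowsAI'
    $scopes = [ordered]@{ Machine = 'HKLM:'; User = 'HKCU:' }

    foreach ($scope in $scopes.GetEnumerator()) {
        $path  = Join-Path $scope.Value $subKey
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # A missing value yields $null, which is reported as "not configured".
            $value = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).DisableAIDataAnalysis
        }
        [pscustomobject]@{
            Scope            = $scope.Key
            Path             = $path
            PolicyValue      = $value
            SnapshotsBlocked = ($value -eq 1)
        }
    }
}

function Get-RecallFeatureState {
    # Needs an elevated session; returns $null when the build does not expose the feature.
    try {
        (Get-WindowsOptionalFeature -Online -FeatureName 'Recall' -ErrorAction Stop).State
    } catch {
        $null
    }
}

$policy  = @(Get-RecallPolicyState)
$feature = Get-RecallFeatureState

$policy | Format-Table Scope, PolicyValue, SnapshotsBlocked -AutoSize
$featureText = if ($null -ne $feature) { "$feature" } else { 'not reported' }
"Recall optional feature state: $featureText"

# Flag hosts where neither scope blocks snapshots and the feature is not disabled.
$blockedByPolicy = $policy.SnapshotsBlocked -contains $true
if (-not $blockedByPolicy -and $featureText -notlike 'Disabled*') {
    Write-Warning 'No policy blocks Recall snapshots on this host.'
}
```

The script only reads configuration; it reports per-scope policy values so that a machine-wide setting and a per-user setting can be compared side by side.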
If you'd like to see the more advanced version of this article that talks about methods that can be used to mitigate, as well as any videos included, SUBSCRIBE TO MY PATREON CYBER SECURITY TIER!
If you enjoyed this post, give it a thumbs up! I'll be keeping track of who's reacting from now on as there is a "special" reason for it. Just know the more you support my content, the more there is in store!
- The Hacker Who Laughs