This artefact will read and correlate several tables to do with Microsoft Recall.
The main database is held here: C:\Users\*\AppData\Local\CoreAIPlatform.00\UKP{DA73A0DB-DDF4-4A81-9506-CCB5DE8B0F14}\ukg.db
This artefact will join multiple tables together to enrich the Window Capture events of recall.
name: Windows.System.Recall.AllWindowEvents
author: |
Zach Stanford @svch0st
description: |
This artefact will read and correlate several tables to do with Microsoft Recall.
The main database is held here:
C:\Users\\*\AppData\Local\CoreAIPlatform.00\UKP\{DA73A0DB-DDF4-4A81-9506-CCB5DE8B0F14}\ukg.db
This artefact will join multiple tables together to enrich the Window Capture events of recall.
parameters:
- name: ukgPath
default: /AppData/Local/CoreAIPlatform.00/UKP/*/ukg.db
- name: SQLiteQuery
default: |
SELECT WindowCapture.TimeStamp, WindowCapture.Name as EventName, WindowCapture.WindowTitle as WindowTitle, App.Name as AppName, App.Path as AppProcess FROM WindowCapture LEFT JOIN (SELECT WindowId as wid, AppId FROM WindowCapture LEFT JOIN WindowCaptureAppRelation ON Id=WindowCaptureId WHERE WindowId is not NULL and AppId is not NULL GROUP BY WindowId, AppId ORDER BY WindowId) WindowApp ON WindowCapture.WindowId=WindowApp.wid LEFT JOIN App ON App.Id=WindowApp.AppId ORDER BY TimeStamp
- name: userRegex
default: .
type: regex
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET db_files = SELECT * from foreach(
row={
SELECT Uid, Name AS User, Directory+ukgPath as globPath,
expand(path=Directory) AS HomeDirectory
FROM Artifact.Windows.Sys.Users()
WHERE Name =~ userRegex
},
query={
SELECT User, OSPath, Mtime, HomeDirectory
FROM glob(globs=globPath)
})
SELECT timestamp(epoch=TimeStamp) as Timestamp,
EventName,
WindowTitle,
AppName,
AppProcess
FROM foreach(row=db_files,
query={
SELECT *,OSPath
FROM sqlite(
file=OSPath,
query=SQLiteQuery)
})