Windows.System.Recall.WindowCaptureEvent :: Velociraptor

Windows.System.Recall.WindowCaptureEvent

This artefact will read and correlate several tables to do with Microsoft Recall.

The main database is held here: C:\Users\*\AppData\Local\CoreAIPlatform.00\UKP{DA73A0DB-DDF4-4A81-9506-CCB5DE8B0F14}\ukg.db

With the images stored: C:\Users\\AppData\Local\CoreAIPlatform.00\UKP{DA73A0DB-DDF4-4A81-9506-CCB5DE8B0F14}\ImageStore\

To view the snapshot images easily from the notebook output, right click and open image in a new tab.

NOTE: There are many other very useful events in the database, this arefact just looks at the Capture Creation events.


name: Windows.System.Recall.WindowCaptureEvent
author: |
  Zach Stanford @svch0st
description: |
   This artefact will read and correlate several tables to do with Microsoft Recall.
   
   The main database is held here:
      C:\Users\\*\AppData\Local\CoreAIPlatform.00\UKP\{DA73A0DB-DDF4-4A81-9506-CCB5DE8B0F14}\ukg.db
        
   With the images stored:
      C:\Users\\*\AppData\Local\CoreAIPlatform.00\UKP\{DA73A0DB-DDF4-4A81-9506-CCB5DE8B0F14}\ImageStore\\*
   
   To view the snapshot images easily from the notebook output, right click and open image in a new tab. 

   
   NOTE: There are many other very useful events in the database, this arefact just looks at the Capture Creation events. 
   
parameters:
  - name: ukgPath
    default: /AppData/Local/CoreAIPlatform.00/UKP/*/ukg.db
  - name: SQLiteQuery
    default: |
        SELECT WindowCapture.TimeStamp as TimeStamp, WindowCapture.Name as EventName, WindowCapture.WindowTitle as WindowTitle, WindowCapture.WindowId as WindowId, App.Path as Process, WindowCaptureTextIndex_content.c2 as OcrText, ImageToken FROM WindowCaptureTextIndex_content INNER JOIN WindowCapture ON WindowCapture.Id == WindowCaptureTextIndex_content.c0 INNER JOIN WindowCaptureAppRelation ON WindowCaptureAppRelation.WindowCaptureId == WindowCaptureTextIndex_content.c0 INNER JOIN App ON App.Id == WindowCaptureAppRelation.AppId WHERE WindowCapture.Name == "WindowCaptureEvent" AND OcrText IS NOT NULL

  - name: userRegex
    default: .
    type: regex

precondition: SELECT OS From info() where OS = 'windows'

sources:
  - query: |
        LET db_files = SELECT * from foreach(
          row={
             SELECT Uid, Name AS User, Directory+ukgPath as globPath,
                    expand(path=Directory) AS HomeDirectory
             FROM Artifact.Windows.Sys.Users()
             WHERE Name =~ userRegex
          },
          query={
             SELECT User, OSPath, Mtime, HomeDirectory
             FROM glob(globs=globPath)
          })

        SELECT timestamp(epoch=TimeStamp) as Timestamp,
               EventName,
               WindowTitle,
               WindowId,
               Process,
               OcrText,
               upload(file=regex_replace(source=OSPath,re="ukg\.db",replace="ImageStore\\"+ImageToken)) AS Capture
        FROM foreach(row=db_files,
          query={
            SELECT *,OSPath
            FROM sqlite(
              file=OSPath,
              query=SQLiteQuery)
          })

column_types:
- name: Capture
  type: preview_upload