Microsoft Recall: A game changer with high risks

Security concerns delay Microsoft Recall rollout

TechRadar · News · By Jamie Smith · Published 10 October 2024


In June, Microsoft postponed the introduction of its controversial Recall feature following a series of serious security concerns. The AI-powered tool, designed to capture all user activity over the previous six months, was positioned as a solution that helps users track their activities and efficiently find previously visited websites, documents and applications. Microsoft developed Recall to allow users to 'retrace their steps' by capturing screen snapshots every five seconds. The tool saves these images, catalogues the viewed content using AI, and then offers it back to the user through a search function.

For cyber investigators, Recall could be a transformative force in gathering and analyzing evidence, improving both the investigative process and its outcomes. However, noise around cybersecurity concerns is loud – and for good reason. The tool’s ability to capture and duplicate data means that sensitive information could be exposed and leveraged by threat actors.

Jamie Smith

Global Head of Cyber Security Services, S-RM.

Transforming forensics, though gaps remain

Setting security concerns aside, Recall has the potential to revolutionize forensic investigations in the event of cyber incidents. First, its searchable format can dramatically speed up investigations by removing the arduous and time-consuming task of processing large quantities of evidence.

When digital evidence is lost – be it through browser history clearing or file deletion – Recall’s screen capturing ability would step in to ensure that it remains accessible. Equipped with Recall, investigators would also be able to visually verify their results, giving greater confidence in the veracity of forensic findings.

Despite its advantages, Recall has critical blind spots. Most significantly, the absence of an audit log means that access to Recall data, whether by threat actors or by users, is untraceable. Threat actors can also evade detection by using applications like Edge’s InPrivate mode, which Recall can’t track, and by engaging in activities that are hidden from the screen or hidden by user settings. Looking at Recall as a whole, the advantages speak for themselves, but there’s no suggestion that it is the complete solution for investigators aiming to stop threat actors in their tracks.

Unintentionally handing threat actors the upper hand

Recall inherently risks exposing sensitive information that threat actors could exploit, which in the end was the driving force behind Microsoft’s decision to delay its rollout.

Following news of the release of Microsoft Recall, security researchers developed and released a tool named TotalRecall. It can locate, duplicate, and translate the data gathered by the Recall feature in a plaintext database, which is instantly searchable. Since attackers routinely exploit existing tools and systems to achieve their objectives, it is likely they would add TotalRecall to their arsenal, exploiting its insights where possible.
