Concerned about security? Introducing Windows 11 Recall, the latest in Microsoft’s AI personalised collaborative search innovation. The perfect tool for those who love living on the edge of privacy invasion and a data risk envelope. Thank you, Microsoft, for this monument to misdirected technological ambition that delivers a surrealist timeline of every pizza recipe and cat meme you’ve ever looked at.
I don’t plan to do a teardown of this new functionality, so if you want more delightful details, check out the official Microsoft support page and privacy controls here.
What I would like to signpost, with a few thoughts, is the impact this is likely to have on Cyber Incident Response Teams (CIRT) and forensics.
Microsoft has truly outdone itself in turning data forensics into a dystopian game of hide-and-seek. Windows 11 Recall will ensure that CIRT forensic teams are never bored. With volumes of irrelevant data to sift through and crucial evidence perpetually just out of reach if not obfuscated, it’s the ultimate tool for those who enjoy a challenge.
Recall’s pièce de résistance is its storage management. By hoarding up to 150GB (by default) of desktop snapshots on your device, it ensures local PC storage is constantly brimming with potential forensic red herrings. Every snapshot is an adventure, promising hours of detective work to confirm it’s just another screenshot of your desktop wallpaper.
Time will tell, but on initial inspection Recall risks making incident response impact analysis more challenging than it already is. Key to a cyber forensic process is establishing a timeline of data stewardship to identify what information may have been available to an attacker based on the level of access they obtained. It’s not trivial work, but this is bread and butter for forensic teams. Recall’s AI indirection makes it near impossible to identify and validate the blast radius of a data compromise.
Then of course there is the spectre of e-discovery proceedings, where legal counsel will request the recovery of data and will now be able to demand Recall snapshots as part of any proceedings. The risk of unintended consequences from innocent end user browsing and personal use in corporate environments is daunting.
And let’s not forget the security paradox: Recall keeps everything local and encrypted (beware how thin a veil of security this currently is in practice), ensuring that if your device is compromised, all the sensitive snapshots are right there for the taking. Recall has the prospect of proving to be a worrying force multiplier in any context where a keylogger would be useful to a malicious actor, providing native retroactive activity logging. Because why should hackers have to work for their data?
For now, regard this functionality as very much BETA until such time as Microsoft corrects some of these glaring security and privacy regressions. As of the time of writing, a saving grace is that getting full value from Windows 11 Recall functionality requires, by default, an enhanced Copilot+ PC. In summary, apart from a significant memory and CPU demand, this requires a Neural Processing Unit (NPU). This means it will potentially NOT be available to the majority of user or corporate systems today by default. That having been said, it is understood the functionality CAN be enabled without an NPU if enabled manually.
Posted on June 1, 2024