home.social

#coreaiplatform — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #coreaiplatform, aggregated by home.social.

  1. 🚨 Incident Response
    ===================

    Executive summary:
    Windows 11 (24H2) introduces forensic-relevant changes, most notably the Recall feature, which periodically captures screenshots of the foreground window, embeds structured metadata in each JPEG's Exif tags, and indexes the captured content in DiskANN vector stores. These artifacts change what evidence is available on a host and require updated collection and triage methods.

    Technical details:
    • Storage locations: Raw screenshots are stored as JPEG files under %LocalAppData%\CoreAIPlatform.00\UKP\{GUID}\ImageStore\ (the AppData\Local tree of the user profile; the {GUID} segment varies). Filenames correspond to the internal screenshot identifiers the feature assigns.
    • Metadata: The Exif tag Exif.Photo.MakerNote (0x927c) holds structured metadata including foreground window bounds, capture timestamp, window title, window identifier, and the full path of the process owning the window. Browser activity may preserve URI and domain data in the same metadata.
    • Indexing: Two DiskANN vector databases are created for search acceleration: SemanticTextStore.sidb and SemanticImageS (semantic image index). These enable semantic queries across captured text and imagery.
    • Configuration: Recall operates per user. A registry key in the user hive at Software\Policies\Microsoft\Windows\WindowsAI\ controls screenshot saving. Additional registry keys were introduced for Recall management in recent builds.
    • Platform requirements and availability: Recall is only offered on systems with an NPU (Neural Processing Unit); at the time of writing that means ARM-based machines only. Microsoft ships Recall disabled by default in enterprise builds.
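    The MakerNote extraction described above, as an added worked example (not code from the Securelist article or from Microsoft): a minimal Exif/TIFF walker that follows IFD0 to the Exif IFD (0x8769) and pulls out tag 0x927c, then builds a capture-time-ordered triage timeline. The real encoding of Recall's MakerNote body is not documented in the post, so the body here is a CONSTRUCTED JSON stand-in with assumed field names (timestamp, windowTitle, processPath, uri); the sample snapshots, identifiers and paths are made up, and only the Exif walking is general.

```python
"""Added example, not code from the Securelist article or from Microsoft:
walk the Exif structure of a Recall-style JPEG, pull out the MakerNote
(tag 0x927c) and turn it into triage records. The MakerNote body used here
is a CONSTRUCTED JSON stand-in; the real Recall field encoding is not in the post."""
import json
import struct
from typing import Dict, Iterator, List, Optional, Tuple

SOI, EOI, APP1 = b"\xff\xd8", b"\xff\xd9", b"\xff\xe1"
TAG_EXIF_IFD, TAG_MAKERNOTE = 0x8769, 0x927C      # standard Exif tag numbers
TYPE_LONG, TYPE_UNDEFINED = 4, 7


def build_exif_jpeg(makernote: bytes) -> bytes:
    """Fabricate a minimal JPEG (little-endian TIFF) whose APP1/Exif block carries
    the given MakerNote. Offline test input only; assumes len(makernote) > 4."""
    ifd0 = 8                          # TIFF header is 8 bytes
    exif_ifd = ifd0 + 2 + 12 + 4      # IFD0 = count + one entry + next-IFD pointer
    mn_off = exif_ifd + 2 + 12 + 4    # Exif IFD has the same shape, MakerNote data follows
    tiff = struct.pack("<2sHI", b"II", 42, ifd0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_EXIF_IFD, TYPE_LONG, 1, exif_ifd) + b"\0" * 4
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_MAKERNOTE, TYPE_UNDEFINED, len(makernote), mn_off) + b"\0" * 4
    payload = b"Exif\0\0" + tiff + makernote
    return SOI + APP1 + struct.pack(">H", len(payload) + 2) + payload + EOI


def _segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each JPEG segment up to SOS/EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                    # EOI, or SOS (entropy-coded data follows)
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def _find_entry(tiff: bytes, e: str, ifd: int, wanted: int) -> Optional[Tuple[int, int, bytes]]:
    """(type, count, raw 4-byte value field) for tag `wanted` in the IFD at offset `ifd`."""
    n = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    for i in range(n):
        base = ifd + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        if tag == wanted:
            return typ, count, tiff[base + 8:base + 12]
    return None


def extract_makernote(data: bytes) -> Optional[bytes]:
    """IFD0 -> Exif IFD (0x8769) -> MakerNote (0x927c); None if any link is missing."""
    for marker, payload in _segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if e is None or struct.unpack(e + "H", tiff[2:4])[0] != 42:
            raise ValueError("malformed TIFF header in APP1")
        ptr = _find_entry(tiff, e, struct.unpack(e + "I", tiff[4:8])[0], TAG_EXIF_IFD)
        if ptr is None:
            return None
        mn = _find_entry(tiff, e, struct.unpack(e + "I", ptr[2])[0], TAG_MAKERNOTE)
        if mn is None:
            return None
        _, count, raw = mn
        if count <= 4:                                # values of 4 bytes or less live inline
            return raw[:count]
        off = struct.unpack(e + "I", raw)[0]
        return tiff[off:off + count]
    return None


SENSITIVE_HINTS = ("incognito", "inprivate", "password", "checkout")  # assumed heuristic, not Recall's own filter list


def flag_sensitive(record: dict) -> List[str]:
    """Recall's exclusion filters are reported to fail intermittently, so re-check
    every capture for sensitive context instead of trusting the exclusion."""
    reasons = [h for h in SENSITIVE_HINTS if h in record["title"].lower()]
    if record.get("uri"):
        reasons.append("uri-present")
    return reasons


def triage_image_store(images: Dict[str, bytes]) -> List[dict]:
    """images: filename -> JPEG bytes (read from ImageStore\\* in practice).
    Returns a capture-time-ordered timeline, each record carrying sensitivity flags."""
    timeline = []
    for name, data in images.items():
        mn = extract_makernote(data)
        if mn is None:
            continue                                  # no MakerNote: not a Recall snapshot, or stripped
        meta = json.loads(mn.decode("utf-8"))         # constructed schema, see module docstring
        rec = {"file": name, "timestamp": meta["timestamp"], "title": meta.get("windowTitle", ""),
               "process": meta.get("processPath", ""), "uri": meta.get("uri")}
        rec["flags"] = flag_sensitive(rec)
        timeline.append(rec)
    return sorted(timeline, key=lambda r: r["timestamp"])


def sample_image_store() -> Dict[str, bytes]:
    """CONSTRUCTED snapshots: identifiers, paths, titles and times are made up."""
    notes = {
        "000a.jpg": {"timestamp": "2024-11-03T10:02:11Z", "windowTitle": "Inbox - Outlook",
                     "processPath": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
        "000b.jpg": {"timestamp": "2024-11-03T10:00:05Z", "windowTitle": "Checkout - Shop (InPrivate)",
                     "processPath": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                     "uri": "https://shop.example/checkout"},
        "000c.jpg": {"timestamp": "2024-11-03T10:05:40Z", "windowTitle": "cmd.exe",
                     "processPath": r"C:\Windows\System32\cmd.exe"},
    }
    return {n: build_exif_jpeg(json.dumps(m).encode("utf-8")) for n, m in notes.items()}
```

    Against a real ImageStore, replace sample_image_store() with a dict built from the files on disk and swap the json.loads step for whatever the actual MakerNote layout turns out to be; the Exif walking, the inline-value edge case for short tags, and the sort-then-flag pass stay the same. Sorting on the capture timestamp rather than on filename matters because the internal identifiers are not documented to be monotonic.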

    Observed caveats and reliability:
    Microsoft implemented filters intended to skip capture of potentially sensitive UI contexts (incognito windows, payment fields, password managers). The article notes that these filters may fail intermittently, so artifacts containing sensitive data may still be present. The feature's controversy led to default disabling in corporate images.

    Implications for incident response and forensic workflows:
    • Evidence sources: Analysts should include the CoreAIPlatform image store and the associated DiskANN databases when assessing user activity on Windows 11 devices where Recall was enabled, or where a threat actor may have turned it on.
    • Triage artifacts: Exif.Photo.MakerNote contents provide rich timeline and process linkage information that complement classic artifacts (prefetch, event logs, MRU lists).
    • Collection notes: Because Recall is user-scoped and may be disabled in managed environments, confirmation of registry policy and presence of the ImageStore and DiskANN files is required before assuming availability.
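    The pre-collection check described in the collection notes, as an added example (not code from the Securelist article): combine the per-user policy state with what is actually on disk before deciding whether Recall artifacts exist. The directory layout is the one the post gives; the policy value name DisableAIDataAnalysis (1 = snapshot saving turned off) is taken from Microsoft's Group Policy documentation, not from the post. The demo profile tree, its GUID and file names are constructed, and the policy reader is injected so the logic can be exercised offline.

```python
"""Added example, not from the Securelist article: confirm, before collection,
whether Recall artifacts can be expected for a user profile. Path layout follows
the post; the policy value name DisableAIDataAnalysis is from Microsoft's
Group Policy documentation, not from the post."""
import sys
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

POLICY_SUBKEY = r"Software\Policies\Microsoft\Windows\WindowsAI"
POLICY_VALUE = "DisableAIDataAnalysis"       # 1 = snapshot saving turned off for this user


def live_policy_lookup() -> Optional[int]:
    """Read the per-user policy from HKCU on a live Windows host. For an offline
    NTUSER.DAT use a hive parser instead. None means the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_SUBKEY) as key:
            return int(winreg.QueryValueEx(key, POLICY_VALUE)[0])
    except OSError:
        return None


def find_recall_stores(local_appdata: Path) -> Dict[str, List[Path]]:
    """ImageStore directories and DiskANN .sidb files under
    <LocalAppData>/CoreAIPlatform.00/UKP/{GUID}/. The GUID varies, so every
    child is checked; the .sidb location inside the GUID dir is not stated in
    the post, hence the recursive glob."""
    found: Dict[str, List[Path]] = {"image_stores": [], "sidb": []}
    ukp = local_appdata / "CoreAIPlatform.00" / "UKP"
    for guid_dir in (sorted(ukp.iterdir()) if ukp.is_dir() else []):
        if (guid_dir / "ImageStore").is_dir():
            found["image_stores"].append(guid_dir / "ImageStore")
        found["sidb"].extend(sorted(guid_dir.rglob("*.sidb")))
    return found


def recall_availability(local_appdata: Path, policy_lookup: Callable[[], Optional[int]]) -> dict:
    """Combine policy state with on-disk evidence. A policy value of 1 does not by
    itself mean no artifacts: captures may predate the policy, or it may have
    been toggled, so the disk is always checked."""
    stores = find_recall_stores(local_appdata)
    images = sum(1 for s in stores["image_stores"] for f in s.iterdir() if f.is_file())
    policy = policy_lookup()
    if policy == 1:
        verdict = ("disabled by policy, no artifacts" if not images and not stores["sidb"]
                   else "disabled by policy, artifacts present anyway: collect")
    elif images or stores["sidb"]:
        verdict = "artifacts present: collect"
    else:
        verdict = "no artifacts (never enabled, unsupported hardware, or wiped)"
    return {"policy": policy, "image_count": images,
            "sidb": [p.name for p in stores["sidb"]], "verdict": verdict}


def make_demo_profile() -> Path:
    """CONSTRUCTED profile tree in a temp dir; the GUID and file names are made up."""
    root = Path(tempfile.mkdtemp(prefix="recall-demo-"))
    guid_dir = root / "CoreAIPlatform.00" / "UKP" / "{11111111-2222-3333-4444-555555555555}"
    (guid_dir / "ImageStore").mkdir(parents=True)
    for name in ("000001.jpg", "000002.jpg"):
        (guid_dir / "ImageStore" / name).write_bytes(b"\xff\xd8\xff\xd9")   # placeholder JPEGs
    (guid_dir / "SemanticTextStore.sidb").write_bytes(b"")
    return root


if __name__ == "__main__":
    # On a live Windows host: recall_availability(Path(os.environ["LOCALAPPDATA"]), live_policy_lookup)
    print(recall_availability(make_demo_profile(), lambda: None))
```

    The verdict string is deliberately conservative: a policy of 1 only downgrades expectation when the ImageStore and .sidb files are genuinely absent, which is the situation the collection notes warn about.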

    Detection and recommendations noted in the source:
    The article reports that Recall is disabled in corporate builds by default and can be configured via Group Policy; it also highlights the metadata locations and DB filenames to search for during triage.

    Limitations:
    The findings apply to Windows 11 24H2 at time of writing. Platform-specific availability (NPU/ARM) and Microsoft refinements mean artifacts and behavior may evolve.

    🔹 #Windows11 #digitalforensics #Recall #DiskANN #CoreAIPlatform

    🔗 Source: securelist.com/forensic-artifa