https://github.com/hazcod/totalrecall
A Go SDK and commandline utility to abuse the latest Windows Copilot+ Recall feature.
- Host: GitHub
- URL: https://github.com/hazcod/totalrecall
- Owner: hazcod
- License: apache-2.0
- Created: 2024-06-05T13:35:17.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2025-03-31T04:48:57.000Z (about 1 year ago)
- Last Synced: 2025-04-15T14:19:20.161Z (about 1 year ago)
- Topics: copilot, dfir, go, recall
- Language: Go
- Homepage:
- Size: 58.6 KB
- Stars: 4
- Watchers: 1
- Forks: 1
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# totalrecall-go
A Go SDK and commandline utility to abuse the latest Windows Copilot+ Recall feature.
This was inspired by [Kevin Beaumont's excellent blog article](https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e).
It reads every Recall extract on the device and returns the following information for each one:
- Timestamp of the extract
- Window title
- Window token
- Screenshot contents
- Web traffic information (domain, URL)
This does not need SYSTEM privileges on Windows: the data is simply read from the user's own %APPDATA% tree, so the current user's privileges are sufficient. That is the whole point: anything running as the logged-on user, malware included, can read the same store.
If you are running as SYSTEM, the SDK also supports reading the Recall data of other user accounts on the machine.
## Usage
Either use the CLI utility:
```shell
./totalrecall -log=info
```
Or use the SDK:
```go
package main

import (
	"log"
	"os"

	recallPkg "github.com/hazcod/totalrecall/pkg/recall"
)

func main() {
	// pass nil for the default logger, or your own *logrus.Logger
	recall, err := recallPkg.New(nil)
	if err != nil {
		log.Fatal(err)
	}

	// find any OCR'd images for the user running this process;
	// the extractor is called on the instance returned by New
	extracts, err := recall.ExtractImagesForCurrentUser()
	if err != nil {
		// %v, not %w: %w is only valid in fmt.Errorf
		log.Printf("could not extract Recall images: %v", err)
		os.Exit(1)
	}

	for i, extract := range extracts {
		log.Printf("%d - %s - %s - %s", i+1, extract.Timestamp, extract.WindowTitle, extract.WindowToken)
	}
}
```
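Once the extracts are in hand, the DFIR question is which of them actually exposed something. The following is an added example written for this page, not code from the totalrecall project or its README: it defines a local `Extract` type with the fields the README lists (the field names `Contents`, `Domain` and `URL`, the `Finding` type, the watchlist and all sample records are assumptions constructed for the example, not the SDK's own types or real captured data) and runs a triage pass that keeps extracts newer than a cut-off time, flags watchlisted domains, Luhn-valid card numbers, e-mail addresses and password prompts in the OCR text, and returns the hits as an oldest-first timeline.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Extract mirrors the per-extract fields the README lists. The names are
// an assumption for this example, not the SDK's own struct.
type Extract struct {
	Timestamp   time.Time
	WindowTitle string
	WindowToken string
	Contents    string // OCR'd screenshot text
	Domain      string
	URL         string
}

// Finding is an extract plus the reasons it was flagged.
type Finding struct {
	Extract Extract
	Reasons []string
}

var (
	// 13-19 digits, optionally separated by spaces or dashes
	reCardCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	reEmail         = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	rePassword      = regexp.MustCompile(`(?i)\bpass(word|wd)?\s*[:=]`)
)

// luhnValid reports whether a digit string passes the Luhn checksum, which
// filters most random digit runs out of the card-number candidates.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Classify returns the reasons an extract is sensitive, or nil if none apply.
func Classify(e Extract, watchDomains map[string]bool) []string {
	var reasons []string
	if watchDomains[strings.ToLower(e.Domain)] {
		reasons = append(reasons, "watchlisted domain "+e.Domain)
	}
	for _, m := range reCardCandidate.FindAllString(e.Contents, -1) {
		if luhnValid(digitsOnly(m)) {
			reasons = append(reasons, "Luhn-valid card number")
			break
		}
	}
	if reEmail.MatchString(e.Contents) {
		reasons = append(reasons, "email address in OCR text")
	}
	if rePassword.MatchString(e.Contents) {
		reasons = append(reasons, "password field in OCR text")
	}
	return reasons
}

// Triage drops extracts older than since, classifies the rest and returns
// the flagged ones ordered oldest-first, the way a DFIR timeline reads.
func Triage(extracts []Extract, since time.Time, watchDomains map[string]bool) []Finding {
	var out []Finding
	for _, e := range extracts {
		if e.Timestamp.Before(since) {
			continue
		}
		if r := Classify(e, watchDomains); len(r) > 0 {
			out = append(out, Finding{Extract: e, Reasons: r})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Extract.Timestamp.Before(out[j].Extract.Timestamp) })
	return out
}

// SampleExtracts is constructed stand-in data for what the SDK would return;
// nothing here was captured from a real device.
func SampleExtracts() []Extract {
	base := time.Date(2024, 6, 5, 13, 0, 0, 0, time.UTC)
	return []Extract{
		{base.Add(10 * time.Minute), "Checkout - Example Shop", "tok-1", "Card number 4111 1111 1111 1111 Exp 12/26", "shop.example", "https://shop.example/checkout"},
		{base.Add(5 * time.Minute), "Inbox", "tok-2", "From: alice@example.org Subject: lunch", "mail.example", "https://mail.example/inbox"},
		{base, "Notepad", "tok-3", "meeting notes, nothing secret", "", ""},
		{base.Add(-time.Hour), "Login - Bank", "tok-4", "Username: bob Password: hunter2", "bank.example", "https://bank.example/login"},
	}
}

func main() {
	since := time.Date(2024, 6, 5, 12, 30, 0, 0, time.UTC) // hypothetical incident window start
	watch := map[string]bool{"bank.example": true}          // hypothetical watchlist
	for _, f := range Triage(SampleExtracts(), since, watch) {
		fmt.Printf("%s  %-24s  %s  %s\n", f.Extract.Timestamp.Format(time.RFC3339),
			f.Extract.WindowTitle, f.Extract.URL, strings.Join(f.Reasons, "; "))
	}
}
```

To use it against real output, replace `SampleExtracts()` with the slice the SDK returns and map its fields onto `Extract`; the cut-off time is what keeps a full-disk Recall store from drowning the timeline in weeks of unrelated screenshots, and the Luhn check is what stops every phone number and order ID from being reported as a card.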
## Documentation
See the autogenerated SDK documentation in [docs.md](./docs.md).
## Device setup
First make sure you have a Windows 11 Copilot+ device on ARM64, or enable Recall on other hardware using [Amperage](https://github.com/thebookisclosed/AmperageKit).
Ensure your Windows build is at least 2600+ (e.g. an Insider build) so that it has Recall.
For example, I had to switch to the Insiders Dev Channel to make it work on my Windows 11 VM on macOS (Apple Silicon).