top of page
Writer's pictureLars Daniel

Microsoft Copilot PCs and the Recall Function:

Updated: Jun 27

Update: June 2024


At the time of this writing, Microsoft delayed the rollout of the CoPilotPC recall feature due to significant security concerns. The CoPilotPC feature, intended to allow users to recall and delete files and data from their local devices remotely, raised several security issues.


The primary concern was the potential misuse of this feature by malicious actors. If exploited, unauthorized users could remotely access and delete critical data, leading to data breaches, loss of sensitive information, and other cyber threats.


Read more about this development on the Winaero blog here.


Despite these security concerns and the delay of the CoPilotPC recall feature, the ability of digital forensics examiners to retrieve data from a local device will likely remain unaffected. When data is stored locally on a computer, it typically leaves traces even after attempts to delete it. Forensic examiners utilize specialized tools and techniques to recover deleted files, analyze system logs, and reconstruct data.


What is Recall?


Imagine having a personal assistant who not only helps you with your daily tasks but also remembers everything you’ve done, ready to retrieve it whenever you need. This is the essence of Microsoft Copilot, an AI-powered feature integrated into Windows PCs.


The Recall function takes this a step further by allowing users to summon past actions, files, or pieces of information with simple commands.


For instance, if you worked on a presentation last week and can't remember where you saved it, you can ask Copilot to recall that document. It’s like having a digital librarian who knows exactly where everything is and can bring it to you on demand.


This feature is designed to enhance productivity by reducing the time spent searching for files or retracing steps.


To understand how the Recall function works, think of it as a combination of a sophisticated search engine, a detailed diary, and a continuous camera.


The Copilot system continuously logs your activities, including file access, document edits, emails sent, and web browsing history.


This log is like a detailed timeline of your digital life. Additionally, the Recall function periodically takes snapshots of your screen.


These snapshots can include what documents you were working on, what websites you visited, and any other on-screen activities, capturing visual representations of your activities much like taking photos at regular intervals.


The logged activities and screen snapshots are indexed and stored in a secure, structured format, similar to how a library catalogs books.


When you use the Recall function, the system searches through this indexed data to retrieve the requested information.


It’s like asking a librarian to fetch a specific book based on its title, author, cover, or content summary.


On these CoPilot PCs, the retrieved information, including the relevant screen snapshots, is presented to you through a user-friendly interface, allowing you to quickly access the files or data points you need.


Digital Evidence Implications


The introduction of the Recall function in Microsoft Copilot PCs has significant implications for digital evidence. The detailed logging of user activities and screen snapshots means there will be a wealth of information available on these computers.


The resulting digital evidence includes not only the final versions of documents but also the history of edits, file access times, and even specific user actions.


The ability to recall past actions and visual snapshots will provide additonal context alongside other forensic artifacts for understanding the who, what, when, where, and why of digital evidence.


For example, in a case involving alleged document tampering, the Recall function could reveal the sequence of edits and the timeline of changes, offering insights into the intent and actions of the involved parties.


Case Scenarios


To illustrate the practical applications of the Recall function, consider the following scenarios.


In a corporate litigation case, an attorney might need to prove that a particular document was reviewed by specific employees at certain times.


The Recall function could provide a detailed log of who accessed the document, when it was accessed, and any changes made, including screen snapshots that show the document in use, thereby establishing a clear timeline of events.


In disputes over intellectual property, demonstrating the development process of a contested piece of software or document can be crucial.


The Recall function could reveal the history of edits, contributions, and visual representations of the development stages, helping to establish authorship and ownership.


In cases involving wrongful termination or harassment, the Recall function could be used to track communications and actions leading up to the incident.


This can include emails, document edits, and other user activities, as well as screen snapshots that provide a comprehensive view of the situation.


Conclusion


While the Recall function offers numerous benefits, it also presents challenges that attorneys must navigate.


The sheer volume of logged data and screen snapshots will result in even more digital evidence in cases.


The introduction of the Recall function in Microsoft Copilot PCs marks a significant advancement in digital technology, with far-reaching implications for the legal field.


For attorneys and digital forensic examiners, this feature offers a new source of digital evidence that can provide extensive information about who was behind the keyboard at a particular time.


By understanding how the Recall function works and its potential applications in various legal scenarios, attorneys can better navigate the complexities of modern litigation and provide more effective representation for their clients.


While attorneys do not need to be experts and digital forensics, they do need to know what types of digital evidence is out there.


Having an understanding of the Recall function and the types of forensic artifacts it will create is necessary so that valuable evidence is not overlooked due to a simple lack of understanding of what’s out there.


In my fifteen years as a digital forensics examiner, I’ve had many conversations with attorneys who have been in my CLE classes. An oft repeated line is, “ I wish I had known about this in my last case.”


Attorneys don’t need to be technology experts. They just need to know what digital evidence could be on a Microsoft CoPilot PC, and who to call when it shows up in discovery or investigations.


Make sure you don’t miss a smoking gun. Subscribe today for digital evidence updates and trends that impact your everyday work as an attorney.


Commentaires


bottom of page