Recall Timeline: An Open-Source Forensic Timeline Reconstruction Tool for Windows Recall EXIF Artifacts

Authors

  • Muhammad Shoaib Ishaq Khan, Bahawalpur, Department of Information and Communication Engineering, Bahawalpur, Pakistan.
  • Ali Sufyan, Bahawalpur, Department of Information and Communication Engineering, Bahawalpur, Pakistan.
  • Ahmad Hassan, Bahawalpur, Department of Information and Communication Engineering, Bahawalpur, Pakistan. ahmadhassan73799@gmail.com
  • Zoha Nazar, Bahawalpur, Department of Information and Communication Engineering, Bahawalpur, Pakistan.

DOI:

https://doi.org/10.62019/rpe02p53

Keywords:

Windows Recall, Digital Forensics, EXIF MakerNote, Timeline Analysis, Open-Source Forensics, Insider Threat Detection.

Abstract

The artificial intelligence (AI)-powered snapshot capability of Copilot+ PCs, known as Windows Recall, is a major new source of forensic artifacts. Snapshots are stored as JPEGs carrying detailed EXIF MakerNote metadata at tag 0x927C, and the accompanying ukg.db, a SQLite database, records the window title, file path, URLs, and timestamp. Despite their potential importance in investigations such as insider threat or data exfiltration cases, no open-source tools currently exist to automatically capture, reconstruct timelines from, score anomalies in, or report on Windows Recall artifacts. This paper introduces RecallTimeline, an open-source Python tool for forensic recovery of Windows Recall artifacts. RecallTimeline combines three artifact sources, the ukg.db, the ImageStore JPEG directory, and flat-folder snapshot images, and uses a novel four-strategy EXIF MakerNote decoder to recover structured metadata from disparate encoding schemes. An automated anomaly detection engine applies 29 keyword-based rules to detect confidential file access, cloud uploads, Living-off-the-Land Binary (LOLBin) launches, and burst patterns. Testing on Case_E001, a corporate insider threat case, decoded 65 events across 37 days, detected 34 anomalies (52.3%), and verified 25 events (38.5%) against independent Autopsy filesystem artifacts. Analysis took less than five seconds, approximately 180 times faster than manual ExifTool-based processing. To the best of our knowledge, RecallTimeline is the first open-source DFIR tool for Windows Recall forensics and is a necessary addition to the DFIR arsenal in 2025–2026 as interest in Recall expands into enterprises through Microsoft Intune deployment policies.
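The abstract names the two structures an analyst has to get through before any timeline exists: the JPEG's APP1 Exif segment and, inside its TIFF structure, the MakerNote entry at tag 0x927C. The block below is an added example, not RecallTimeline's code or the paper's decoder; it walks a JPEG to that tag using only the public TIFF/EXIF layout, then runs a small keyword-rule scorer over the recovered event. Everything about the payload is an assumption made for the fixture: the MakerNote is treated as UTF-8 JSON with `title`, `path`, `url` and `timestamp` fields (the abstract lists those fields but not Recall's real encoding, which is why the paper needs four decoding strategies), and the three rules stand in for the paper's 29, which are not reproduced.

```python
import json
import struct
from typing import Dict, List, Optional

# Tags from the TIFF/EXIF specification (0x927C is the MakerNote tag the
# abstract names); the 42 magic number and IFD layout are likewise standard.
EXIF_IFD_POINTER = 0x8769
MAKERNOTE = 0x927C
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}

# Illustrative keyword rules (constructed for this example; the paper's 29
# rules are not reproduced here). Matching is case-insensitive over the
# window title, file path and URL fields of an event.
RULES = {
    "confidential_file": ("confidential", "secret", "restricted"),
    "cloud_upload": ("drive.google.com", "dropbox.com", "onedrive"),
    "lolbin_launch": ("certutil", "bitsadmin", "mshta"),
}


def tiff_from_jpeg(data: bytes) -> Optional[bytes]:
    """Return the TIFF payload of the first APP1 'Exif' segment, or None."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: stop
            break
        (length,) = struct.unpack_from(">H", data, pos + 2)
        segment = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment[:6] == b"Exif\x00\x00":
            return segment[6:]
        pos += 2 + length
    return None


def _ifd_entries(tiff: bytes, offset: int, endian: str):
    """Yield (tag, value_bytes) for each 12-byte entry of the IFD at offset."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, entry)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:  # small values are stored inline in the entry
            yield tag, tiff[entry + 8:entry + 8 + size]
        else:          # larger values live at an offset from the TIFF start
            (ptr,) = struct.unpack_from(endian + "I", tiff, entry + 8)
            yield tag, tiff[ptr:ptr + size]


def find_makernote(tiff: bytes) -> Optional[bytes]:
    """Walk IFD0 -> Exif IFD and return the raw MakerNote (0x927C) bytes."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        return None
    (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
    for tag, value in _ifd_entries(tiff, ifd0, endian):
        if tag == EXIF_IFD_POINTER:
            (exif_ifd,) = struct.unpack(endian + "I", value)
            for sub_tag, sub_value in _ifd_entries(tiff, exif_ifd, endian):
                if sub_tag == MAKERNOTE:
                    return sub_value
    return None


def decode_makernote(raw: bytes) -> Dict[str, str]:
    """Assumption for this fixture: the MakerNote is UTF-8 JSON. Anything
    else is kept as hex so the analyst can try other decodings."""
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"raw_hex": raw.hex()}


def score_event(event: Dict[str, str]) -> List[str]:
    """Names of the RULES whose keywords appear in the event's text fields."""
    text = " ".join(str(event.get(k, "")) for k in ("title", "path", "url")).lower()
    return [name for name, words in RULES.items() if any(w in text for w in words)]


def build_fixture_jpeg(makernote: bytes) -> bytes:
    """Constructed test input: a JPEG shell (SOI, APP1 Exif, EOI, no scan data)
    whose little-endian TIFF holds IFD0 at 8, the Exif IFD at 26 and the
    MakerNote bytes at 44. Assumes len(makernote) > 4 (out-of-line storage)."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    exif = struct.pack("<H", 1) + struct.pack("<HHII", MAKERNOTE, 7, len(makernote), 44) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + exif + makernote
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed sample event; field names mirror the abstract's list
    # (window title, file path, URL, timestamp) and are not Recall's real schema.
    sample = json.dumps({"title": "Q3_Financials_CONFIDENTIAL.xlsx - Excel",
                         "path": "C:/Users/alice/Documents/Q3_Financials_CONFIDENTIAL.xlsx",
                         "url": "", "timestamp": "2025-10-14T09:12:03Z"}).encode()
    event = decode_makernote(find_makernote(tiff_from_jpeg(build_fixture_jpeg(sample))))
    print(event["timestamp"], event["title"], score_event(event))
```

The IFD walker honours both byte orders and the inline-versus-offset rule for entry values, which is where hand-rolled EXIF readers usually break; on a real snapshot the step that will need work is `decode_makernote`, since the payload encoding is exactly what the paper's four strategies address.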

Published

2026-03-31

How to Cite

Recall Timeline: An Open-Source Forensic Timeline Reconstruction Tool for Windows Recall EXIF Artifacts. (2026). The Asian Bulletin of Big Data Management, 6(1), 495-512. https://doi.org/10.62019/rpe02p53
