Capture via Screen Recording

The subject initiates a screen recording session to continuously capture visual activity on their workstation. Unlike isolated screenshots, screen recordings provide a persistent visual record that may include system navigation, data access patterns, command execution, or user interactions with sensitive tools and content.

Screen recordings are commonly used to circumvent restrictions on file downloads, printing, or copy-paste functionality. They allow subjects to preserve dynamic content, such as chat conversations and video meetings, that may not be available later or that are heavily monitored in other forms. The resulting files are often compressed and exported in standard formats (e.g., .mp4, .mov) and may be exfiltrated at a later time.

Subjects may use operating system–native tools (e.g., Xbox Game Bar on Windows, QuickTime on macOS) or third-party utilities (e.g., OBS Studio, Snagit, Loom) to conduct these recordings. Because many of these tools are not considered malicious, their use may not be flagged unless specifically configured for detection.