If you own a stylus- or touchscreen-capable Windows PC, there is a good chance that a file on your laptop has been slowly collecting sensitive data for the past months or even years.
The file is called WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, it is found only on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.
The handwriting-to-formatted-text conversion feature is believed to have been added in Windows 8, which means the WaitList.dat file has been around for years.
The purpose of the file appears to be storing text that helps Windows improve its handwriting recognition feature, so that it can recognize and suggest corrections or words a user uses more frequently than others.
“In my testing, population of WaitList.dat commences when you begin using handwriting gestures,” Skeggs told Softwareonlinedeal in an interview. “This ‘flicks the switch’ (registry key) to turn the text harvester functionality (which generates WaitList.dat) on.”
“Once it’s on, text from any document and email that is indexed by the Windows Search Indexer service is stored in WaitList.dat, not just from the files interacted with via the touchscreen writing feature,” Skeggs says.
Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means that text from most text-based files on a computer, such as emails or Office documents, ends up in the WaitList.dat file. It holds not just metadata but the actual text of the documents.
“The user doesn’t even have to open the file/email, provided there is a copy of the file on disk and the file’s format is supported by the Microsoft Search Indexer service,” Skeggs told Softwareonlinedeal.
“On my PC, in my many test cases, WaitList.dat contained a text extract of the document or email files on the system, regardless of whether the source file had since been deleted,” the researcher added.
Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.
“If a file is deleted, the index remains in WaitList.dat, preserving a text index of that file,” he said. This provides crucial forensic evidence for analysts like Skeggs that a particular file and its content once existed on a PC.
The technique and the very presence of this file have been one of the best-kept secrets among DFIR and infosec experts. Skeggs wrote a blog post about the WaitList.dat file back in 2016, but his discovery received little coverage, mostly because his initial analysis focused on the DFIR aspect and not on the privacy concerns that could arise from the file’s presence on a computer.
But recently, Skeggs tweeted about an interesting scenario. If an attacker has access to a system or has infected it with malware, and needs to collect passwords that may not have been stored in browser databases or password manager vaults, WaitList.dat offers an alternative way of recovering many passwords in one quick swoop.
Skeggs says that instead of searching the entire disk for documents that may contain passwords, an attacker or malware strain can simply grab WaitList.dat and search it for passwords using simple PowerShell commands.
Skeggs never contacted Microsoft about his findings, as he himself recognized that this was part of intended functionality in the Windows OS, and not a vulnerability.
The file is not particularly dangerous unless users enable the handwriting recognition feature, and even then only if a threat actor compromises the user’s system, either through malware or via physical access.
While this may not be a security issue, users concerned about their data privacy should know that by using the handwriting recognition feature, they are inadvertently building a giant database of all the text-based files on their systems in one central location.
According to Skeggs, the default location of the file is:
Not many users may be storing passwords in emails or text-based files on their PCs, but those who do may want to delete the file or disable the “Personalised Handwriting Recognition” feature in their operating system’s settings panel.
Back in 2016, Skeggs also released two apps [1, 2] for analyzing and extracting information from the text harvested in WaitList.dat files.