Microsoft says it does a lot to protect user data within Windows 10, using various tools and security protocols. However, data recovery researcher Barnaby Skeggs has discovered a wide-open backdoor into Windows 8.1 and Windows 10 that could be a goldmine for data thieves.
The analyst says he has discovered a file system in Windows that keeps old emails and documents in an unencrypted state. This could leave users open to data theft without them knowing about it.
Whilst doing a system scan to find out if an email had been viewed, Skeggs discovered a file called WaitList.dat. He says this particular file was found on Windows 8.1 but has also been observed on Windows 10.
Skeggs explains the process and discovery in a blog post:
“I identified the ‘WaitList.dat' artefact while investigating a Windows 8.1 PC for the presence of a known email. I was provided with a copy of this email, and part of the investigation involved identifying whether or not this email ever existed on the custodian's computer. After processing the .PST and .OST mailbox archives on the PC, I did not identify the existence of the email.
“I then processed shadow copies, carved and processed for various mailbox stores and email files, and still did not identify the email. As a final attempt, I ran a string search for the email subject line across the whole forensic image. I received 1 hit within ‘WaitList.dat'. Investigation of this 140mb file identified metadata, and full body text of over 36'000 emails and documents, spanning back 3 years.”
Yes, this is a very worrying situation, but there are some important things to consider. Firstly, this file does not appear on every Win8.1 or Win10 system. That's because it only appears when handwriting recognition is enabled on those platforms.
Handwriting Recognition uses the Input Personalization System (IPS) to collect data and store it in “lexicon blobs”. The problem is, the features WaitList.dat file seems to be saving more than user handwritten data.
Skeggs founds the file also stores contact information, document contents, emails from Outlook, document IDs, and more.
“WaitList will store multiple indexes for a single document over time. This provides a forensic examiner the ability to view historical iterations of a file, even when shadow copy is not enabled, or when the file has been deleted/wiped from the hard drive… An email or document can be recorded in WaitList without being read or opened by the user.”
The data being stored in the file is confusing, but the file never deleting data and documents when they are deleted is more problematic. That means a document will be kept in WaitList even if the user has deleted it.