AnsweredAssumed Answered

Windows May Be Storing All Your Email and Docs as Unencrypted Plaintext

Question asked by kingfish on Sep 22, 2018
Latest reply on Sep 23, 2018 by hardcoregames™

"WaitList.dat isn’t a file you’ll find on every Windows 10 system, my own rig, for example, lacks this file. It’s only going to be found if you’ve enabled handwriting recognition in either Windows 8.1 or Windows 10. "



"WaitList.dat contains Outlook emails, contact information, and the contents of various types of documents, including date/time, document IDs, the body of the files in question, and the company those files originated from. Skeggs writes:

WaitList will store multiple indexes for a single document over time. This provides a forensic examiner the ability to view historical iterations of a file, even when shadow copy is not enabled, or when the file has been deleted/wiped from the hard drive… An email or document can be recorded in WaitList without being read or opened by the user.

Because data stored within WaitList.dat isn’t deleted when documents are removed, it can also be used to recover information from a PC. Data within the WaitList.dat file is populated by the Windows Search Indexer. Skeggs has written a program in Python, WLrip, which can be used to export data in the file into TXT files, with each entry in the file receiving its own TXT. Metadata is reported in a separate CSV file. You can download the utility and view his report here.

There’s no word on why Microsoft thought it was a good idea to build a handwriting recognition system that functioned in part by building a comprehensive index of every document on a PC. While this will only affect systems with handwriting recognition enabled, the fact that this happened at all is concerning given the indiscriminate nature of the data collection."

Windows May Be Storing All Your Email and Docs as Unencrypted Plaintext - ExtremeTech