Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Windows File May Be Capturing Your Passwords and Email

September 27, 2018

ZDNet reported that there is a very high probability that Windows has been slurping up your email messages and passwords if you are using a touch-screen or stylus-capable Windows machine. According to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, if a user has enabled the handwriting recognition feature, the formatted text is stored in a file called WaitList.dat. The purpose of WaitList.dat is to store text that helps Windows improve its handwriting recognition feature by suggesting corrections or words that a user uses more often than others.

Skeggs said, "In my testing, population of WaitList.dat commences after you begin using handwriting gestures. This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on. Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature."

The Windows Search Indexer service drives the system-wide Windows Search functionality, which means that data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. The data remains in WaitList.dat even if the original file is deleted. To see if your system may be storing data in WaitList.dat, navigate to C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat.
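
If you would rather check every profile on a machine at once than browse to the folder by hand, the PowerShell below does it. It is an added example, not code from ZDNet or Skeggs. The relative path is the one given above. The function name, the output fields and the assumption that profiles live under the system drive's Users folder are illustrative.

```powershell
# Added example: inventory WaitList.dat across local user profiles.
# Run from an elevated prompt; without it, other users' profiles are not
# readable and Present = False may simply mean "access denied".
function Get-WaitListInventory {
    [CmdletBinding()]
    param(
        # Folder that holds the user profiles (assumption: default location).
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )

    # Relative path taken from the article.
    $relative = 'AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat'

    Get-ChildItem -LiteralPath $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $candidate = Join-Path $_.FullName $relative

            # -Force so the file is found even if it carries hidden/system attributes.
            $file = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue

            # One row per profile, whether or not the file exists.
            [pscustomobject]@{
                Profile      = $_.Name
                Present      = [bool]$file
                SizeKB       = if ($file) { [math]::Round($file.Length / 1KB, 1) } else { $null }
                LastWriteUtc = if ($file) { $file.LastWriteTimeUtc } else { $null }
                Path         = $candidate
            }
        }
}

# Profiles that have the file are listed first.
Get-WaitListInventory |
    Sort-Object -Property Present -Descending |
    Format-Table -AutoSize
```

A non-zero size and a recent LastWriteUtc on a profile indicate that the text harvester is active for that user.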
