Thursday, September 20, 2018

Windows 10 Handwriting feature "Ink Workspace" Index store scrapped for sensitive information

"Once (Windows 10 Handwriting feature "Ink Workspace") is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.

File Contents

The following data has been identified within WaitList.dat records.

Microsoft Outlook Email:
·        Date/Time
·        Email subject
·        Sent flag
·        Type (Email/Document/Contact)
·        Recipients (Does not distinguish between ‘To’, ‘CC’ and ‘BCC’) 
Note: Does not store ‘From’ value, however this can often be identified in email signatures)
·        Meeting Location (only when email is a calendar invite)
·        Body of file
·        Address
·        City
·        State
·        Country
·        Full Name
·        Title
·        Contact Details (email/phone/url)
Note: Contacts added from Skype/Lync may be recorded as a ‘sent’ email item, due to the way Outlook imports/stores the contact.
Documents (.pdf, .xlsx, .txt, .doc and .docx files have been tested):
·        Date/Time
·        DocumentID (use to compare document indexes over time) – format unknown
·        Body of file
·        Company
It is likely that other values are stored in additional data types, however this is the extent of data I have identified in my testing procedures.

Source :

No comments:

Post a Comment