WINDOWS HANDWRITING ASSIST: HARMLESS AID OR MASSIVE VULNERABILITY
Those with a touchscreen or stylus-capable Windows PC are most likely in love with the smart feature that turns a handwritten scribble into formatted text. Introduced in Windows 8, the handwriting recognition tool was implemented with the goal of easing the user’s experience.
The handwriting recognition tool can store all previous text in order to better interpret stylus scribbling and suggest corrections. All of this data is collected and compiled into a file called WaitList.dat.
Barnaby Skeggs, a Digital Forensics and Incident Response (DFIR) expert, was the one to highlight the handwriting recognition tool. In an interview with ZDNet he described the complications: “The user doesn’t even have to open the file/email, so long as there is a copy of the file on disk, and the file’s format is supported by the Microsoft Search Indexer service.”
While this isn’t meant to be a major vulnerability, it ultimately poses a risk. WaitList.dat collects text from other sources on the device that include written text, such as emails, written documents, passwords, and usernames.
Skeggs went on to elaborate that WaitList.dat could also recover text from deleted documents, “If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file.”
To a digital forensics expert like Skeggs, this provides all the evidence he needs to show that a document once existed, as well as its data.
As mentioned before, the purpose of the handwriting recognition tool was simply to aid the user, not hinder them. PC users who rely on this tool may need to take extra precautions, but won’t be in danger unless their device is targeted.
If you’re looking to resolve this potential security issue, you can manually go to the following address and delete WaitList.dat. Skeggs listed the typical location of the file: C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat
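The manual check above can be scripted across every profile on a machine. The PowerShell below is an added example, not code from Skeggs or Microsoft; the function name `Find-WaitListDat`, its parameters and the `C:\Users` default are assumptions, and reading other users' profiles requires an elevated session.

```powershell
# Added example: audit every local profile for WaitList.dat and optionally remove it.
# The relative path is the one quoted in the article; the function name,
# parameter names and the C:\Users default are assumptions of this example.
function Find-WaitListDat {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$UsersRoot = 'C:\Users',
        [switch]$Remove
    )

    $relative = 'AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat'

    # -Force includes hidden profile directories
    foreach ($userProfile in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $path = Join-Path -Path $userProfile.FullName -ChildPath $relative
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        # Capture metadata before any deletion so the report shows what was there
        $file = Get-Item -LiteralPath $path -Force
        $removed = $false

        # ShouldProcess makes -WhatIf and -Confirm work for the delete step
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Delete WaitList.dat')) {
            try {
                Remove-Item -LiteralPath $path -Force -ErrorAction Stop
                $removed = $true
            } catch {
                Write-Warning "Could not delete ${path}: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Profile       = $userProfile.Name
            Path          = $path
            SizeBytes     = $file.Length
            LastWriteTime = $file.LastWriteTime
            Removed       = $removed
        }
    }
}

# Report only:
Find-WaitListDat | Format-Table -AutoSize
# Preview the deletion, then delete:
# Find-WaitListDat -Remove -WhatIf
# Find-WaitListDat -Remove
```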