Windows 8 contacts cache exposes personal data

New Windows 8 Forensics Guide shows how a lingering cache of automatically collected contacts are stored unencrypted on a Windows 8 client

As you probably know, Windows 8 connects with all sorts of networks, social and otherwise. The Metro Mail app has built-in hooks for Hotmail, Gmail, and Exchange; Metro Photos links to Facebook and Flickr; the Metro People app (which stores contacts) can pull data from Hotmail, Gmail, Exchange, Facebook, Twitter, and LinkedIn. All you have to do is log on to Windows 8 with a Microsoft account, then go out and connect the online dots.

You might not know -- at least, I was very surprised to find -- that Windows 8 doesn't build its Contacts list dynamically. Instead, it keeps a cache of contacts from all of those sources stored on the machine. The cache persists even when the user logs off or the machine is turned off. That means anyone who can sign on to your PC with an administrator account can see all of your contacts and all of their data -- names, email addresses, pictures, telephone numbers, addresses -- whatever you have on file or whatever's been sucked in from Hotmail, Gmail, Facebook, Twitter, and LinkedIn.

I found out about the lingering contacts cache in a new white paper (PDF) from Amanda C.F. Thomson, a grad student at George Washington University in Washington, D.C. Her blog, appropriately entitled PropellerHeadForensics, digs deep into the contents of the AppData/Local and AppData/Roaming folders in Windows 8, a messy brew of intertwined hex files that contain all sorts of surprises.

The description that surprised me the most starts on page 40 of her paper. If you dig into the edbnnnnn.log files (where nnnnn is a number) in one of Windows 8's AppData/Local/Packages/microsoft.windowscommunicationsapps_8wekyb3d8bbwe/LocalState/LiveComm/<Microsoft Account>/<version>/DBStore/LogFiles folders, you find all of the user's contacts -- pictures, names, email addresses, and other details -- stored away in an appropriately obscure format. But the text is in the clear and the pictures can be ressurected fairly easily. Nothing's encrypted.

Of course, this is a corollary of the old axiom that if someone can physically compromise your machine, all your data belongs to them. Still, it amazes me that the whole enchilada can be reconstituted in a very straightforward manner. The unecrypted cache isn't hard to decipher at all.

Thomson's tome isn't without errors and omissions -- she missed the importance of the Microsoft/Windows/WinX folder in constructing the WinX menu (sometimes called the Power Users Tasks Menu), for example. But it's filled with all sorts of interesting observations, important not only for forensics experts but Windows 8 Admins and the idly curious as well.

This story, "Windows 8 contacts cache exposes personal data," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies