Reverse Engineering Unknown Data Structures: A 'Touching' Forensic Case Study
Since the release of Windows 8, and the ‘Metro’ interface, touch screen input has been implemented in a rapidly increasing number of devices. New features such as handwriting recognition have been built into the Windows operating system to utilise the touch interface, and have been found to leave behind valuable forensic evidence.
Join Barnaby as he shares tips, tricks and lessons learnt from an investigation that led him to identify and reverse engineer 'WaitList.dat', a forensic artefact generated by SearchIndexer.exe to store user email and document content for the purpose of improving handwriting recognition on touch screen devices.
Speaker's Bio: Barnaby is an Australian security geek who has worked internationally in Digital Forensics and Incident Response (DFIR). Whilst his strengths are in DFIR, he has a passion for all things security and enjoys learning and levelling up in both offensive and defensive security practices.
Follow Barnaby at https://b2dfir.blogspot.com or https://github.com/B2dfir