User wants to know ICT file classification
RightsWATCH uses the RightsWATCHMark as the main way to store classification information. This mark has the format:
But not all files behave the same way, either by different metadata support on Windows Explorer or by the way the information must be encoded.
RMS protected Office files
The RightsWATCHMark property is clearly accessible through the file Properties on the Custom Tab:
For some reason, windows explorer does not display the Custom Properties tab when the files aren't protected with RMS. Here's how to access the RightsWATCHMark property using Office 2013 (other versions are similar):
The RightsWATCHMark is available on the Custom tab All RMS protected non-Office files (pfiles) When opening pfiles using the RMS Sharing App, the classification level is clearly visible on the the top.
For automation, RMS Protected Files (pfiles) are "binary" files with an embedded XrML (eXtensible rights Markup Language) for rights definition. Completely parsing of the XML content isn't necessary to extract the classification level, which is clearly visible on a text editor and should be easy to extract using text searching or regular expressions:
To extract the level, any tool can look for the first occurrence of the
<NAME> tag which encloses the classification level.
Extracting the Information Unique Identifier is a similar process, it's one of the properties of the
ICE uses HTML to encapsulate encrypted files and ICT tag is available on the initial comment:
Classification is stored in document info dictionary (DID) and can be obtained from /RightsWATCHMark at the end of the PDF file:
The classification level is encoded using base64 which is trivial to decode, eg:
To obtain the base64 string for the RightsWATCHMark for an arbitrary level, the suggested way is to encode a file with the level and then checking the encoded string on the file.
Part of image metadata for TIFF, PNG, JPEG and GIF files. Windows Explorer does provide mechanisms to access it.
The attached PowerShell may be used to determine file classification and GUID (with RMS). It accepts either a single file or directory and will scan classification information, recursively if passed a directory. If no parameter is passed, it will scan the current directory.
Example with a single file:
On current directory with selected output:
The output should be acurate and will not care with for file extensions/type. Exceptions:
In order to get this information, a user can do the following: