Steps to access ICT file classification

Article ID: 172826

Products

Information Centric Tagging, Information Centric Security

Issue/Introduction

A user wants to find out the ICT classification of a file.

Resolution

RightsWATCH uses the RightsWATCHMark as the main way to store classification information. This mark has the format:

However, not all files behave the same way, either because Windows Explorer supports their metadata differently or because of the way the information must be encoded.

RMS protected Office files

The RightsWATCHMark property is clearly accessible through the file Properties on the Custom Tab:

All Office files (with or without RMS protection)

For some reason, Windows Explorer does not display the Custom Properties tab when the files aren't protected with RMS. Here's how to access the RightsWATCHMark property using Office 2013 (other versions are similar):

  1. Access "File" and then "Info"
  2. Access "Advanced Properties"
  3. The RightsWATCHMark is available on the Custom tab

All RMS protected non-Office files (pfiles)

When opening pfiles using the RMS Sharing App, the classification level is clearly visible at the top.

For automation, RMS Protected Files (pfiles) are "binary" files with an embedded XrML (eXtensible rights Markup Language) document for rights definition. Completely parsing the XML content isn't necessary to extract the classification level, which is clearly visible in a text editor and should be easy to extract using text searching or regular expressions:

To extract the level, any tool can look for the first occurrence of the <NAME> tag which encloses the classification level.
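The first-occurrence search described above, as an added PowerShell example (not the attached script and not vendor code). The function name, the 1 MB read limit and the handling of NUL bytes are assumptions; the page does not state the encoding of the embedded XrML.

```powershell
# Added example: read the classification level from an RMS protected file (pfile)
# by locating the first <NAME> element, without parsing the XrML.
function Get-PfileClassificationLevel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: the XrML sits within the first megabyte of the file.
        [int]$MaxBytes = 1MB
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $stream = [System.IO.File]::OpenRead($fullPath)
    try {
        $size   = [int][Math]::Min([long]$MaxBytes, $stream.Length)
        $buffer = New-Object byte[] $size
        $read   = $stream.Read($buffer, 0, $size)
    }
    finally { $stream.Dispose() }

    # Latin-1 maps every byte to exactly one character, so binary content
    # around the XrML cannot break the decoding step.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $text   = $latin1.GetString($buffer, 0, $read)

    # Assumption: if the XrML is stored as UTF-16, ASCII tags are interleaved
    # with NUL bytes; dropping NULs lets one pattern cover both cases.
    # Level names containing non-ASCII characters would need the real encoding.
    $text = $text.Replace([string][char]0, '')

    # Regex.Match returns the first occurrence only, as the article requires.
    $m = [regex]::Match($text, '<NAME>\s*([^<]*?)\s*</NAME>')
    if ($m.Success) { return $m.Groups[1].Value }

    return $null   # no <NAME> element within $MaxBytes: probably not a pfile
}

# Usage: Get-PfileClassificationLevel -Path .\report.ppdf
```

A `$null` result means no `<NAME>` element was found in the bytes read; it says nothing about whether the file carries a classification in one of the other formats covered in this article.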

Extracting the Information Unique Identifier is a similar process; it's one of the properties of the <WORK> mark:

ICE protected files

ICE uses HTML to encapsulate encrypted files, and the ICT tag is available in the initial comment:

Non-RMS protected PDF files

The classification is stored in the document info dictionary (DID) and can be obtained from /RightsWATCHMark at the end of the PDF file:

The classification level is encoded using base64, which is trivial to decode, e.g.:

 

To obtain the base64 string of the RightsWATCHMark for an arbitrary level, the suggested way is to classify a file with that level and then check the encoded string in the file.

Please note:

  • This only applies to public (non-encrypted) files, meaning only a few levels need to be handled this way;
  • The Unique Information Identifier for public files is always the same (00000000-0000-0000-0000-000000000000), meaning the tag has exactly the same value for any file classified with the same level.

Non-RMS protected image files

The classification is part of the image metadata for TIFF, PNG, JPEG and GIF files. Windows Explorer does provide mechanisms to access it.

Automated way to get classification

The attached PowerShell script may be used to determine file classification and GUID (with RMS). It accepts either a single file or a directory and scans for classification information, recursively if passed a directory. If no parameter is passed, it scans the current directory.

Example with a single file:

On the current directory with selected output:

The output should be accurate and does not depend on file extension or type. Exceptions:

  • Office 97-2003 files may give false positives if they contain the string "RightsWATCHMark" followed by a string resembling a data classification tag (unlikely);
  • Office 2007 onwards files (docx, xlsx and pptx) must keep their original extensions, so as to avoid unzipping any ZIP files found.

 

Other Files: Via Command Prompt

In order to get this information, a user can do the following:

  1. Open a command line in the folder where the file is located (Shift + right-click on an empty area shows the "Open command window here" option; alternatively, you can do what is shown in the screenshot below)
  2. Now type notepad [filename]:RWClassification.txt (if the filename has spaces, surround it with quotation marks: notepad "[filename]:RWClassification.txt"). In the example below: notepad "New Text Document.txt:RWClassification.txt"
  3. A text file will open with the classification information, as you can see in the image above
  4. Alternatively, the user can just check whether the classification stream is attached to the file by listing the alternate data streams associated with the file (e.g.: dir "New Text Document.txt" /r)
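The same alternate data stream check for many files at once, as an added PowerShell example (not the attached get-ict-class.ps1). The function name and output columns are assumptions; the stream name RWClassification.txt is the one given in the steps above.

```powershell
# Added example: report the RWClassification.txt alternate data stream for each file.
function Get-RWClassificationStream {
    [CmdletBinding()]
    param(
        [string]$Path = '.',
        [switch]$Recurse
    )

    $streamName = 'RWClassification.txt'   # stream name taken from the article

    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        $file = $_

        # Files without the stream raise a non-terminating error; suppress it
        # and treat the missing stream as "no tag found in this location".
        $ads = Get-Item -LiteralPath $file.FullName -Stream $streamName `
                        -ErrorAction SilentlyContinue

        [pscustomobject]@{
            File           = $file.FullName
            HasStream      = [bool]$ads
            Classification = if ($ads) {
                # [string] guards against an empty stream returning $null.
                ([string](Get-Content -LiteralPath $file.FullName `
                                      -Stream $streamName -Raw)).Trim()
            } else { $null }
        }
    }
}

# Equivalent of running "dir /r" and opening each stream in Notepad:
Get-RWClassificationStream -Path . -Recurse | Format-Table -AutoSize
```

Alternate data streams exist only on NTFS, so the stream is lost when a file is copied to FAT/exFAT media or sent through most upload and e-mail paths. A file reported with HasStream = False on such a copy may still have been classified at its origin.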

Attachments

get-ict-class.ps1