How can we find non-office files classification information
ICT is able to place fingerprinting information on non-office files (e.g.: txt, wmv...) using Alternate Data Streams (ADS).
A company using DLP can take advantage of this labelling to trigger DLP rules and get more value from its DLP deployment.
This information is only stored on public, not encrypted, files.
Also, the fingerprinting information only works on NTFS file systems and stays attached to the file until the file is moved from the original system (e.g.: copied or moved to a different PC). So, this works for information stored at rest in a Windows NTFS file system.
In order to get this information, a user can do the following:
2. Now type notepad [filename]:RWClassification.txt (if the filename has spaces, surround it with quotation marks: notepad "[filename]:RWClassification.txt"). In the example below: notepad "New Text Document.txt:RWClassification.txt"
3. A txt file will show up with the classification information, as you can see in the image above.
4. Alternatively, the user can list the alternate data streams associated with the file and look for the classification stream name (e.g.: dir "New Text Document.txt" /r)
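
To check many files at once, the same lookup can be scripted in PowerShell. This is an added example, not part of the original article or of ICT itself; it assumes Windows PowerShell 5 or later, a local drive-letter path, and the stream name RWClassification.txt used in the steps above.

```powershell
# Added example: report which files under a folder carry the classification
# stream described in this article, and show the stream's text.
param(
    [string]$Path = '.',                          # folder to scan (assumption: local drive-letter path)
    [string]$StreamName = 'RWClassification.txt'  # stream name taken from the article
)

$root = (Resolve-Path -LiteralPath $Path).ProviderPath

# Alternate data streams exist only on NTFS, so warn early on other file systems.
$drive = [System.IO.DriveInfo]::new([System.IO.Path]::GetPathRoot($root))
if ($drive.DriveFormat -ne 'NTFS') {
    Write-Warning "$($drive.Name) is $($drive.DriveFormat); no alternate data streams are expected here."
}

Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # Ask for the named stream only; files without it raise an error that is suppressed.
    $ads = Get-Item -LiteralPath $file.FullName -Stream $StreamName -ErrorAction SilentlyContinue
    if ($ads) {
        [pscustomobject]@{
            File           = $file.FullName
            StreamBytes    = $ads.Length
            Classification = (Get-Content -LiteralPath $file.FullName -Stream $StreamName -Raw)
        }
    }
    else {
        # Unlabelled, encrypted, or copied from another system: the stream is absent.
        [pscustomobject]@{
            File           = $file.FullName
            StreamBytes    = 0
            Classification = '<no classification stream>'
        }
    }
} | Format-Table -AutoSize -Wrap
```

Files reported without the stream are the ones a DLP rule keyed on this label would not match, for example files that were copied in from another PC.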