I have been struggling to understand how exactly NTFS extended file attributes work. I'm studying Data Loss Prevention (DLP) products (like the Symantec, McAfee, and Forcepoint DLP products), and in these DLP products there is a mechanism by which the DLP can insert a Classification ID into a file to classify it, so that even if the file is sent out to another PC, the DLP can still track the file if the target PC has DLP software installed as well. I want to know how the Classification ID is embedded into the file. I have googled this a lot but am still unsure.
Thanks in advance.
Data classification software does not use extended attributes for classification. Alternate data streams are used for some file formats. For MS Office files, OpenXml and DsoFile can be used, based on the file version. Here the classification ID is part of the data stream itself.
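
An added example, not part of the original answer and not any DLP vendor's code: the Python below reads the custom document properties of an Office Open XML package (`docProps/custom.xml`), which is one place a label can be stored inside the file's own data, as the answer describes for the OpenXml case. The property name `ClassificationId`, its value, and the in-memory sample package are constructed for illustration; the name a given product uses is not stated on the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the OOXML custom-properties part.
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
CUSTOM_PART = "docProps/custom.xml"


def read_custom_properties(package_bytes):
    """Return {name: value} for every custom property in an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        if CUSTOM_PART not in pkg.namelist():
            return {}  # the file carries no custom properties
        root = ET.fromstring(pkg.read(CUSTOM_PART))
    props = {}
    for prop in root.findall("cp:property", NS):
        # The single child element holds the typed value (vt:lpwstr, vt:i4, ...).
        props[prop.get("name")] = prop[0].text if len(prop) else None
    return props


def build_sample_package(label_name, label_value):
    """Build a minimal package in memory (constructed sample, not a full .docx)."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">'
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" '
        f'name="{label_name}"><vt:lpwstr>{label_value}</vt:lpwstr></property>'
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr(CUSTOM_PART, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical label name and value, constructed for this example.
    sample = build_sample_package("ClassificationId", "CONSTRUCTED-0001")
    for name, value in read_custom_properties(sample).items():
        print(f"{name} = {value}")
```

To inspect a real document, pass `open(path, "rb").read()` to `read_custom_properties`.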