Q: How is NTFS file classification data stored?

A: Classifying data has become an increasingly important capability for organizations and is native to Windows Server 2008 R2 and later. Classification properties are stored in several ways. For all data, the classification is stored in an NTFS alternate data stream, which you can see by examining a file that has classification data (notice the FSRM stream):

PS E:\UNSC> get-item .\master_chief_eyes.jpg -Stream *

FileName: E:\UNSC\master_chief_eyes.jpg

Stream                  Length
------                  ------
:$DATA                   39060
FSRM{ef88c031-595...       144

Because the classification lives in an NTFS alternate data stream, it follows the data when the file is moved or copied between NTFS volumes. It is lost if the file is moved to a non-NTFS volume, which includes ReFS (which does not support alternate data streams), or if the data is attached to something such as an email.

For Office documents, the classification data is also stored within the application data. This means the classification travels with the document if it is loaded to SharePoint.

In Windows Server 2012, the classification data is also stored in the security descriptor of the data to allow authorization control based on classification (Dynamic Access Control).
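
The following PowerShell is an added example, not part of the original answer: it lists the files under a folder that carry an FSRM classification stream and reports whether that stream would survive a copy to a given destination, treating any non-NTFS destination as lossy, as described above. The function names and the example paths are assumptions.

```powershell
# Added example: find files carrying an FSRM classification stream and check
# whether a copy destination is NTFS. Function names are hypothetical.

function Get-FsrmClassifiedFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists all data streams; the classification stream name begins with "FSRM"
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -like 'FSRM*' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamLength = $_.Length
                    }
                }
        }
}

function Test-DestinationIsNtfs {
    param([Parameter(Mandatory = $true)][string]$Destination)

    # Assumes a local drive-letter path; DriveInfo does not accept UNC paths.
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Destination).ProviderPath)
    $drive = New-Object System.IO.DriveInfo $root
    return $drive.DriveFormat -eq 'NTFS'
}

function Get-ClassificationCopyRisk {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [Parameter(Mandatory = $true)][string]$Destination
    )
    # Evaluate the destination once, then tag every classified source file with the result.
    $keeps = Test-DestinationIsNtfs -Destination $Destination
    Get-FsrmClassifiedFile -Path $Source |
        Select-Object File, Stream, StreamLength,
            @{ Name = 'StreamSurvivesCopy'; Expression = { $keeps } }
}

# Example call (paths are placeholders):
# Get-ClassificationCopyRisk -Source 'E:\UNSC' -Destination 'F:\Archive' |
#     Where-Object { -not $_.StreamSurvivesCopy }
```

The check covers only the alternate data stream; classification held inside Office documents or in the security descriptor is not examined.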