Identity Finder Unearths Secrets Hidden in PCs, Macs

Identity Finder Pro initially presents a simple "wizard" interface that hides the advanced features of the product. It lets you run the default search for any instances of Social Security numbers, credit card numbers and passwords. You can also add categories, search for specific data within those categories, or go to the Advanced Interface to create more sophisticated searches.

Identity Finder has its own filters for a few specific file types, such as PDF and Microsoft Office 2007. For others, it uses the IFilter technology built into Windows, which is used by the Windows Desktop Search function.

It can read popular compressed file formats such as .zip and .tar, and it searches all data stored by Internet Explorer or Firefox (where it uncovered about 50 unencrypted passwords on my system). However, according to CEO Todd Feinman, Identity Finder has no plans to support other browsers, such as Chrome or Safari. It also can't read encrypted files, nor does it have the optical character recognition capability necessary to read sensitive data captured in images of invoices or other scanned documents.

However, the biggest limitation is around e-mail. The Professional edition supports searches of data stored locally by the Outlook, Outlook Express, Windows Mail and Thunderbird e-mail clients, well as any client that uses the mbox mail format, such as Eudora. However, if you use Exchange Server, you'll need the Enterprise edition to search either your locally cached or server-based copies of your mail and public folders. Identity Finder does not support other enterprise e-mail systems such as Lotus Notes.

Identity Finder also can't crawl data in the cloud, so if your company uses cloud-based e-mail like Gmail, or if you use your browser to access personal Web mail, as I do, you're out of luck. Because I use Gmail and Exchange, my search yielded no results associated with my e-mail accounts.

When I was done with my first pass (using the default AnyFind for Social Security numbers, credit card numbers and passwords), I had a report that included 858 files, most of which were Social Security numbers.

On the second pass, I had Identity Finder search on all nine identity data types that are found by the AnyFind feature and came back with an additional 234,709 results -- a totally unmanageable number. Lesson learned: Using the AnyFind feature on identity data types such as e-mails, addresses and phone numbers casts the net too widely. Practically speaking, the AnyFind function is useful only for more sensitive, structured account numbers such as those for bank accounts, credit cards and passports.

Using more specific search criteria in the other categories can help pare down the results. Even then, you can end up with very large result sets. Fortunately, you can apply filters to organize the data by location, identity data type or any other search criteria you choose.

What does Identity Finder find?

When I let Identity Finder Pro crawl my work computer, it found the following:

* 722 Social Security numbers, including federal tax IDs on contract documents, two instances of my Social Security number and my wife's number on a completed medical insurance PDF claim form that was never deleted, and a reference to my Social Security number in a personal letter asking a financial services company not to use it in identifying me.

* 119 passwords, including 50 stored in unencrypted form by Firefox, multiple usernames and passwords associated with various FTP download sites, several log-in names and passwords for conference calls, and a spreadsheet that contained more than 50 usernames and passwords for various online Web sites and accounts.

* 39 bank account numbers, 15 of which pointed to actual personal and professional accounts. These included my American Express credit card number from a downloaded and forgotten PDF statement, and a family member's Visa credit card number embedded in correspondence.

Identity Finder came up with very few false positives when it searched for passwords and Social Security numbers. I caught quite a few false positives with bank accounts, but to be fair, most were fake bank account numbers embedded in PowerPoint and PDF presentations. Likewise, all 31 birth dates discovered were fakes in sample data associated with a Microsoft Access demo and a PowerPoint presentation.

Product mentioned in this article

(1 items)

  • Identity Finder

    This data-shredding software is effective at finding and protecting personal information on a PC, but it's expensive.

Subscribe to the Security Watch Newsletter

Comments