Posey's Tips & Tricks

Were My Office Documents Leaked?

Something strange happens when you explore an attached disk in Windows.

Recently, I had a somewhat unnerving experience that ultimately taught me something about the way that Windows handles application data behind the scenes. The whole experience was so bizarre that I just had to share it with you and explain why it happened.

Last month a close family member passed away and I was tasked with cleaning out his home and settling his estate. Naturally, one of the first things that I did in my quest to locate information was to remove the hard drive from his computer. This particular family member lived several hundred miles away and so bringing his hard drive home with me would allow me to search for relevant documents at my leisure once I got back home.

Upon returning home I mounted the hard drive into an external disk caddy and attached it to my primary desktop PC by way of a USB cable. The first thing that I did was to search the drive for Microsoft Word documents. That's when things started to get weird. Windows displayed some of my own Word documents among the search results.

Initially I was confused as to why a handful of my Word documents would have been on someone else's hard drive, but I didn't really think all that much about it. I was too focused on trying to locate the information that I needed. However, that all changed when I began searching for other file formats. A search of *.xlsx revealed a document related to my tax return from last year. A search of *.jpg revealed some pictures from my GoPro and some of my Flight Simulator screen captures.

Needless to say, I was starting to become really concerned. As far as I can remember, I had only ever used that particular computer one time in the past. I had visited my relative in July and during that visit he had asked me to fix a minor problem that he was having with his Web browser. I had never logged in using my own account or anything like that. Similarly, I had never shared any of my passwords with him. I was completely perplexed as to how my data could end up on someone else's computer, especially being that I had only ever touched the computer that one time. I wondered if the computer had been infected with malware and somehow I had spread it to my system at home.

It took me a little while to figure out what was going on, but ultimately I discovered that my data had not been copied to my relative's computer as it seemed. It was all an illusion.

The hard drive from my relative's computer was a system drive and contained a copy of Windows 10. However, I had never tried to boot from this drive because I do not know my relative's password. Instead, I had simply connected the disk to my own system so that I could search its contents, completely bypassing the disk's operating system in the process.

When I searched for documents, images and that sort of thing, Windows displayed a mixture of results. Many of the results were files belonging to my relative, but there were also quite a few of my own documents listed within the search results. As I began to further scrutinize the results, I realized that all of the data that belonged to me was stored in one of the subfolders beneath \ProgramData\Application Data. Windows has several folders that are actually NTFS junction points, meaning that these folders act as links to other folders. When my search reached the \ProgramData\Application Data folder, Windows redirected the search to my machine's C: drive, but listed the contents of the C: drive among the external drive's contents. However, the path to those files was shown as E: (the drive letter associated with the external drive), not C:. In other words, the search results made it appear as though the contents of C:\ProgramData\Application Data had been copied to E:\ProgramData\Application Data.

To confirm that the data that I was seeing was just the result of an NTFS junction point and that my Office data had not been leaked, I removed the external disk and attached it to a different machine and performed a document search. The search results were completely different depending on which computer the disk was attached to.
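The same check can be made without moving the disk to a second machine. The PowerShell below is an added example, not part of the original article: it lists the junctions and symbolic links on the attached volume and flags those whose stored target sits on a different drive letter. The `E:` drive letter comes from the article; the function name `Get-CrossVolumeLink` and the depth limit are assumptions made for illustration.

```powershell
# Added example, not from the article. Lists junctions and symlinks on an
# attached volume and flags any whose stored target is on another drive.
# Assumption: the attached disk is mounted as E: (the letter in the article).
param(
    [string]$Root = 'E:\',
    [int]$MaxDepth = 3          # assumed depth limit to keep the walk short
)

function Get-CrossVolumeLink {  # hypothetical helper name
    param([string]$Path, [int]$Depth)

    # -Force is required: the legacy compatibility junctions are hidden
    # system items and are skipped by a default listing.
    $dirs = Get-ChildItem -LiteralPath $Path -Force -Directory -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        if ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            # Report the link but never descend into it, so the walk
            # stays on the attached disk.
            if (-not $dir.LinkType) { continue }   # other reparse types
            $linkDrive = $dir.FullName.Substring(0, 2)
            foreach ($target in @($dir.Target)) {
                # Only drive-letter targets are compared; volume GUID
                # targets (mount points) are skipped.
                if ($target -match '^([A-Za-z]:)') {
                    [pscustomobject]@{
                        Link        = $dir.FullName
                        LinkType    = $dir.LinkType
                        Target      = $target
                        CrossVolume = ($Matches[1] -ne $linkDrive)
                    }
                }
            }
        }
        elseif ($Depth -gt 1) {
            Get-CrossVolumeLink -Path $dir.FullName -Depth ($Depth - 1)
        }
    }
}

Get-CrossVolumeLink -Path $Root -Depth $MaxDepth |
    Sort-Object CrossVolume -Descending |
    Format-Table -AutoSize -Wrap
```

A row with `CrossVolume` set to `True` is a link on the attached disk that Windows resolves on the host's own drive, which is the situation described above.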


About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.

