Identity Finder: What secrets are hidden in your computer?

Computerworld - My laptop was a ticking time bomb.

Deep within a nested hierarchy of folders in the machine's My Documents folder, in an archive eight levels down, sat 722 Social Security numbers. For nearly 10 years I had walked around with those Social Security numbers tucked away in my laptop as I carried it to trade shows, conferences and my office.

I was a walking data breach waiting to happen -- and I didn't know it until I was asked to review Identity Finder. Now I feel like the poster boy for why businesses need to think about using this type of product.

Identity Finder, from the company of the same name, is a discovery tool for home or business users that searches through data stored on individual Windows and Macintosh computers for personal data such as credit card, Social Security, bank account, driver's license and passport numbers; personal addresses, phone numbers, passwords -- even your mother's maiden name.

Identity Finder keeps a running tally of discovered identity data.
Click to view larger image

Choose your flavor

Identity Finder comes in Home, Professional and Enterprise versions for Windows, as well as a more limited Mac edition and a very limited free Windows version. Capabilities vary greatly between editions, so it's important to carefully compare features to make sure you buy what you need.

• On the low end, the Free Edition is limited to password and credit card number searches within browsers and the My Documents folder.
• Next in line is the Home Edition, which searches the full range of identity data types but doesn't allow custom searches, is limited to a set of common file types and won't search Outlook PST files. It also has no quarantine function. It costs $19.95 for a single-user license or $39.96 for a three-user license.
• The Professional Edition supports a broader range of file types, does a better job with e-mail, and supports the quarantine function. It can also scan for patient health data and payment card industry data. It costs $29.95 for a single-user license or $59.85 for a three-user license.
• On the high end, the Enterprise Edition can search Exchange Server e-mail files. It enables remote control of searches and receives results back from every desktop. It will search internal and external hard drives and personal storage areas on the network. It also can search server-based databases compatible with the Microsoft OLE DB API, and Web sites. There is an annual fee of $20 per seat plus $1,000 per server ($5,000 minimum), or you can opt for a one-time fee of $40 per person plus an annual maintenance fee of 20%-25%.

While Identify Finder's default search looks for Social Security, credit card and password data, the program's real power comes from its ability to perform "AnyFind" searches for generic identity data types. AnyFind expands the search to include bank account numbers, driver's license numbers, dates of birth, e-mail addresses, phone numbers and personal addresses.

You can also include additional search criteria, such as passport numbers, mother's maiden name and "worldwide," an option that searches for Social Security number equivalents used in other English-speaking countries. Finally, you can create custom identity types.

The Professional, Enterprise and Mac editions of Identity Finder allow you to search for specific data in a single search, or you can create a profile that includes specific criteria you want to search for every time you run Identity Finder and schedule regular scans after hours.

I tested Identity Finder Professional Edition on an IBM ThinkPad X60 and an older eMachines desktop PC, both running Windows XP, and an Acer Aspire 5516 laptop running Windows Vista. I also tested the Macintosh edition on a MacBook Pro running OS X 10.5.8.

Searching for identities

I started by running an Identity Finder scan on my recently retired Computerworld-issued ThinkPad using the default search settings. The process tied up my machine for several hours as Identity Finder sifted through more than 9GB of data, including all of my work files going back to May 2000. I then ran the Mac edition on my MacBook business laptop, which included the same set of data, before turning to a few of my own home (Windows) computers.

Identity Finder Pro initially presents a simple "wizard" interface that hides the advanced features of the product. It lets you run the default search for any instances of Social Security numbers, credit card numbers and passwords. You can also add categories, search for specific data within those categories, or go to the Advanced Interface to create more sophisticated searches.

Identity Finder has its own filters for a few specific file types, such as PDF and Microsoft Office 2007. For others, it uses the IFilter technology built into Windows, which is used by the Windows Desktop Search function.

It can read popular compressed file formats such as .zip and .tar, and it searches all data stored by Internet Explorer or Firefox (where it uncovered about 50 unencrypted passwords on my system). However, according to CEO Todd Feinman, Identity Finder has no plans to support other browsers, such as Chrome or Safari. It also can't read encrypted files, nor does it have the optical character recognition capability necessary to read sensitive data captured in images of invoices or other scanned documents.

However, the biggest limitation is around e-mail. The Professional edition supports searches of data stored locally by the Outlook, Outlook Express, Windows Mail and Thunderbird e-mail clients, well as any client that uses the mbox mail format, such as Eudora. However, if you use Exchange Server, you'll need the Enterprise edition to search either your locally cached or server-based copies of your mail and public folders. Identity Finder does not support other enterprise e-mail systems such as Lotus Notes.

Identity Finder also can't crawl data in the cloud, so if your company uses cloud-based e-mail like Gmail, or if you use your browser to access personal Web mail, as I do, you're out of luck. Because I use Gmail and Exchange, my search yielded no results associated with my e-mail accounts.

When I was done with my first pass (using the default AnyFind for Social Security numbers, credit card numbers and passwords), I had a report that included 858 files, most of which were Social Security numbers.