Tactical Fingerprinting using metadata, hidden info and lost data using FOCA

Chema Alonso, José Palazón “Palako”

2003 – a piece of history

Irak war was about to start US wanted the UK to be an ally. US sent a document “proving” the

existence of massive destruction weapons

Tony Blair presented the document to the UK parliament.

Parliament asked Tony Blair “Has someone modified the document?”

He answered: No

2003 – MS Word bytes Tony Blair

What kind of data can be found? Metadata:

Information stored to give information about the document.

▪ For example: Creator, Organization, etc.. Hidden information:

Information internally stored by programs and not editable.

▪ For example: Template paths, Printers, db structure, etc… Lost data:

Information which is in documents due to human mistakes or negligence, because it was not intended to be there.

▪ For example: Links to internal servers, data hidden by format, etc…

Metadata

Metadata Lifecycle

Lost Data

Hidden info

Wrong managementBad format conversionUnsecure options

New appsor program versions

Embeddedfiles

Search enginesSpidersDatabases

Embeddedfiles

Wrong managementBad format conversionUnsecure options

Metadata created by Google

Lost Data

Lost data everywhere

Public server

So… are people aware of this?

The answer is NO. Almost nobody is cleaning

documents. Companies publish thousands of

documents without cleaning them before with: Metadata. Hidden Info. Lost data.

Sample: FBI.gov

Total: 4841 files

Are they clean?

Total: 1075 files

How many files is my company publishing?

Sample: Printer info found in odf files returned by Google

Google Sets prediction

Sample: Info found in a PDF file

What files store Metadata, hidden info or lost data?

Office documents: Open Office documents. MS Office documents. PDF Documents.▪ XMP.

EPS Documents. Graphic documents.▪ EXIFF.▪ XMP.

And almost everything….

Pictures with GPS info..

EXIFREADER

http://www.takenet.or.jp/~ryuuji/

Demo: Looking for EXIF information in ODF file

Even Videos with users…

http://video.techrepublic.com.com/2422-14075_11-207247.html

And of course, printed txt

What can be found? Users:

Creators. Modifiers . Users in paths.

▪ C:\Documents and settings\jfoo\myfile

▪ /home/johnnyf Operating systems. Printers.

Local and remote. Paths.

Local and remote. Network info.

Shared Printers. Shared Folders. ACLS.

Internal Servers. NetBIOS Name. Domain Name. IP Address.

Database structures. Table names. Colum names.

Devices info. Mobiles. Photo cameras.

Private Info. Personal data.

History of use. Software versions.

How can metadata be extracted?

Info is in the file in raw format: Binary. ASCII .

Therefore Hex or ASCII editors can be used: HexEdit. Notepad++. Bintext

Special tools can be used: Exif redaer ExifTool Libextractor. Metagoofil. …

…or just open the file!

Tools: Libextractor

Tools: MetaGoofil

http://www.edge-security.com/metagoofil.php

Yes, also Google….

Your FBI user

Your UN user

Your Scotland Yard user

Your Carabinieri user

Your WhiteHouse user

Yes, we can!

Drawbacks

These tools only extract metadata. Not looking for Hidden Info. Not looking for lost data. Not post-analysis.

Only Metadata

http://gnunet.org/libextractor/demo.php3

Not very good with XML files (SWX, ODF, OOXML)

Google is [almost] GOD

Filetype or Extension?

Foca

Fingerprinting Organizations with Collected Archives. Search for documents in Google and Bing Automatic file downloading Capable of extracting Metadata, hidden

info and lost data Cluster information Analyzes the info to fingerprint the

network.

Demo: FOCA

FOCA Onlinehttp://www.informatica64.com/FOCA

Solutions?

First: Clean all public documents

Clean your documents:MSOffice 2k7

Clean your documents: MSOffice 2k3 & XP

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360

OLE Streams

In MS Office binary format files Store information about the OS Are not cleaned with these Tools FOCA finds this info

Demo: Looking for info in cleaned document

OpenOffice cleaning options

Only metadata Not cleaning hidden info Not cleaning lost data

Cleaning documents OOMetaExtractor

http://www.codeplex.org/oometaextractor

Demo: OpenOffice “Security” Options…

Are you safe relying on your users?

IIS MetaShield Protector

http://www.metashieldprotector.com

Second: Beg Google to delete all the cached files

Don´t trust your users!!!

Don´t complain about your job!!

PS: This file also has metadata

Thanks

Authors Chema Alonso▪ chema@informatica64.com

Jose Palazón “Palako”▪ palako@lateatral.com

Enrique Rando▪ Enrique.rando@juntadeandalucia.es

Alejandro Martín▪ amartin@informatica64.com

Francisco Oca▪ froca@informatica64.com

Antonio Guzmán▪ antonio.guzman@urjc.es