My buddy Aamir Lakhani posted about a really cool metadata tool called FOCA. The original post can be found HERE. Below is Aamir’s post about FOCA.
I would like to introduce you to one of my favorite network reconnaissance tools. It is called FOCA.
Did you know every time you create a document such as PowerPoint presentation, Microsoft Word document, or PDFs, metadata is left in the document?
What is metadata? metadata is data about data. It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected. metadata can be useful to attackers because it contains useful information about the system where the file was created such as:
- Name of user logged into the system
- Software that created the document
- OS of the system that created the document
FOCA is a security audit tool that will examine metadata from domains. It uses search engines to find files on domains, or you can use your own local files.
The first step to use FOCA is to download it.
- FOCA can be downloaded at: http://www.informatica64.com/DownloadFOCA (use Google Translate)
- You will need to give your email address at the bottom of the screen. You will receive an email with the download link. You will also receive updates on when FOCA is updated.
- FOCA is a Windows only tool. When you install FOCA you may be asked to install .NET Framework or other decencies.
- We will be using FOCA 3.2 for this demo.
- The first thing after launching FOCA is to create a new project.
- I personally like to keep all my project files in one place. I will create a new folder for each project.
- Once you name your project and decide where you want to store the project files, click on the create button.
- Save your project file
- Hit the scan all button and FOCA will use search engines to scan for documents. Optionally you can use local documents as well.
- Right-click on the file and select “Download”
- Right-click on the file and select Extract metadata
- Right-click and Select Analyze metadata
In this example you can see from the metadata that me and my colleague opened this document.
You can also determine from the metadata that Microsoft Office for the Mac and Adobe Photoshop were used to create this document.
In many cases, attackers will be able to see much more information and gather intelligence about a target by using this tool.