Chema Alonso, José Palazón “Palako”<br />Tactical Fingerprinting using metadata, hidden info and lost data using FOCA<br />
2003 – a piece of history<br />Irak war was about to start<br />US wanted the UK to be an ally. <br />US sent a document “...
2003 – MS Word bytes Tony Blair<br />
What kind of data can be found?<br />Metadata:<br />Information stored to give information about the document.<br />For ex...
Metadata<br />Metadata Lifecycle<br />Wrongmanagement<br />Badformatconversion<br />Unsecureoptions<br />Wrongmanagement<b...
Metadatacreatedby Google<br />
Lost Data<br />
Lost data everywhere<br />
Public server<br />
So… are people aware of this? <br />The answer is NO.<br />Almost nobody is cleaning documents.<br />Companies publish tho...
Sample: FBI.gov<br />Total:  4841 files<br />
Are theyclean?<br />Total:  1075 files<br />
Howmany files is my companypublishing?<br />
Sample: Printer info found in odf files returned by Google<br />
Google Sets prediction<br />
Sample: Info found in a PDF file<br />
What files store Metadata, hidden info or lost data?<br />Office documents:<br />Open Office documents.<br />MS Office doc...
Pictureswith GPS info..<br />EXIFREADER<br />http://www.takenet.or.jp/~ryuuji/<br />
Demo: Lookingfor EXIF information in ODF file<br />
Even Videos withusers…<br />http://video.techrepublic.com.com/2422-14075_11-207247.html<br />
And of course, printedtxt<br />
What can be found? <br />Users:<br />Creators.<br />Modifiers .<br />Users in paths.<br />C:Documents and settingsjfoomyfi...
How can metadata be extracted?<br />Info is in the file in raw format:<br />Binary.<br />ASCII .<br />Therefore Hex or ASC...
Tools: Libextractor<br />
Tools: MetaGoofil<br /><ul><li>http://www.edge-security.com/metagoofil.php</li></li></ul><li>Yes, also Google….<br />
Your FBI user<br />
Your UN user<br />
YourScotlandYarduser<br />
YourCarabinieriuser<br />
YourWhiteHouseuser<br />
Yes, we can!<br />
Drawbacks<br />These tools only extract metadata.<br />Not looking for Hidden Info.<br />Not looking for lost data.<br />N...
OnlyMetadata<br />http://gnunet.org/libextractor/demo.php3<br />
Notverygoodwith XML files (SWX, ODF, OOXML)<br />
Google is [almost] GOD<br />
FiletypeorExtension?<br />
Foca<br />Fingerprinting  Organizations with Collected Archives.<br />Search for documents in Google and Bing<br />Automat...
Demo: FOCA<br />
FOCA Online<br />http://www.informatica64.com/FOCA<br />
Solutions?<br />
First: Cleanallpublicdocuments<br />
Clean your documents:MSOffice 2k7<br />
Clean your documents: MSOffice 2k3 & XP<br />http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e5...
OLE Streams<br />In MS Office binaryformat files<br />Storeinformationaboutthe OS<br />Are notcleanedwiththese Tools<br />...
Demo: Lookingforinfo in cleaneddocument<br />
OpenOfficecleaningoptions<br />Onlymetadata<br />Notcleaninghiddeninfo<br />Notcleaninglost data<br />
Cleaning documents<br />OOMetaExtractor<br />http://www.codeplex.org/oometaextractor<br />
Demo: OpenOffice “Security” Options…<br />
Are yousaferelyingonyourusers?<br />
IIS MetaShield Protector<br />http://www.metashieldprotector.com<br />
Second: Beg Google todeleteallthecached files<br />
Don´t trust your users!!!<br />
Don´tcomplainaboutyourjob!!<br />
PS: Thisfilealso has metadata<br />
Thanks<br />Authors<br />Chema Alonso<br />chema@informatica64.com<br />Jose Palazón “Palako”<br />palako@lateatral.com<br...
Defcon 17   Tactical Fingerprinting using Foca
Upcoming SlideShare
Loading in...5
×

Defcon 17 Tactical Fingerprinting using Foca

7,879

Published on

Talk delivered by Chema Alonso and José Palazón "Palako" in Defcon 17 about "Tactical Fingerprinting using metadata, hidden info and lost data".

Published in: Technology, Business
1 Comment
3 Likes
Statistics
Notes
No Downloads
Views
Total Views
7,879
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
259
Comments
1
Likes
3
Embeds 0
No embeds

No notes for slide

Defcon 17 Tactical Fingerprinting using Foca

  1. 1. Chema Alonso, José Palazón “Palako”<br />Tactical Fingerprinting using metadata, hidden info and lost data using FOCA<br />
  2. 2. 2003 – a piece of history<br />Irak war was about to start<br />US wanted the UK to be an ally. <br />US sent a document “proving” the existence of massive destruction weapons <br />Tony Blair presented the document to the UK parliament.<br />Parliament asked Tony Blair “Has someone modified the document?”<br />He answered: No<br />
  3. 3. 2003 – MS Word bytes Tony Blair<br />
  4. 4. What kind of data can be found?<br />Metadata:<br />Information stored to give information about the document.<br />For example: Creator, Organization, etc..<br />Hidden information:<br />Information internally stored by programs and not editable.<br />For example: Template paths, Printers, db structure, etc…<br />Lost data:<br />Information which is in documents due to human mistakes or negligence, because it was not intended to be there.<br />For example: Links to internal servers, data hidden by format, etc…<br />
  5. 5. Metadata<br />Metadata Lifecycle<br />Wrongmanagement<br />Badformatconversion<br />Unsecureoptions<br />Wrongmanagement<br />Badformatconversion<br />Unsecureoptions<br />New apps<br />orprogram<br />versions<br />Searchengines<br />Spiders<br />Databases<br />Embedded<br />files<br />Hiddeninfo<br />Lost Data<br />Embedded<br />files<br />
  6. 6. Metadatacreatedby Google<br />
  7. 7. Lost Data<br />
  8. 8. Lost data everywhere<br />
  9. 9. Public server<br />
  10. 10. So… are people aware of this? <br />The answer is NO.<br />Almost nobody is cleaning documents.<br />Companies publish thousands of documents without cleaning them before with:<br />Metadata.<br />Hidden Info.<br />Lost data.<br />
  11. 11.
  12. 12. Sample: FBI.gov<br />Total: 4841 files<br />
  13. 13.
  14. 14. Are theyclean?<br />Total: 1075 files<br />
  15. 15. Howmany files is my companypublishing?<br />
  16. 16. Sample: Printer info found in odf files returned by Google<br />
  17. 17. Google Sets prediction<br />
  18. 18. Sample: Info found in a PDF file<br />
  19. 19. What files store Metadata, hidden info or lost data?<br />Office documents:<br />Open Office documents.<br />MS Office documents.<br />PDF Documents.<br />XMP.<br />EPS Documents.<br />Graphic documents.<br />EXIFF.<br />XMP.<br />And almost everything….<br />
  20. 20. Pictureswith GPS info..<br />EXIFREADER<br />http://www.takenet.or.jp/~ryuuji/<br />
  21. 21. Demo: Lookingfor EXIF information in ODF file<br />
  22. 22. Even Videos withusers…<br />http://video.techrepublic.com.com/2422-14075_11-207247.html<br />
  23. 23. And of course, printedtxt<br />
  24. 24. What can be found? <br />Users:<br />Creators.<br />Modifiers .<br />Users in paths.<br />C:Documents and settingsjfoomyfile<br />/home/johnnyf<br />Operating systems.<br />Printers.<br />Local and remote.<br />Paths.<br />Local and remote.<br />Network info.<br />Shared Printers.<br />Shared Folders.<br />ACLS.<br />Internal Servers.<br />NetBIOS Name.<br />Domain Name.<br />IP Address.<br />Database structures.<br />Table names.<br />Colum names.<br />Devices info.<br />Mobiles.<br />Photo cameras.<br />Private Info.<br />Personal data.<br />History of use.<br />Software versions.<br />
  25. 25. How can metadata be extracted?<br />Info is in the file in raw format:<br />Binary.<br />ASCII .<br />Therefore Hex or ASCII editors can be used:<br />HexEdit.<br />Notepad++.<br />Bintext<br />Special tools can be used:<br />Exifredaer<br />ExifTool<br />Libextractor.<br />Metagoofil.<br />…<br />…or just open the file!<br />
  26. 26. Tools: Libextractor<br />
  27. 27. Tools: MetaGoofil<br /><ul><li>http://www.edge-security.com/metagoofil.php</li></li></ul><li>Yes, also Google….<br />
  28. 28. Your FBI user<br />
  29. 29. Your UN user<br />
  30. 30. YourScotlandYarduser<br />
  31. 31. YourCarabinieriuser<br />
  32. 32. YourWhiteHouseuser<br />
  33. 33. Yes, we can!<br />
  34. 34. Drawbacks<br />These tools only extract metadata.<br />Not looking for Hidden Info.<br />Not looking for lost data.<br />Not post-analysis.<br />
  35. 35. OnlyMetadata<br />http://gnunet.org/libextractor/demo.php3<br />
  36. 36. Notverygoodwith XML files (SWX, ODF, OOXML)<br />
  37. 37. Google is [almost] GOD<br />
  38. 38. FiletypeorExtension?<br />
  39. 39. Foca<br />Fingerprinting Organizations with Collected Archives.<br />Search for documents in Google and Bing<br />Automatic file downloading<br />Capable of extracting Metadata, hidden info and lost data<br />Cluster information <br />Analyzes the info to fingerprint the network.<br />
  40. 40. Demo: FOCA<br />
  41. 41. FOCA Online<br />http://www.informatica64.com/FOCA<br />
  42. 42. Solutions?<br />
  43. 43. First: Cleanallpublicdocuments<br />
  44. 44. Clean your documents:MSOffice 2k7<br />
  45. 45. Clean your documents: MSOffice 2k3 & XP<br />http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360<br />
  46. 46. OLE Streams<br />In MS Office binaryformat files<br />Storeinformationaboutthe OS<br />Are notcleanedwiththese Tools<br />FOCA findsthisinfo<br />
  47. 47. Demo: Lookingforinfo in cleaneddocument<br />
  48. 48. OpenOfficecleaningoptions<br />Onlymetadata<br />Notcleaninghiddeninfo<br />Notcleaninglost data<br />
  49. 49. Cleaning documents<br />OOMetaExtractor<br />http://www.codeplex.org/oometaextractor<br />
  50. 50. Demo: OpenOffice “Security” Options…<br />
  51. 51. Are yousaferelyingonyourusers?<br />
  52. 52. IIS MetaShield Protector<br />http://www.metashieldprotector.com<br />
  53. 53. Second: Beg Google todeleteallthecached files<br />
  54. 54. Don´t trust your users!!!<br />
  55. 55. Don´tcomplainaboutyourjob!!<br />
  56. 56. PS: Thisfilealso has metadata<br />
  57. 57. Thanks<br />Authors<br />Chema Alonso<br />chema@informatica64.com<br />Jose Palazón “Palako”<br />palako@lateatral.com<br />Enrique Rando<br />Enrique.rando@juntadeandalucia.es<br />Alejandro Martín<br />amartin@informatica64.com<br />Francisco Oca<br />froca@informatica64.com<br />Antonio Guzmán<br />antonio.guzman@urjc.es<br />
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×