Defcon 17   Tactical Fingerprinting using Foca
Upcoming SlideShare
Loading in...5
×
 

Defcon 17 Tactical Fingerprinting using Foca

on

  • 10,705 views

Talk delivered by Chema Alonso and José Palazón "Palako" in Defcon 17 about "Tactical Fingerprinting using metadata, hidden info and lost data".

Talk delivered by Chema Alonso and José Palazón "Palako" in Defcon 17 about "Tactical Fingerprinting using metadata, hidden info and lost data".

Statistics

Views

Total Views
10,705
Views on SlideShare
10,117
Embed Views
588

Actions

Likes
3
Downloads
244
Comments
1

10 Embeds 588

http://elladodelmal.blogspot.com 249
http://www.elladodelmal.com 225
http://www.cyberhades.com 83
http://www.slideshare.net 21
http://www.slideee.com 3
file:// 2
http://us-w1.rockmelt.com 2
http://74.125.79.132 1
http://www.newsgator.com 1
http://blsspapp1.psb.bls.gov:43177 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Defcon 17   Tactical Fingerprinting using Foca Defcon 17 Tactical Fingerprinting using Foca Presentation Transcript

  • Chema Alonso, José Palazón “Palako”
    Tactical Fingerprinting using metadata, hidden info and lost data using FOCA
  • 2003 – a piece of history
    Irak war was about to start
    US wanted the UK to be an ally.
    US sent a document “proving” the existence of massive destruction weapons
    Tony Blair presented the document to the UK parliament.
    Parliament asked Tony Blair “Has someone modified the document?”
    He answered: No
  • 2003 – MS Word bytes Tony Blair
  • What kind of data can be found?
    Metadata:
    Information stored to give information about the document.
    For example: Creator, Organization, etc..
    Hidden information:
    Information internally stored by programs and not editable.
    For example: Template paths, Printers, db structure, etc…
    Lost data:
    Information which is in documents due to human mistakes or negligence, because it was not intended to be there.
    For example: Links to internal servers, data hidden by format, etc…
  • Metadata
    Metadata Lifecycle
    Wrongmanagement
    Badformatconversion
    Unsecureoptions
    Wrongmanagement
    Badformatconversion
    Unsecureoptions
    New apps
    orprogram
    versions
    Searchengines
    Spiders
    Databases
    Embedded
    files
    Hiddeninfo
    Lost Data
    Embedded
    files
  • Metadatacreatedby Google
  • Lost Data
  • Lost data everywhere
  • Public server
  • So… are people aware of this?
    The answer is NO.
    Almost nobody is cleaning documents.
    Companies publish thousands of documents without cleaning them before with:
    Metadata.
    Hidden Info.
    Lost data.
  • Sample: FBI.gov
    Total: 4841 files
  • Are theyclean?
    Total: 1075 files
  • Howmany files is my companypublishing?
  • Sample: Printer info found in odf files returned by Google
  • Google Sets prediction
  • Sample: Info found in a PDF file
  • What files store Metadata, hidden info or lost data?
    Office documents:
    Open Office documents.
    MS Office documents.
    PDF Documents.
    XMP.
    EPS Documents.
    Graphic documents.
    EXIFF.
    XMP.
    And almost everything….
  • Pictureswith GPS info..
    EXIFREADER
    http://www.takenet.or.jp/~ryuuji/
  • Demo: Lookingfor EXIF information in ODF file
  • Even Videos withusers…
    http://video.techrepublic.com.com/2422-14075_11-207247.html
  • And of course, printedtxt
  • What can be found?
    Users:
    Creators.
    Modifiers .
    Users in paths.
    C:Documents and settingsjfoomyfile
    /home/johnnyf
    Operating systems.
    Printers.
    Local and remote.
    Paths.
    Local and remote.
    Network info.
    Shared Printers.
    Shared Folders.
    ACLS.
    Internal Servers.
    NetBIOS Name.
    Domain Name.
    IP Address.
    Database structures.
    Table names.
    Colum names.
    Devices info.
    Mobiles.
    Photo cameras.
    Private Info.
    Personal data.
    History of use.
    Software versions.
  • How can metadata be extracted?
    Info is in the file in raw format:
    Binary.
    ASCII .
    Therefore Hex or ASCII editors can be used:
    HexEdit.
    Notepad++.
    Bintext
    Special tools can be used:
    Exifredaer
    ExifTool
    Libextractor.
    Metagoofil.

    …or just open the file!
  • Tools: Libextractor
  • Tools: MetaGoofil
    • http://www.edge-security.com/metagoofil.php
  • Yes, also Google….
  • Your FBI user
  • Your UN user
  • YourScotlandYarduser
  • YourCarabinieriuser
  • YourWhiteHouseuser
  • Yes, we can!
  • Drawbacks
    These tools only extract metadata.
    Not looking for Hidden Info.
    Not looking for lost data.
    Not post-analysis.
  • OnlyMetadata
    http://gnunet.org/libextractor/demo.php3
  • Notverygoodwith XML files (SWX, ODF, OOXML)
  • Google is [almost] GOD
  • FiletypeorExtension?
  • Foca
    Fingerprinting Organizations with Collected Archives.
    Search for documents in Google and Bing
    Automatic file downloading
    Capable of extracting Metadata, hidden info and lost data
    Cluster information
    Analyzes the info to fingerprint the network.
  • Demo: FOCA
  • FOCA Online
    http://www.informatica64.com/FOCA
  • Solutions?
  • First: Cleanallpublicdocuments
  • Clean your documents:MSOffice 2k7
  • Clean your documents: MSOffice 2k3 & XP
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360
  • OLE Streams
    In MS Office binaryformat files
    Storeinformationaboutthe OS
    Are notcleanedwiththese Tools
    FOCA findsthisinfo
  • Demo: Lookingforinfo in cleaneddocument
  • OpenOfficecleaningoptions
    Onlymetadata
    Notcleaninghiddeninfo
    Notcleaninglost data
  • Cleaning documents
    OOMetaExtractor
    http://www.codeplex.org/oometaextractor
  • Demo: OpenOffice “Security” Options…
  • Are yousaferelyingonyourusers?
  • IIS MetaShield Protector
    http://www.metashieldprotector.com
  • Second: Beg Google todeleteallthecached files
  • Don´t trust your users!!!
  • Don´tcomplainaboutyourjob!!
  • PS: Thisfilealso has metadata
  • Thanks
    Authors
    Chema Alonso
    chema@informatica64.com
    Jose Palazón “Palako”
    palako@lateatral.com
    Enrique Rando
    Enrique.rando@juntadeandalucia.es
    Alejandro Martín
    amartin@informatica64.com
    Francisco Oca
    froca@informatica64.com
    Antonio Guzmán
    antonio.guzman@urjc.es