Metadata - What is Unseen


Published on

Slides from the ECU Security Research Institute seminar Monday 29 April 2013, presented by Professor Craig Valli.

Our increasing interconnection networks and production of data of various types such as pictures and videos (artefacts), are producing an increasingly unseen amount of data.
Metadata is data about an artefact that may, for instance, give away the location where a
photo was taken, the device that created the artefact, or what operating systems and applications were used in the construction of the artefact.

Furthermore, the device that transmitted the artefact may be reliably fingerprinted and identified by the applications and operating systems that it runs. Most organisations and individuals are unaware of the attendant risk that the production of artefacts with embedded metadata represents to privacy and security.

This presentation will explore those risks and also demonstrate some of the capabilities of the tools publicly available to extract intelligence from metadata.

Speaker Profile
Professor Craig Valli is the Director of the ECU Security Research Institute (ECUSRI) at Edith Cowan University. Professor Valli has over 25 years experience in the IT industry. He conducts research and consults to industry and government on network security and digital forensics issues. His main consultancy focus is on securing networks and critical infrastructures, detection of network borne threats and forensic analysis of cyber security incidents.

The ECU Security Research Institute (ECUSRI) is a research unit with Edith Cowan University.

Published in: Education
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Metadata - What is Unseen

  1. 1. Security Research InstituteEdith Cowan UniversityMetadata : What is UnseenProfessor Craig ValliSecurity Research InstituteSIG 29th April, 2013
  2. 2. Security Research InstituteEdith Cowan UniversityWhat is it in this context• Data in various forms that are embedded in adigital artefact or stream, typically unseen by theuser. Including but not limited to– Your email address– Watermarks, logos etc– Server Drive mappings– Notes and edits (since thought to be deleted)– Your geolocation at time of save or capture– Cookies, web application specific data
  3. 3. Security Research InstituteEdith Cowan UniversityWhy not remove?• What do you think feeds search engines?• It can be very useful for internal systems tosearch on attributes of documents• Can be used to prove provenance of a document• Can be used to provide an avenue for targetteddeception
  4. 4. Security Research InstituteEdith Cowan UniversityWhy remove?• It makes good sense from a securityperspective, minimal information leakage isoptimal• Because in some countries you are leavingyourself open to litigation and or breaches oflaw (US HIPPA, Privacy Acts, Data Protection)distributing documents with this data in them
  5. 5. Security Research InstituteEdith Cowan UniversityTCP/IP Stacks, Operating Systems• NMAP, p0f are network mappers that work bylooking at the flags in your TCP/IP transmissions.They can reliably fingerprint– Your device– Your operating system– Your patch level of operating system
  6. 6. Security Research InstituteEdith Cowan UniversityBrowsers• The addition of various plug-ins to a browser, incombination with IP numbers used, platformidentifiers in the browser and the ubiquitouscookie can make browsers easy to uniquelyidentify– Mozilla/5.0 (Linux; U; Android 2.2; en-gb; GT-P1000 Build/FROYO) AppleWebKit/533.1(KHTML, like Gecko) Version/4.0 Mobile Safari/533.1– Mozilla/5.0 (Linux; U; Android 2.2; en-ca; SGH-T959D Build/FROYO) AppleWebKit/533.1(KHTML, like Gecko) Version/4.0 Mobile Safari/533.1– Mozilla/5.0 (Linux; U; Android 2.2; en-gb; GT-P1000 Build/FROYO) AppleWebKit/533.1(KHTML, like Gecko) Version/4.0 Mobile Safari/533.1– Mozilla/5.0 (Linux; U; Android 2.0.1; en-us; Droid Build/ESD56) AppleWebKit/530.17(KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
  7. 7. Security Research InstituteEdith Cowan UniversityWord Document Metadata• Comments, revision marks from trackedchanges, versions, and ink annotations• Headers, footers, and watermarks• Document server properties• Email addresses• Usernames (ADS etc)• Hidden text (formatted as)
  8. 8. Security Research InstituteEdith Cowan UniversityPDF• Same same as before with Word plus...– Encryption and user access settings– Signature tags – location, signing authority, type ofsigning etc– Lets not forget executables– Can keep a full history of metadata in the file i.e justchanging does not erase...
  9. 9. Security Research InstituteEdith Cowan UniversityGeotagging• The location data is typicallystored within the EXIF records forthe image using the EXIF GlobalPositioning System sub-IFD thatuses the TIFF Private Tag 0x882• Or the application generates thedata using a combination ofsources to locate e.g GPS andWireless access points
  10. 10. Security Research InstituteEdith Cowan UniversityEXIF• The Exchangeable Image File format (EXIF) is apublished industry specification for the image fileformat used by digital cameras• There are over 200 plus identifiers/tags, geo-location, device, serial number etc
  11. 11. Security Research InstituteEdith Cowan UniversityEXIF
  12. 12. Security Research InstituteEdith Cowan UniversitySocial Media...• Most of these services are “free” in exchange foryour data and metadata touch points. Just as inreal world no free lunch in cyberspace.• Many of these services give full feeds of theirdata streams to developers (anyone)• Some of them rely on you to have turned onGPS/geolocation to access the service i.e no geono service or you are just “checking in”
  13. 13. Security Research InstituteEdith Cowan UniversityTwitter – 140 characters not!•Links to previous tweets•Authors username•Authors screename•Authors biography•Authors location•Timezone•PlaceID, Printable Name, URL,Type, Bounding Box, Country ofplace tweet was made•Application that sent the tweet
  14. 14. Security Research InstituteEdith Cowan UniversityGoogle...
  15. 15. Security Research InstituteEdith Cowan UniversityThird Party Service Providers• Various serviceproviders are nowdeveloping servicesthat fingerprint yourdevices and you!• All perfectly legal, drawn frommetadata and othersources.
  16. 16. Security Research InstituteEdith Cowan UniversitySome analysis tools• Metapicz – Google App - is one example of anonline based tools that allow extraction data• Geosetter – tool to edit/view Geo and otherattributes• FOCA – harvester and analyser for metadatafrom websites• GeoIntelligence – home grown...
  17. 17. Security Research InstituteEdith Cowan UniversitySolutions• Make sure you turn off geo-location on yourdevices...unless you want to be tracked• Strip out metadata using a cleanser beforesending documents in email or storing onwebsites, unless you’re setting honeyfiles..• Use your browsers in anonymous modes on allyour devices or set different browser-id strings• Be careful what extensions in use on browsers• Use some of the VM based anonymisers
  18. 18. Security Research InstituteEdith Cowan UniversitySoftware and Resources• Office 2010+ - Document Inspector• OpenOffice –• Removing Sensitive Data for PDF
  19. 19. Security Research InstituteEdith Cowan UniversityReferences and Resources• Official 2.3 EXIF• EXIF Tag list• Hidden Data and Metadata in Adobe PDF Files• Official PDF specification -