This document discusses how metadata, hidden information, and lost data can be extracted from files using tools like FOCA for tactical fingerprinting purposes. It provides examples of the types of information that can be found, such as users, paths, devices, and more. The document warns that most people and organizations are unaware of these issues and fail to properly clean files before publishing them. It demonstrates how tools can extract this extra information and identifies weaknesses in common file types and cleaning procedures. The author encourages thorough cleaning of documents and limiting what users publish to avoid unintentionally leaking sensitive information.

1. Chema Alonso, José Palazón “Palako”Tactical Fingerprinting using metadata, hidden info and lost data using FOCA

2. 2003 – a piece of historyIrak war was about to startUS wanted the UK to be an ally. US sent a document “proving” the existence of massive destruction weapons Tony Blair presented the document to the UK parliament.Parliament asked Tony Blair “Has someone modified the document?”He answered: No

3. 2003 – MS Word bytes Tony Blair

4. What kind of data can be found?Metadata:Information stored to give information about the document.For example: Creator, Organization, etc..Hidden information:Information internally stored by programs and not editable.For example: Template paths, Printers, db structure, etc…Lost data:Information which is in documents due to human mistakes or negligence, because it was not intended to be there.For example: Links to internal servers, data hidden by format, etc…

5. MetadataMetadata LifecycleWrongmanagementBadformatconversionUnsecureoptionsWrongmanagementBadformatconversionUnsecureoptionsNew appsorprogramversionsSearchenginesSpidersDatabasesEmbeddedfilesHiddeninfoLost DataEmbeddedfiles

6. Metadatacreatedby Google

7. Lost Data

8. Lost data everywhere

9. Public server

10. So… are people aware of this? The answer is NO.Almost nobody is cleaning documents.Companies publish thousands of documents without cleaning them before with:Metadata.Hidden Info.Lost data.

12. Sample: FBI.govTotal: 4841 files

14. Are theyclean?Total: 1075 files

15. Howmany files is my companypublishing?

16. Sample: Printer info found in odf files returned by Google

17. Google Sets prediction

18. Sample: Info found in a PDF file

19. What files store Metadata, hidden info or lost data?Office documents:Open Office documents.MS Office documents.PDF Documents.XMP.EPS Documents.Graphic documents.EXIFF.XMP.And almost everything….

20. Pictureswith GPS info..EXIFREADERhttp://www.takenet.or.jp/~ryuuji/

21. Demo: Lookingfor EXIF information in ODF file

22. Even Videos withusers…http://video.techrepublic.com.com/2422-14075_11-207247.html

23. And of course, printedtxt

24. What can be found? Users:Creators.Modifiers .Users in paths.C:\Documents and settings\jfoo\myfile/home/johnnyfOperating systems.Printers.Local and remote.Paths.Local and remote.Network info.Shared Printers.Shared Folders.ACLS.Internal Servers.NetBIOS Name.Domain Name.IP Address.Database structures.Table names.Colum names.Devices info.Mobiles.Photo cameras.Private Info.Personal data.History of use.Software versions.

25. How can metadata be extracted?Info is in the file in raw format:Binary.ASCII .Therefore Hex or ASCII editors can be used:HexEdit.Notepad++.BintextSpecial tools can be used:ExifredaerExifToolLibextractor.Metagoofil.……or just open the file!

26. Tools: Libextractor

27. Tools: MetaGoofilhttp://www.edge-security.com/metagoofil.phpYes, also Google….

28. Your FBI user

29. Your UN user

30. YourScotlandYarduser

31. YourCarabinieriuser

32. YourWhiteHouseuser

33. Yes, we can!

34. DrawbacksThese tools only extract metadata.Not looking for Hidden Info.Not looking for lost data.Not post-analysis.

35. OnlyMetadatahttp://gnunet.org/libextractor/demo.php3

36. Notverygoodwith XML files (SWX, ODF, OOXML)

37. Google is [almost] GOD

38. FiletypeorExtension?

39. FocaFingerprinting Organizations with Collected Archives.Search for documents in Google and BingAutomatic file downloadingCapable of extracting Metadata, hidden info and lost dataCluster information Analyzes the info to fingerprint the network.

40. Demo: FOCA

41. FOCA Onlinehttp://www.informatica64.com/FOCA

42. Solutions?

43. First: Cleanallpublicdocuments

44. Clean your documents:MSOffice 2k7

45. Clean your documents: MSOffice 2k3 & XPhttp://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360

46. OLE StreamsIn MS Office binaryformat filesStoreinformationaboutthe OSAre notcleanedwiththese ToolsFOCA findsthisinfo

47. Demo: Lookingforinfo in cleaneddocument

48. OpenOfficecleaningoptionsOnlymetadataNotcleaninghiddeninfoNotcleaninglost data

49. Cleaning documentsOOMetaExtractorhttp://www.codeplex.org/oometaextractor

50. Demo: OpenOffice “Security” Options…

51. Are yousaferelyingonyourusers?

52. IIS MetaShield Protectorhttp://www.metashieldprotector.com

53. Second: Beg Google todeleteallthecached files

54. Don´t trust your users!!!

55. Don´tcomplainaboutyourjob!!

56. PS: Thisfilealso has metadata

57. ThanksAuthorsChema Alonsochema@informatica64.comJose Palazón “Palako”palako@lateatral.comEnrique RandoEnrique.rando@juntadeandalucia.esAlejandro Martínamartin@informatica64.comFrancisco Ocafroca@informatica64.comAntonio Guzmánantonio.guzman@urjc.es