Wednesday, April 6, 2011

Fear the FOCA!

FOCA is a tool for scraping metadata from files. This isn't necessarily anything new; MetaGooFil has been around for a while and is integrated into distributions like BackTrack and Blackbuntu. What makes FOCA unique is its simplicity. With FOCA, you simply enter a domain name and start digging through metadata! You can start fingerprinting an organization in just a few minutes.

Getting Started
Getting started with FOCA is easy! Go to the FOCA Free website and download the installer. After FOCA is installed, you can start it from the Foca Free icon in the Start menu or on the desktop.

When FOCA starts, choose File->New Project. Give your project a name, enter the domain name and any alternative domain names of your target. Then click Create.

This will bring you to the main search for FOCA. To get started, click on "Search All." FOCA immediately starts searching Google, Bing, and Exalead for files that are likely to contain metadata. These include files like Word documents, Excel spreadsheets, and Adobe PDF documents.

Hopefully, FOCA finds something interesting. You can find out what documents were discovered by looking at the list below the "Search All" button. In my redacted example, you can see that a Word document and several PDF files were found.




This is the first piece of interesting information. People name their files all sorts of things and can often inadvertently reveal information through file names. In this case, there were no interesting file names, so we move on to the next steps: downloading and extracting metadata. From the menu, choose "Metadata"->"Download all documents."

Downloading the documents may take a few minutes, especially if there are several documents. When all the documents have downloaded, go back to the Metadata menu and choose "Extract all documents metadata."

This will begin populating the Metadata tab. You can expand each file type and start to review the extracted metadata.

While this is interesting, it gets better. Go back to the Metadata menu one more time and choose "Analize (sic) metadata."

Now the magic begins. FOCA starts analyzing the extracted data and gives you a nice report. Switch over to the "Network Data" tab and start reviewing. I'm going to stop giving screenshots at this point because they would be all black with redaction.
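
What the extraction step reads from an Office Open XML file (.docx, .xlsx, .pptx), shown as an added example that is not FOCA's code and not part of the original post; it is written for checking your own documents before you publish them. The function names and the sample document are constructed for illustration, and PDF and legacy .doc files are not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Package parts of a .docx/.xlsx/.pptx file that hold document properties.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Fields that tend to reveal user names, software versions and organization names.
REVEALING = {"creator", "lastModifiedBy", "Application", "AppVersion", "Company", "Template"}

def extract_ooxml_metadata(data: bytes) -> dict:
    """Return the revealing property fields stored in an OOXML file (as bytes)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = set(package.namelist())
        for part in PROPERTY_PARTS:
            if part not in names:  # part was stripped or never written
                continue
            # Meant for your own files; use defusedxml for untrusted input.
            root = ET.fromstring(package.read(part))
            for element in root.iter():
                field = element.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                text = (element.text or "").strip()
                if field in REVEALING and text:
                    found[field] = text
    return found

def build_sample_docx(core_xml: str, app_xml: str = "") -> bytes:
    """Build a constructed package that contains only the property parts."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("docProps/core.xml", core_xml)
        if app_xml:
            package.writestr("docProps/app.xml", app_xml)
    return buffer.getvalue()

# Constructed sample values, not taken from any real document.
CORE_NS = ('xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"')
SAMPLE_CORE = (f"<cp:coreProperties {CORE_NS}><dc:title>Q3 plan</dc:title>"
               "<dc:creator>jdoe</dc:creator>"
               "<cp:lastModifiedBy>asmith</cp:lastModifiedBy></cp:coreProperties>")
SAMPLE_APP = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
              "<Application>Microsoft Office Word</Application><AppVersion>12.0000</AppVersion>"
              "<Company>Example Corp</Company></Properties>")
SAMPLE_DOCX = build_sample_docx(SAMPLE_CORE, SAMPLE_APP)

if __name__ == "__main__":
    for field, value in sorted(extract_ooxml_metadata(SAMPLE_DOCX).items()):
        print(f"{field}: {value}")
```

An empty result means the property parts are missing or hold none of the listed fields; it does not cover metadata stored elsewhere in the file, such as comments or tracked changes.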

Conclusion
FOCA is an awesome tool! If you are a pen tester or responsible for security in your organization, you will want to add it to your arsenal. That said, there are a couple of negatives. First, the documentation is sparse and much of the material is only available in Spanish. The informatica64.com website is also in Spanish. If you don't speak Spanish, Babelfish and Google Translate do a good job, but it would be nice to see some English translations. Second, there are some FOCA tools that revolve around DNS recon and seem to be unstable at times. FOCA is great even without these DNS tools, and I hope they continue to develop the application. And finally, FOCA is Windows only. A Linux port would be nice, but I don't expect to see that.

It's also worth mentioning that there is an online version of FOCA, FOCA Online. FOCA Online takes a single file and analyzes it for metadata.

Altogether, FOCA is an amazing tool despite a couple of shortcomings. I will definitely be using it in the future.

Thanks to Beth Young for introducing me to FOCA.