FOCA is a tool that extracts metadata, hidden information, and lost data from documents and files. It can discover details about users, operating systems, printers, paths, servers, and more. FOCA also performs network discovery by analyzing DNS records, web servers, and shared resources. It provides different views of the extracted information for security assessments. The tool is regularly updated with new capabilities like internal network scanning, digital certificate analysis, and a reporting module. FOCA extracts intelligence from file metadata that can reveal sensitive organizational information and vulnerabilities.

1. FOCA Pro Chema Alonso

2. What’s a FOCA?

3. FOCA on Linux?

4. FOCA + Wine

5. Previously on FOCA….

6. FOCA 0.X

7. A documentis Whatyousee… And whatyoudon´t Templatepaths Usersworked in it. Departments. File & Printing Servers VersionHistory Embedded files …

8. What kind of data can be found? Metadata: Information stored to give information about the document. For example: Creator, Organization, etc.. Hidden information: Information internally stored by programs and not editable. For example: Template paths, Printers, db structure, etc… Lost data: Information which is in documents due to human mistakes or negligence, because it was not intended to be there. For example: Links to internal servers, data hidden by format, etc…

9. Metadata Metadata Lifecycle Wrongmanagement Badformatconversion Unsecureoptions Wrongmanagement Badformatconversion Unsecureoptions New apps orprogram versions Searchengines Spiders Databases Embedded files Hiddeninfo Lost Data Embedded files

10. MetadataRisks “Secret” relationships Government & companies Companies & providers Piracy Reputation Social engineering attacks Targeting Malware

11. 2003 – MS Word bytes Tony Blair

12. Targeting Malware

13. Targeting Malware

14. Electing the entry point

15. Why you should be using FS

16. Linux installation guide

17. Social Engineering Attack

18. Anonim0us case

19. Metadatacreatedby Google

20. Lost Data

21. Lost data everywhere

22. Metadata in SearchEngines

23. Pictureswith GPS info.. EXIFREADER http://www.takenet.or.jp/~ryuuji/

24. Even Videos withusers… http://video.techrepublic.com.com/2422-14075_11-207247.html

25. And of course, printedtxt

26. OLE Streams In MS Office binaryformat files Storeinformationaboutthe OS Are notcleanedwiththese Tools FOCA findsthisinfo

28. Open Office documents.

29. MS Office documents.

30. PDF Documents.

31. XMP.

32. EPS Documents.

33. Graphic documents.

34. EXIFF.

35. XMP.

37. Creators.

38. Modifiers .

39. Users in paths.

40. C:ocuments and settingsfooyfile

41. /home/johnnyf

42. Operating systems.

43. Printers.

44. Local and remote.

45. Paths.

46. Local and remote.

47. Network info.

48. Shared Printers.

49. Shared Folders.

50. ACLS.

51. Internal Servers.

52. NetBIOS Name.

53. Domain Name.

54. IP Address.

55. Database structures.

56. Table names.

57. Colum names.

58. Devices info.

59. Mobiles.

60. Photo cameras.

61. Private Info.

62. Personal data.

63. History of use.

65. Sample: FBI.gov Total: 4841 files

66. Are theycleaned?

68. Search for documents in Google and Bing

69. Automatic file downloading

70. Capable of extracting Metadata, hidden info and lost data

71. Cluster information

73. AlternativeDomains

74. AlternativeDomains

75. Sample: Printer info found in odf files returned by Google

76. Types of Engineers

77. DNS Prediction

78. Google Sets Prediction

79. IP Scanning

80. Manually-added Data

82. Demo: Mda.mil

84. Recursivealgorithm

85. InformationGathering

86. SwRecognition

87. DNS Cache Snooping

89. Hugedomains case

90. DNS Search Panel

91. Búsqueda de URLS en buscadores

92. DNS Search & Zone Transfer IP resolution Well-Known records NS TXT (SPF) MX SOA (Primary.master) Zone Transfer Diccionarysearch

93. Bing IP

94. PTR Scannig

95. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc http -> Web server GET Banner HTTP domain.com is a domain Search NS, MX, SPF records for domain.com sub.domain.com is a subdomain Search NS, MX, SPF records for sub.domain.com Try allthe non verified servers onall new domains server01.domain.com server01.sub.domain.com Apple1.sub.domain.com is a hostname Try DNS Prediction (apple1) onalldomains Try Google Sets(apple1) onalldomains

96. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 11) Resolve IP Address 12) GetCertificate in https://IP 13) Searchfordomainnames in it 14) Get HTTP Banner of http://IP 15) Use Bing Ip:IPtofindalldomainssharingit 16) Repeatforevery new domain 17) Connecttotheinternal NS (1 orall) 18) Perform a PTR Scansearchingforinternal servers 19) Forevery new IP discovered try Bing IP recursively 20) ~chema-> chemaisprobably a user

97. Network DiscoveryAlgorithm http://apple1.sub.domain.com/~chema/dir/fil.doc 21) / , /~chema/ and /~chema/dir/ are paths 22) Try directorylisting in allthepaths 23) Searchfor PUT, DELETE, TRACE methods in everypath 24) Fingerprint software from 404 error messages 25) Fingerprint software fromapplication error messages 26) Try commonnamesonalldomains (dictionary) 27) Try Zone Transfer onall NS 28) Searchforany URL indexedby web enginesrelatedtothehostname 29) Downloadthe file 30) Extractthemetadata, hiddeninfo and lost data 31) Sortallthisinformationand presentitnicely 32) Forevery new IP/URL startoveragain

99. PC/Servers view

100. How Foca found a data

101. Role Oriented View

102. Vulnerabilites View

103. DNS Version.bind

104. Primary Master

105. Demo: fbi.gov whitehouse.gov

106. CustomizableSearch

107. FOCA + Spidering

108. FOCA + Spidering

109. Demo : Foca + Spidering

110. Internal PTR Scanningusing FOCA

111. Internal PTR Scanning

112. FingerprintingOptions 404 NotFoundmessages Domainnames and software Aspx Error Messages HTTP Banner Hostname IP Addres SMTP Banner Digital Certificates Shodan

113. Digital Certificates

114. FOCA 2.5 & Shodan

115. FOCA 2.5 URL Analysis

116. .listing

117. Unsecure Http Methods

118. Search & Upload

119. Searchingfor Server-Side Technologies

120. Proxy

121. Fuzzingoptions

122. Backupdiscovery

123. PlayingwithURLs

124. DNS Cache Snooping

125. DNS Cache Snooping

126. DNS Cache Snooping Internal Software Windows Update Gtalk Evilgrade Detecting vulnerable software toEvilgradeattacks AV evassion Detectinginternal AV systems Malware drivenby URL Hacking a web siteussuallyvisitedbyinternalusers

127. DNS Cache detection

128. Demo: DNS Cache Snooping

129. Log filter

130. FOCA Reporting Module

131. FOCA Reporting Module

132. Demo: Log & Reporting

133. FearThe FOCA

134. FOCA Online http://www.informatica64.com/FOCA

136. IIS MetaShield Protector http://www.metashieldprotector.com

137. Buy a FOCA T-Shirt And be «Sexy» }:))

139. chema@informatica64.com

140. http://www.informatica64.com

141. http://www.elladodelmal.com

142. http://twitter.com/chemaalonso

143. http://www.forefront-es.com

144. http://www.seguridadapple.com

145. http://www.windowstecnico.com

146. http://www.puntocompartido.com

147. Workingon FOCA:

148. Chema Alonso

149. Alejandro Martín

150. Francisco Oca

151. Manuel Fernández «The Sur»

152. Daniel Romero

153. Enrique Rando

154. Pedro Laguna

155. SpecialThanksto: John Matherly [Shodan]