Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

FOCA: A New Recon Tool

with 3 comments

I recently got a text from a former co-worker saying that I should take a look at FOCA, a tool that I had not heard of before. The text said that this tool had a good deal of forensics potential in that it would search a group of documents and extract the metadata from them. My friend got it half right from what I have experienced so far.

The tool does indeed cull metadata, but, it is from directed web searches with engines like Google and Bing that it does so. This however is a fantastic thing! Even if you cannot just point it at a directory on a hard drive locally, this tool is a great resource for OSINT/RECON online. I decided to give it a try first on some Jihadist sites *post to follow* but then decided to use it against a “known domain” NYSE.com

The tool gives you a simple front end that allows you to search a domain/website and saves the whole process in a proprietary project based format. So, you can go looking for a specific domain and create a whole project to save all the collected data. The only flaw I have seen so far is that this tool does not output your search/project into any kind of use able report format.

The tool goes out to Google, begins searching for numerous filetypes such as .doc or .pdf. Once located, the URL’s show up in the tools window to show you if you do indeed have good hits. After the initial search, you can then download all of the documents for the next step of pulling the metadata. This is where it gets interesting…

Once the docs are downloaded, you can analyze the metadata and then FOCA gives you a series of pull downs that show you all of the user data that the docs offer up… And boy can it provide a plethora of data! From the NYSE searches I was able to not only see the user names, email addresses, software being used to create the documents, but also folders that they were stored in!

Then you can move on to more obscure searches using the metadata. FOCA has a feature to search those same engines that it just pulled the files from to go further and look into the domain structures, server names, users, printers, suffice to say it pretty much will map out a whole infrastructure for you using Google/Bing and the metadata you already have.

Now, depending on the security levels that the systems being searched against have, it is possible to cull quite a bit of intel on your target. So much data that in fact one could make a real network map as well as a full plan of attack on users, networks, file systems, etc.

It’s kinda scary really as you may be able to see from the pictures here….

All in all, this tool is quite the find. I would only like to ask the creator to allow for a local feature to just access metadata for files that have been downloaded already… But that’s for another post to follow on those whacky jihadist sites…

FOCA

CoB

3 Responses

Subscribe to comments with RSS.

  1. Nice. Going on the iPad via citrix. Should be fun. Thanks.

    Josh

    2010/05/20 at 03:37

  2. Hi,

    thanks for the article!!.. And if you want to extract metadata from local files, you just have to drag and drop the directory or file into FOCA or use the right button in panel documents. Doind this you can extract metadata even from picture files.

    Enjoy FOCA!

    Chema Alonso

    2010/05/20 at 06:49

  3. Nice write-up. Interesting tool.

    Spiders, crawlers and content parsers are a hacker’s best friend. Security personnel can use tools like this to find employee email addresses and documents that should not be posted online.

    Mister Reiner

    2010/05/23 at 02:10


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: