FOCA: Target Information Gathering with Metadata

FOCA-200-175Metadata is an interesting and often unrealized problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat. Its impact is often misunderstood both from the publicity and security standpoint. On one hand, metadata provides the necessary data to help organize documents in enterprise document management systems. At the same time, if left in documents sent to others, it provides an unnecessary amount of extra information that could embarrass an organization or be used by an attacker to pull off a more targeted attack.


I’ve been testing FOCA for the past few weeks and find it very useful because you are able to see much more information and gather intelligence about a target you’re trying to exploit so I thought I’d share on how this program works. FOCA Free 3.2 is a tool for performing fingerprinting processes and information gathering in web audit work. The free version performs searches of servers, domains, URLs and documents published, and the discovery of software versions on servers and clients. In other words, it finds documents floating around a webserver and extracts useful metadata that hackers can use for information purposes. FOCA became famous for metadata extraction on public documents, but today it is much more than that.

Did you know every time you create a document such as PowerPoint Presentation, Microsoft Word Document, or PDFs, metadata is left in the document?

What is metadata?

FOCA-02metadata is data about data. It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected. metadata can be useful to attackers because it contains useful information about the system where the file was created such as —–>

New in version 3.2:

  • Detection and processing of files “.svn / entries”
  • Directios List Processing
  • Processing. Listing
  • Robots.txt Processing
  • “Juicy files” or files juicy / interesting
  • Support for plugins
  • Improved metadata analysis
  • Search for “multiple choices”
  • The project files are compressed
  • Improved Detection proxies
  • Minor fixes

FOCA is a security audit tool that will examine metadata from domains. It uses search engines to find files on domains, or you can use your own local files.


The first step to use FOCA is to download it.

  1. FOCA can be downloaded at it’s publisher’s website: Informatica 64 (If you are using Chrome, it will ask you to Translate!)
  2. You will need to give an email address at the bottom of the screen. You will receive an email with the download link. You will also receive updates on when FOCA is updated.
    -Virus Scan-
    Here is a Virus Scan for the FOCA file

►Using FOCA:

  1. FOCA is a Windows only tool. When you install FOCA, you may be asked to install .NET Framework or other dependancies.
  2. We will be using FOCA 3.2 for this demo.
  3. The first thing after launching FOCA is to create a New Project.
  4. I personally like to keep all my project files in one place. I will create a new folder for each project.
  5. Once you name your project and decide where you want to store the project files, click on the Create button.
  6. Save your project file.
  7. Hit the Search All button and FOCA will use search engines to scan for documents. Optionally you can use local documents as well.
  8. Right-click on the file and select Download All
  9. Right-click on the file and select Extract metadata.
  10. Right-click and Select Analyze metadata.
  11. In this example you can see from the metadata of 2 users opened this document.
  12. You can also determine from the metadata that Microsoft Office for the Mac and Adobe Photoshop were used to create this document.

In many cases, attackers will be able to see much more information and gather intelligence about a target, the network, usernames, etc… by using this tool.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *