Metadata Analysis with FOCA

February 06, 2023

FOCA stands for Fingerprinting Organizations with Collected Archives. It is a Spanish tool developed by the ElevenPaths team (which has since digievolved into Telefónica Tech). It was very popular years ago and still is, since it makes it very simple to analyze the metadata of files that you give it, or to obtain the files hosted on a website and then analyze their metadata.

FaaST stands for Foca As A Service at Telefónica Tech but, make no mistake, FaaST operates as a web vulnerability scanner oriented to a persistent pentesting process. That is quite a change of paradigm from FOCA which, as we said, is a fingerprinting tool for metadata analysis. In this article we are going to look at the use of FOCA, not FaaST.

How to install FOCA on Windows

The installation of this tool can be a bit complicated for users who have only ever installed programs under the philosophy of "next, next, next, install". That is mostly how it goes here too, but we will need to perform some additional steps so that the tool can work properly on the system.

The first thing to do is to go to the official GitHub repo of the tool and, once there, go to the releases.

At this point, we are going to download the first compressed FOCA file of the most recent release.

With the downloaded file, we unzip it and we will obtain the following files, among which we will be able to see the executable of the tool.

If we try to run the binary, we will see this window pop up, telling us that FOCA needs a SQL database and asking us to set up the connection first and then run the tool.

How to configure SQL Server for FOCA

This is the step where most people who try to use FOCA get stuck, and it really is super easy to solve. First you have to download Microsoft's DBMS, Microsoft SQL Server. For this example, we will download the 2017 Express edition and install it, selecting the "Basic" installation type.

We accept the license terms.

Select the path and click on install.

Depending on your contracted internet speed, the hardware resources you have in your computer and if your computer likes you, the installation will take less or more time. Once installed, you will see something similar to this.

With this done, you just re-run the FOCA binary and that’s it, magic.

How to analyze Metadata with FOCA

Once the tool is ready to be used, we can do two main things with it: analyze the metadata of files that we give it, or have it analyze the metadata of a target that we indicate. In the latter case, FOCA uses search engine dorks on Google, Bing and DuckDuckGo to find indexed files belonging to the target and then analyze their metadata.

We will see both procedures, starting with the most classic one: uploading a file and analyzing its metadata. For this, we upload any file.

When we have the file inside the tool, we right-click it and see multiple options, among them one to extract the metadata. We click it and, in the menu on the left side, we get the fields that show whether or not this file contains metadata.

When extracting the metadata, we see that in this case it only found two metadata entries, both associated with the software with which the file was created or edited. For this example we manually modified the metadata, but you should know that this field could show software such as any of the Adobe suite, Word and so on.

We fill in the requested data and create it.

Once created, we must select the search engines to search with (pardon the redundancy) and also select the file extensions that we want to be taken into account in the results. For this example, we will mark everything.

When we start the search, we will see the following files found.

We can extract the metadata of these files, but first we must download them to our device. Here, for your safety, unless you work in cyberintelligence and/or do this in an isolated environment, I do not recommend downloading what you see, because a PDF may contain malware, so remember to prioritize the security of your information.

But in this example, since Messi is a buddy, we are going to download all the PDFs.

Next, we extract all the metadata.

And we will be able to see the metadata, including, for example, software metadata.

To conclude this article, you should keep one thing in mind: this whole process is completely legal, since you are starting from public information that is accessible to everyone. Still, the most important thing in cybersecurity is to take care of the security of your information as well as that of others, so always prioritize doing good and helping others to protect themselves.
