FOCA: How to use this tool to analyze and extract metadata

Did you know that when you share a file online, you could be unwittingly revealing sensitive information? Metadata, those tiny details hidden within documents, images, or PDFs, can reveal much more than you might imagine. Usernames, software versions, folder paths, and even geographic coordinates are just a few examples of what's revealed.

In this article we are going to delve into how FOCA works, a free and effective tool that allows you to analyze and extract metadata from both local and public files on the Internet. And best of all, we'll walk you through it step by step so you fully understand how to use it, what it's for, and how it can help you protect your information.

What is FOCA and what is it used for?

FOCA (Fingerprinting Organizations with Collected Archives) is an open source software created by ElevenPaths, the unit of ciberseguridad from Telefónica. FOCA's main functionality consists of in locating and extracting metadata from office files and imagesThis tool is widely used in both security audits and digital forensics.

FOCA can analyze all types of files: documents Become, Excel, PowerPoint, PDFs, images in different formats and even SVG files. This allows for the extraction of valuable information that could be used in research or penetration testing (pentesting). If you're interested, you can learn more about how metadata works in other contexts at the best way to discover GPS coordinates.

Extracted metadata may include:

• System usernames.
• Directory and folder paths.
• Software with which the document was created.
• Creation, modification and printing dates.
• Geolocation data in images.
• Emails and server names.
• Printer names and associated IPs.

In addition, FOCA allows analysis of files hosted on web domains, which makes it an even more powerful tool. It performs automatic searches using engines such as Google or Bing to locate public files, download them, and analyze them. This capability is crucial for cybersecurity, and you can learn more about this topic at Differences between HDR and DCR.

Why is metadata analysis so important?

Metadata can be an unintentional source of information leakage.Although they're invisible to the naked eye, they can contain confidential data that reveals much more than we want to share. For example, a simple photo uploaded with GPS enabled can show the exact location where it was taken. A Word document could reveal who wrote it, when, and on what computer.

In the world of cybersecurity, this information is gold.. It allows for data collection tasks (fingerprinting), which are the first step in identifying vulnerabilities in a company or individual. Therefore, it is essential to audit files before publishing them using tools like FOCA. There are other methods and tools that complement this analysis, such as those described in the Bluesky app.

One of the most high-profile cases was that of former British Prime Minister Tony Blair, whose team published a Word document on weapons of mass destruction in Iraq. Metadata revealed that the document had been copied and modified from another source, severely damaging its credibility.

FOCA makes it easy and quick to work with local files already on your computer. The process is intuitive and doesn't require advanced technical knowledge.

Step 1: Run FOCA and select “Metadata”This option is the heart of the tool and is where all analysis begins.

Step 2: Add files or folders. You can use the option Add File if you want to analyze a single file or add Folder for an entire folder. You can also drag files directly into the panel.

Step 3: Extract the metadata. Once uploaded, right click on the file and select Extract MetadataThe results will appear organized in the left panel under the “Metadata” section.

Step 4: Analyze resultsWhen you click on any file, you'll see a complete summary in the right panel with all the metadata found, from the author's name to the software used.

Step 5 (optional): Export data. If you need to save this information, you can right-click on “Metadata” and select “Export.” During this process, it is important to consider the security of the storage of data, as mentioned in Data risks in Telegram.

How to use FOCA to analyze web domains

One of the most advanced features of FOCA is that it allows extract metadata from public files hosted on web pagesThis is done by creating a project and letting FOCA do the heavy lifting for you.

Step 1: Create a new project. In the “Project” section, select New ProjectYou'll need to give your project a name and set the primary domain (for example, example.com). You can add alternative domains if you want to expand your search.

Step 2: Define storage folderFOCA allows you to automatically save all downloaded files. You can choose the desired location before starting the search.

Step 3: Choose search engines and file types. Check the search engines (Google, Bing) and select the file extensions you want to search for (PDF, DOCX, PPTX, etc.).

Step 4: Find and download files. Click “Search All” and FOCA will search the web for the files. Once identified, select the ones you want and right-click to open them. Download o Download All.

Step 5: Extract metadataOnce they're downloaded (marked with a green dot), right-click again and select "Extract Metadata." If you want a more detailed analysis, you can use the "Analyze Metadata" option. This can reveal extremely valuable data: logged-in users, computer names, edits made, software used, and even specific details of the network environment.

FOCA as a tool in cybersecurity and pentesting

FOCA is a perfect tool for preliminary work in penetration testing.It's used to map an organization's structure without having to directly access its systems. Using metadata, we can profile how a company works, what systems they use, and what weaknesses might exist.

In addition, FOCA allows:

• Discover subdomains and IP addresses.
• Perform DNS zone transfers.
• Mapping internal networks using PTR scanning.
• Detection of DNS cache and other records on servers.

These types of advanced features make it an essential tool in any cybersecurity analyst's arsenal. It's critical for those working in this field to stay up-to-date on tools like those covered in this article. Effective programs to repair files.

Is FOCA difficult to use?

Not at all. FOCA has a very user-friendly graphical interface., even for beginners in the world of cybersecurity. In its favor, there are numerous tutorials, videos, and specialized books that explain how it works step by step.

And while the software is primarily in English, its menus are very intuitive, so it's not a real barrier. Just understanding a few keywords (Extract, Metadata, Download, Analyze), you can now start taking advantage of it.

Preventive measures against metadata risks

Knowing the risks is half the job, acting is the other half.If you upload documents to the internet or work for a company that regularly publishes content, you should establish protocols to remove metadata before sharing documents. Tools like FOCA allow you to know what information is exposedIn addition, ElevenPaths also offers enterprise solutions such as Metashield Protector, a specialized paid tool for automatically removing or filtering metadata.

In legal, journalistic, or business contexts, properly removing metadata is essential to maintain confidentiality and avoid legal or reputational issues.

If you're serious about cybersecurity, FOCA is a must-have tool.And if you work in environments where sensitive information is handled, the logical step is to incorporate this type of analysis into your regular processes.

FOCA is not only accessible and powerful, but it can make the difference between an organization that protects its information and one that unwittingly exposes it. Learning how to use it will not only allow you to perform more secure audits, but will also open a career path to one of the most in-demand areas of cybersecurity today.