Cybersecurity continues to evolve, and with it, the tools that allow us to effectively protect and audit systems. One of the most well-known in security audit environments is FOCA, a solution oriented to the analysis and extraction of metadata in digital files.
Despite having been on the radar of professionals for over a decade, it continues to surprise with what it's capable of, especially when it comes to extracting sensitive information from seemingly innocuous documents.
But what's so special about FOCA? Beyond being a simple metadata extraction tool, it has become a complete target reconnaissance suite for security audits. Its ability to analyze documents from the web or locally, its integration with several search engines, and its intuitive interface make it an essential solution.
What is FOCA and why is it so widely used?
FOCA is the acronym for Fingerprinting Organizations with Collected Archives. It is an open source tool designed to extract and analyze the metadata present in a wide variety of digital files. It was initially developed by Informática 64 (now ElevenPaths, part of Telefónica) and has been used for over a decade in auditing, forensic analysis, and penetration testing environments.
Its essential function is to collect public files, mainly from web pages, and extract the information hidden in them. This information may seem harmless, but it often reveals system users, internal configurations, software versions, and even network paths. All of it represents a potential entry point for an attacker.
What began as a utility limited to office file metadata has since evolved into a versatile tool for the remote fingerprinting of organizational structures.
Main features of FOCA
What makes FOCA stand out from other similar solutions is its ability to automate complex information gathering tasks. Below are the most important features this tool offers:
- Scanning public documents on the web: Uses search engines like Google, Bing, and DuckDuckGo to locate files associated with a specific domain.
- Deep metadata extraction: Detects embedded information in files such as Microsoft Office, Open Office, PDF, PS, EPS, SVG, images, and more.
- Identification of sensitive data: User names, versions of the software used, source operating system, absolute paths, printers used or internal servers.
- Network mapping: Allows you to find subdomains, perform DNS zone transfers, and create an organizational map of the target infrastructure.
- IP and domain discovery: Through techniques such as PTR scanning, reverse IP lookup, DNS dictionary attacks and the use of well-known DNS records.
FOCA not only serves as a metadata extractor, but also allows you to apply OSINT techniques (Open Source Intelligence) through its search capabilities and integration with APIs such as Shodan.
FOCA use cases in cybersecurity
The main use of FOCA is during the initial phases of a security analysis or pentesting. This process is called footprinting, and its objective is to obtain as much information as possible about a target without directly interacting with it.
For example, by analyzing documents posted on a company's website, FOCA can extract:
- The name of the person who created or edited the document.
- Dates it was modified and printed.
- Software used (Word 2016, Adobe Acrobat Pro, etc.).
- Printers, absolute paths, operating systems, etc.
With all this data, you can infer the technological environment of the organization, its equipment, software, and even its internal structure. All of this without having to send a single packet to its servers, which makes FOCA especially effective for pentesters and digital forensic analysts.
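An organization can run the same kind of check on its own files before publishing them. The following is an added example, not FOCA's code: it reads the property parts of an OOXML file (.docx, .xlsx, .pptx) and reports the fields listed above; the function names and sample values are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Property parts and the fields the article lists (author, dates, software).
FIELDS = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy",
                          "dcterms:modified", "cp:lastPrinted"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company"],
}

def ooxml_metadata(data: bytes) -> dict:
    """Return identifying properties found in a .docx/.xlsx/.pptx file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part, tags in FIELDS.items():
            if part not in pkg.namelist():
                continue  # both property parts are optional
            root = ET.fromstring(pkg.read(part))
            for tag in tags:
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    found[tag.split(":")[1]] = el.text.strip()
    return found

def make_package(core_body: str, app_body: str) -> bytes:
    """Build a constructed, minimal package holding only the property parts."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml",
                     f"<cp:coreProperties {xmlns}>{core_body}</cp:coreProperties>")
        pkg.writestr("docProps/app.xml",
                     f"<ep:Properties {xmlns}>{app_body}</ep:Properties>")
    return buf.getvalue()

# Constructed sample values, not taken from any real document.
LEAKY = make_package(
    "<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>asmith</cp:lastModifiedBy>"
    "<cp:lastPrinted>2020-01-15T09:30:00Z</cp:lastPrinted>",
    "<ep:Application>Microsoft Office Word</ep:Application>"
    "<ep:AppVersion>16.0000</ep:AppVersion>")
SCRUBBED = make_package("<dc:creator></dc:creator>", "")
```

To check a real file, call `ooxml_metadata(open(path, "rb").read())`; an empty result means none of these properties are set in the package.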
How FOCA works step by step
Working with FOCA is relatively simple, even though the tool is in English. There are two ways to work with it: with local files on your own computer or with public files located on the Internet. Both methods are summarized below:
1. Analysis of local files
With the tool open, simply go to the “Metadata” section, right-click and select “Add file” (or “Add folder” if you want to analyze an entire folder). You can also drag and drop documents directly.
Once the files are loaded, select them, right-click and choose “Extract Metadata”. FOCA will display all the metadata it finds, organized by file.
2. Online file analysis
This is the most powerful procedure. You should start by creating a new project, indicating the project's name, web domain to be analyzed, and optionally a destination folder for the downloaded documents.
Once configured, FOCA will search for files using Google, Bing, and/or DuckDuckGo, and also allows you to filter by file type (PDF, DOCX, XLSX, etc.). Once documents are located, they can be downloaded and their metadata extracted, just like local files.
Technical requirements to use FOCA
FOCA is designed to run on Windows (versions 7 and later, 64-bit) and requires some additional components:
- .NET Framework 4.7.1 or higher.
- Visual C++ Redistributable 2010 x64 or later.
- SQL Server 2014 or higher, since FOCA uses a database to store project data.
During installation, if an available instance of SQL Server is not detected, the user will be prompted to enter a connection string manually.
Thanks to the refactoring work carried out by the ElevenPaths team, FOCA is now more stable and efficient, even allowing multi-threaded operations with a task queue optimized for large volumes of data.
Over the years, FOCA has established itself as one of the most versatile and powerful tools in the field of metadata analysis and public information collection. Its ability to extract vital data from open sources without direct intervention makes it a key component of any digital forensic audit or analysis.