Today we are talking about something most people don\u2019t know or think much about, metadata<\/em> \u2014 information about a file rather than information shown in a file. Metadata can turn a normal digital document into compromising intel.<\/p>\n Let\u2019s start our deep dive with a bit of theory. American law defines three categories of metadata:<\/p>\n Here\u2019s a classic example of the troubles compromised metadata may bring: the UK government\u2019s 2003 report on Iraq\u2019s supposed weapons of mass destruction. The .doc version of the report included metadata on the authors (or, precisely, people who introduced the latest 10 edits). This information raised some flags about the quality, authenticity, and credibility of the report.<\/p>\n According to the BBC follow-up story<\/a>, as a result of noticing the original file\u2019s metadata, the government chose to use the .pdf version of the report instead, because it contained less metadata.<\/p>\n Another curious metadata-powered eye-opener involved a client of Venable, an American law firm, back in 2015<\/a>. Venable was contacted by a company whose vice president had recently resigned. Shortly after his exit, the firm lost a contract with a government organization to a competitor \u2014 a competitor working with the former VP.<\/p>\n The company accused its former VP of misuse of trade secrets, saying that\u2019s how he won the government contract. In their defense, the defendant and his new firm provided as evidence a similar commercial offer prepared for a foreign government. They claimed it was created for another client before<\/em> the contract pitch in the United States, and thus it did not violate the former VP\u2019s non-compete agreement with the plaintiff.<\/p>\n But the defendants failed to consider that metadata in their evidence contained a time stamp abnormality. System metadata showed that the file was last saved before it was last printed, which, as an expert affirmed, could not happen. The time stamp of the last print belongs to app metadata, and it is saved in the document only<\/em> when the file itself is saved. If a document is printed and is not saved afterwards, the new date of printing would not be saved to the metadata.<\/p>\n Another proof of document forgery was its date of creation on the corporate server. The document was created after the lawsuit was brought to court. Moreover, defendants were accused of tampering with the time stamp of the last edit in the .olm files (that extension is used for Microsoft Outlook for Mac files).<\/p>\n The metadata evidence was enough for the court to rule in favor of the plaintiffs, eventually awarding them $20 million and slapping the defendants with millions more in sanctions.<\/p>\n Microsoft Office files offer a rich tool set for collecting private data. For example, footnotes to text can include additional information not intended for public use. The built-in revision tracking in Word could also be of use for a spy. If you choose the \u201cShow final\u201d option (or \u201cNo markup,\u201d or similar, depending on your version of Word), tracked changes will disappear from the screen, yet they will remain in the files, waiting for some observant reader.<\/p>\n Also, there are notes to slides in Power Point presentations, hidden columns in Excel sheets, and more.<\/p>\n Ultimately, attempts to hide data without knowing how to do it properly tends not to work. A great example here is a court document<\/a> published on CBSLocal, referring to the case of United States vs. Rod Blagojevic, ex-governor of Illinois. This is a motion for the court to issue a trial subpoena to Barack Obama, dated 2010.<\/p>\n Some parts of text are hidden by black boxes. However, if you copy and paste a text block into any text editor, you can read the text in its entirety.<\/p>\n Black boxes in a PDF may be useful to hide information in print, but this measure can be easily bypassed in a digital format<\/p><\/div>\n Data from external files embedded in a document is a completely different story.<\/p>\n To show a real example, we searched through some documents on .gov websites, and picked the US Department of Education\u2019s tax report for the 2010 financial year to examine.<\/p>\n We downloaded the file and disabled read-only protection (which did not require a password). There is a seemingly normal graph on page 41. We selected \u201cChange data\u201d in the graph\u2019s context menu, eventually opening an embedded Microsoft Excel source file containing all source data.<\/p>\n Here is a report in a Word file, containing an Excel with an abundance of source data for this and some other<\/em> graphs<\/p><\/div>\n It should go without saying such embedded files might contain anything, including loads of private information; whoever published the document must have assumed that data was inaccessible.<\/p>\n The process of collecting metadata from a document belonging to an organization of interest may be automated with help of software such as ElevenPaths\u2019 FOCA (Fingerprinting Organizations with Collected Archives).<\/p>\n FOCA can find and download required document formats (for example, .docx and .pdf), analyze their metadata, and find out many things about the organization, such as the server-side software they use, usernames, and more.<\/p>\n We must insert a serious warning, here: Analyzing websites with such tools, even for the sake of research, might be taken very seriously by websites owners or even qualify as cybercrime.<\/p>\n Here are a couple of metadata peculiarities not all IT experts are familiar with. Take the NTFS file system used by Windows.<\/p>\n Fact 1<\/strong>. If you delete a file from a folder and immediately save a new file with the same name in the same folder, the date of creation will be the same as that of the file you deleted.<\/p>\n Fact 2<\/strong>. In addition to other metadata, NTFS keeps the date of the last access to the file. However, if you open the file and then check out the date stamp of last access in the file properties, the date remains the same.<\/p>\n You might think those oddities are just bugs, but they are in essence documented features. In the first case, we are talking about tunneling<\/a>, which is required to enable backward software compatibility. By default, this effect lasts for 15 seconds, during which the new file gets the creation time stamp associated with the previous file (you can change the interval in system settings or disable tunneling entirely in the registry). Actually, the default interval was sufficient for me to stumble across tunneling twice in a week just doing my job.<\/p>\n The second case is also documented: Starting with Windows 7, for the sake of performance Microsoft disabled automated time-stamping for the time of last access. You can enable this feature in the registry<\/a>. However, once it\u2019s enabled, you cannot reverse the process to correct the problem; the file system does not keep the correct date stamps (as proven by a low-level disk editor).<\/p>\n We hope computer forensics experts are aware of these peculiarities.<\/p>\n By the way, file metadata can be altered using default OS \/ native apps and special software. That means you can\u2019t rely on metadata as evidence in a court of law unless it\u2019s accompanied by things like mailing service and server logs.<\/p>\nDocument metadata<\/h2>\n
\n
A $20 million (doctored) file<\/h3>\n
Hidden files<\/h3>\n
![\"Black](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/03\/06020846\/office-docs-metadata-1.png\")
<\/a>Files inside of files<\/h3>\n
![\"Embedded](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/03\/06020845\/office-docs-metadata-2.png\")
<\/a>Harvesting metadata<\/h3>\n
Documented oddities<\/h3>\n
Metadata: Security<\/h2>\n