5 research outputs found

    Fingerprinting a Organization Using Metadata of Public Documents

    Many companies and institutions use the Internet for their business activities to make information about the products and services they offer more accessible. Often these companies and institutions share electronic documents on their websites (for example tables with statistical data, manuals, examples and tutorials, articles, forms and other documents) that are considered necessary to share. Documents that are freely available on websites to all Internet users may contain metadata. Metadata is data that describes other data; that is, metadata describes the content of a document and the document's general properties. Metadata includes, for example, the username of the person who created, saved, printed or edited the document, as well as timestamps of when those actions were performed. In addition, documents may contain information about the computers and information systems where the document was processed. Metadata is added to documents mostly automatically, and if the metadata has not been removed from a document, sensitive information about the user and the institution may end up in the document's metadata. Many users do not know that documents contain metadata and are not aware that they may potentially leak information about the institution or the systems where the document was processed. This information can be used for conducting cyber attacks or for mapping the institution. This master's thesis examines the metadata of documents that are accessible on the websites of Estonian state institutions and freely available to all Internet users. More specifically, the metadata of documents on the websites of three state institutions was examined to find out whether the information contained in it can be used for mapping the institution and carrying out possible cyber attacks. To accomplish this, a method consisting of two stages was used. The first stage consisted of developing methods for mapping institutions using only document metadata. The second stage described the analysis of, and conclusions from, the results obtained by applying the method developed in the first stage. The results of the analysis showed that almost all documents contain metadata that can be exploited in one way or another for mapping the institution or conducting cyber attacks. In the thesis we analysed a total of 2643 documents, of which 12 had their metadata removed. The remaining documents contained pieces of information that describe the environment where the documents were processed and contained information that can be used for conducting cyber attacks. The thesis is written in English and contains 77 pages of text, 6 chapters, 41 figures and 26 tables.

    Many companies and organizations use the Internet for their business activities to make information about their products and services more available for customers. Often those organizations and companies share electronic documents on their websites, such as manuals, whitepapers, guidelines, templates, and other documents which are considered important to share. Documents which are uploaded on organizations' websites can contain extra information, such as metadata. Metadata is defined as data which describes other data. Metadata associated with documents can contain information about names of authors, creators' information, documents' general properties, the name of the server, or the path where the document was modified. Metadata is added into documents mainly by an automated process when a document is created, and if a document's metadata is not properly removed before sharing, it could contain sensitive information. Usually people are not aware of the existence of metadata in documents and could unwillingly leak information about their organization or about themselves. This information can be used as a basis for fingerprinting or for conducting cyber attacks. In this thesis paper, the metadata of electronic documents which are shared on Estonian governmental organizations' websites was analyzed. 
More specifically, three institutions' public documents' metadata were observed in order to identify metadata vulnerabilities that can be used for fingerprinting purposes. To achieve that, a fingerprinting method was developed and utilized against the observed websites. This thesis is divided into two different stages, where the first stage describes the developed fingerprinting method, and the second stage presents the outcomes of metadata analysis with the developed method. The results of the conducted research showed that almost all documents which were analyzed contained information which could be used for fingerprinting purposes. We processed 2643 documents, where only 12 documents had metadata properly removed. All other documents contained pieces of information that describe the environment where the document was created and additionally exposed information that could be used for conducting cyber-attacks.

    Forensic analysis of office open XML spreadsheets

    Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Systems Security (MSc.ISS) at Strathmore University. Digital Forensics is the science of acquiring, preserving, analysing and presenting digital evidence from computers, digital devices and networks in a manner that is admissible in a court of law to support an investigation. Microsoft Office, LibreOffice, OpenOffice, NeoOffice and Google documents, spreadsheets and presentations are widely used to store and circulate data and information, especially within organisations. They are often rich in information deeply embedded in them that can be retrieved by examining metadata or deleted material still present in the files. OOXML is a standard developed by Microsoft and registered by ECMA (as ECMA-376), and approved by the ISO and IEC (as ISO/IEC 29500:2008) as an open standard for the development of Office documents, spreadsheets and presentations. Documents, spreadsheets and presentations created using this standard consist of zipped file containers, parts and relationships which upon extraction and analysis reveal forensically interesting information. Existing forensic tools have limitations as far as extracting and analysing OOXML spreadsheet metadata is concerned, in that most of them can extract only limited and basic metadata. The objective of this research is to carry out forensic analysis of metadata in OOXML spreadsheets by studying limitations of existing forensic tools in extracting and analysing metadata in OOXML spreadsheets and designing and developing a Proof of Concept (PoC) implementation of a forensic tool that supports automated forensic analysis of OOXML spreadsheets with improved visualization, efficiency and advanced reporting functionality. 
This research adopts a methodology to review OOXML spreadsheet metadata extraction and analysis capabilities of existing forensic tools using sample spreadsheet datasets, carry out system analysis, design and PoC implementation of a forensic tool. In addition, the research carries out manual, functional, and security tests; quality assurance; and validation of the developed Proof of Concept implementation. The developed tool is able to extract and analyse relevant metadata from OOXML spreadsheets and present results in a forensic report

    OOXML File Analysis of the July 22nd Terrorist Manual

    Part 3: Extended Abstracts. International audience. We examine the terrorist manual circulated on the day of the attacks in Oslo and on Utøya island on July 22nd 2011 to find out if the OOXML structure is consistent with claims by the suspect apprehended for the terrorist act, and to determine if there have been additional authors.