I personally use exiftool to extract EXIF (Exchangeable Image File) data from files, including Microsoft Office files such as .doc, .xls, and .ppt. As you know, the newer versions of Microsoft Office use new file extensions: .docx, .pptx, and .xlsx. The version of exiftool on Backtrack Linux doesn't extract EXIF data from the latest MS Office file formats; however, you can easily download the latest exiftool for use on Backtrack Linux 5. Use the information below to download the latest exiftool on Backtrack, install a necessary Perl library, and then start extracting EXIF data from the newer Microsoft Office file formats.
The current version of exiftool installed on Backtrack 5 R3 is 7.89 (shown in the example output below); however, the latest version of exiftool that functions without issue on Backtrack Linux is 9.12. If you attempt to extract EXIF data from DOCX, PPTX, or XLSX files with the version of exiftool currently on Backtrack, the extracted data will be incorrect, for example the File Type is reported as ZIP.
exiftool Version On Backtrack Linux:
- root@bt:~# exiftool -ver
- 7.89
- root@bt:~#
The current version of exiftool on Backtrack is available not only in /pentest/misc/exiftool but is also installed to /usr/bin/exiftool. When I install updated versions of exiftool on Backtrack Linux I typically back up the two locations mentioned, extract the new version to /pentest/misc/exiftool, and create a symbolic link from /usr/local/bin/exiftool (where the new exiftool Perl script gets installed) to /usr/bin/exiftool, so whichever location I run it from I get the latest version.
Download Latest Version Of exiftool From The exiftool Site & Extract:
- root@bt:/pentest/misc/exiftool# cd /usr/local/src/
- root@bt:/usr/local/src# ls
- 5100-3.dump pd_v1.1_lnx ruby-1.9.2-p290 ruby-1.9.2-p290.tar.gz snort test123 wkhtmltopdf-0.10.0_rc2-static-i386.tar wkhtmltopdf-i386
- root@bt:/usr/local/src# wget ^C
- root@bt:/usr/local/src# cd ~
- root@bt:~# cd /usr/local/src/
- root@bt:/usr/local/src#
- root@bt:/usr/local/src# wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.12.tar.gz
- --2013-01-05 10:43:58-- http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.12.tar.gz
- Resolving www.sno.phy.queensu.ca... 130.15.24.27
- Connecting to www.sno.phy.queensu.ca|130.15.24.27|:80... connected.
- HTTP request sent, awaiting response... 200 OK
- Length: 3492394 (3.3M) [application/x-gzip]
- Saving to: `Image-ExifTool-9.12.tar.gz'
- 100%[==============================================================================================================================================================================>] 3,492,394 997K/s in 3.7s
- 2013-01-05 10:44:02 (927 KB/s) - `Image-ExifTool-9.12.tar.gz' saved [3492394/3492394]
- root@bt:/usr/local/src# tar -zxf Image-ExifTool-9.12.tar.gz
- root@bt:/usr/local/src#
In the output above we first change directory into /usr/local/src, which is where I typically download files, packages, etc.; we then grab the latest exiftool package and extract the files from the gzip'd tar archive. You will now have a new folder in /usr/local/src/ called Image-ExifTool-9.12 or similar, depending on the version you downloaded. At this point you can cd into the Image-ExifTool-9.12 directory and begin using the latest version of exiftool immediately. However, to make sure you don't get the default version of exiftool installed on Backtrack and this newest version mixed up, you may want to back up the current versions of exiftool by moving them out of their current locations, mv the Image-ExifTool-9.12 folder from /usr/local/src to /pentest/misc/exiftool, install exiftool according to the instructions in the exiftool README file, and then create a symbolic link from /usr/local/bin/exiftool to /usr/bin/exiftool. I like installing the new version in the default install location and using a symbolic link to point the old location (which you moved when backing it up) at the new version, just so there is no confusion in the future regarding versions. The commands to back up the current versions of exiftool and install the new version are noted below.
Backup exiftool On Backtrack & Install New exiftool Version:
- root@bt:~# mv /pentest/misc/exiftool /pentest/misc/exiftool.orig
- root@bt:~# mv /usr/local/src/Image-ExifTool-9.12 /pentest/misc/exiftool
- root@bt:~# mv /usr/bin/exiftool /usr/bin/exiftool.orig
- root@bt:~# cd /pentest/misc/exiftool
- root@bt:/pentest/misc/exiftool# perl Makefile.PL
- root@bt:/pentest/misc/exiftool# make
- root@bt:/pentest/misc/exiftool# make install
- root@bt:/pentest/misc/exiftool# ln -s /usr/local/bin/exiftool /usr/bin/exiftool
- root@bt:/pentest/misc/exiftool# exiftool -ver
- 9.12
- root@bt:/pentest/misc/exiftool#
After successfully installing the latest exiftool on Backtrack Linux we have one more task to complete before we can extract EXIF data from docx, pptx, and xlsx files. The Perl Archive::Zip module is required to extract EXIF data from the latest Microsoft Office file types and can be installed on Backtrack Linux using the command reference below.
Install Perl Archive::Zip Module On Backtrack Linux:
- root@bt:~/microsoft# apt-get install libarchive-zip-perl
- Reading package lists... Done
- Building dependency tree
- Reading state information... Done
- The following NEW packages will be installed:
- libarchive-zip-perl
- 0 upgraded, 1 newly installed, 0 to remove and 5 not upgraded.
- Need to get 95.9kB of archives.
- After this operation, 393kB of additional disk space will be used.
- Get:1 http://all.repository.backtrack-linux.org/ revolution/main libarchive-zip-perl 1.30-2 [95.9kB]
- Fetched 95.9kB in 0s (249kB/s)
- Selecting previously deselected package libarchive-zip-perl.
- (Reading database ... 241724 files and directories currently installed.)
- Unpacking libarchive-zip-perl (from .../libarchive-zip-perl_1.30-2_all.deb) ...
- Processing triggers for man-db ...
- Setting up libarchive-zip-perl (1.30-2) ...
- root@bt:~/microsoft#
Once the Archive::Zip module has been installed you can use exiftool to extract data from the latest MS Office file types. Below we show EXIF data extracted from an XLSX file using the old version of exiftool installed on Backtrack by default, followed by EXIF data extracted using the new version of exiftool we installed.
EXIF Data Extracted From XLSX Using exiftool Version 7.89 On Backtrack Linux:
- root@bt:~# exiftool Points.xlsx
- ExifTool Version Number : 7.89
- File Name : Points.xlsx
- Directory : .
- File Size : 12 kB
- File Modification Date/Time : 2013:01:05 10:02:54-05:00
- File Type : ZIP
- MIME Type : application/zip
- Zip Version : 20
- Bit Flag : 6
- Compression : Deflated
- Modify Date : 1980:01:01 00:00:00
- CRC : 0x51964269
- Compressed Size : 409
- Uncompressed Size : 809
- File Name Length : 16
- Extra Field Length : 264
- Archived File Name : docProps/app.xml
- root@bt:~#
EXIF Data Extracted From XLSX Using exiftool Version 9.12 On Backtrack Linux:
- root@bt:~# exiftool Points.xlsx
- ExifTool Version Number : 9.12
- File Name : Points.xlsx
- Directory : .
- File Size : 12 kB
- File Modification Date/Time : 2013:01:05 10:02:54-05:00
- File Access Date/Time : 2013:01:05 10:03:08-05:00
- File Inode Change Date/Time : 2013:01:05 10:02:59-05:00
- File Permissions : rw-r--r--
- File Type : XLSX
- MIME Type : application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
- Zip Required Version : 20
- Zip Bit Flag : 0x0006
- Zip Compression : Deflated
- Zip Modify Date : 1980:01:01 00:00:00
- Zip CRC : 0x061f50aa
- Zip Compressed Size : 389
- Zip Uncompressed Size : 1412
- Zip File Name : [Content_Types].xml
- Creator : Matt Vogelpohl
- Last Modified By : Matt Vogelpohl
- Last Printed : 2009:10:14 19:24:45Z
- Create Date : 2009:09:04 13:14:23Z
- Modify Date : 2009:10:14 20:45:20Z
- Application : Microsoft Excel
- Doc Security : None
- Scale Crop : No
- Heading Pairs : Worksheets, 1
- Titles Of Parts : Sheet1
- Company : University of Louisville
- Links Up To Date : No
- Shared Doc : No
- Hyperlinks Changed : No
- App Version : 12.0000
- root@bt:~#
Notice the differences between the two exiftool outputs above: not only does the older exiftool version provide less information, it also provides incorrect information (the file type is reported as ZIP). EXIF data can provide tons of information regarding targets, so in a future article we will discuss obtaining these types of documents from specific target domains using other Backtrack Linux tools such as goofile or metagoofil.
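The fields in the 9.12 output above (Creator, Last Modified By, Company, Application, and the XLSX file type) come from the docProps/core.xml, docProps/app.xml and [Content_Types].xml parts inside the OOXML zip container, which is why Archive::Zip is needed and why the old version only saw a ZIP. The following Python example is added here and is not code from the post or from exiftool; it reads those parts from a constructed in-memory workbook (the author, company and date values are made up) and is the kind of check you would run on documents before publishing them to see what they give away.

```python
import io, zipfile
import xml.etree.ElementTree as ET

NS = {  # XML namespaces of the OOXML parts that carry document properties
    "ct": "http://schemas.openxmlformats.org/package/2006/content-types",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
MAIN_PART = {  # main-part content type declared in [Content_Types].xml -> Office file type
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml": "XLSX",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": "DOCX",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml": "PPTX",
}
FIELDS = [  # (zip member, field name, element path) for properties exiftool 9.12 reported above
    ("docProps/core.xml", "Creator", "dc:creator"),
    ("docProps/core.xml", "LastModifiedBy", "cp:lastModifiedBy"),
    ("docProps/core.xml", "ModifyDate", "dcterms:modified"),
    ("docProps/app.xml", "Application", "ep:Application"),
    ("docProps/app.xml", "Company", "ep:Company"),
]

def ooxml_metadata(data: bytes) -> dict:
    """Read file type and document properties from an OOXML (docx/xlsx/pptx) zip held in memory."""
    meta = {"FileType": "ZIP"}  # what a tool reports if it never looks inside the archive
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: ET.fromstring(z.read(n)) for n in z.namelist()
                 if n == "[Content_Types].xml" or (n.startswith("docProps/") and n.endswith(".xml"))}
    if "[Content_Types].xml" in parts:
        for ov in parts["[Content_Types].xml"].findall("ct:Override", NS):
            meta["FileType"] = MAIN_PART.get(ov.get("ContentType"), meta["FileType"])
    for part, key, path in FIELDS:
        el = parts[part].find(path, NS) if part in parts else None
        if el is not None and el.text:
            meta[key] = el.text
    return meta

def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook (not the post's Points.xlsx) containing the parts read above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{NS["ct"]}"><Override PartName="/xl/workbook.xml" '
                   f'ContentType="{list(MAIN_PART)[0]}"/></Types>')
        z.writestr("docProps/core.xml", f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
                   f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>Example Author</dc:creator><cp:lastModifiedBy>'
                   'Example Author</cp:lastModifiedBy><dcterms:modified>2009-10-14T20:45:20Z</dcterms:modified></cp:coreProperties>')
        z.writestr("docProps/app.xml", f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Excel'
                   '</Application><Company>Example Corp</Company></Properties>')
    return buf.getvalue()
```

Calling ooxml_metadata(build_sample_xlsx()) returns FileType XLSX together with the creator, last-modified-by, modify date, application and company fields; pass the bytes of a real .docx, .xlsx or .pptx instead to review what it carries.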