To locate security leaks, use this tool to reveal metadata in users’ files
I’d like to share a tool I stumbled across during my routine scanning of industry news: Pinpoint MetaViewer from Pinpoint Laboratories. MetaViewer shows you the additional data that's saved with Microsoft Office 2003 and earlier files—data that you or your users might not even know existed. Pinpoint Laboratories markets this free tool for forensic and legal experts as part of its more comprehensive forensics software solutions and services, but security and IT professionals will also find value in MetaViewer's niche features.
How MetaViewer Works
Loosely stated, metadata is supporting data that defines or augments the actual data. For example, in a Microsoft Office Word 2003 document, besides the data you actually type into the word processor, the application also embeds metadata in your document, such as the name of the author (entered when Word was installed), the date the document was created, when it was last saved, how many characters, words, and lines are in the document, and other data about the document. Metadata can be useful because it provides a place to store information about the document without affecting the document's look and feel. Forensics and legal professionals can retrieve the metadata of a document as part of the e-discovery process and use it as evidence in a legal case. Many of your users probably don’t even know that the metadata exists, which is where problems can arise, especially with sensitive documents that need to stay confidential.
MetaViewer is a very small program that displays the OLE metadata included in Office 2003 and earlier documents. The program also shows file system metadata, including a file's path and the dates when the file was created, last modified, and last accessed. In addition, MetaViewer shows the MD5, Secure Hash Algorithm (SHA)-1, and SHA-256 hash values of the file, the computationally derived fingerprints of a file that are often used to prove a file hasn’t been tampered with. (Essentially, you can compare the hash value of a file before and after an event or a period of time. Because a unique hash is derived from the exact content of the file, if any part of the file changes, the hash changes too. So if you calculate the hash of a file and recalculate it six months later and the two hashes are the same, you know the file hasn’t been altered.) Even a change made with another program, such as a hex editor or a specialized metadata editing tool, will invalidate the hash.
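The before-and-after comparison described above can be scripted. This is an added example, not code from the article or from Pinpoint Laboratories; the file name and contents are constructed. It also shows that the hashes cover the file's bytes (embedded metadata included) but not its file system timestamps.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # the three digests the article lists

def fingerprint(path, chunk_size=65536):
    """Return the three digests plus file system metadata for one file."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        # Read once and feed every hasher, so large files are not loaded whole.
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    st = os.stat(path)
    return {
        "hashes": {name: h.hexdigest() for name, h in hashers.items()},
        "size": st.st_size,
        "modified": st.st_mtime,
        "accessed": st.st_atime,
    }

def content_changed(baseline, current):
    """True if any digest differs, i.e. the file's bytes were altered."""
    return baseline["hashes"] != current["hashes"]

def demo():
    """Constructed sample: timestamp-only change vs. single-byte content change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.doc")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample document bytes")
        baseline = fingerprint(path)

        # Change only the file system timestamps: the digests stay the same.
        os.utime(path, (1_000_000_000, 1_000_000_000))
        touched = fingerprint(path)

        # Overwrite one byte in place, as a hex editor would: every digest changes.
        with open(path, "r+b") as fh:
            fh.write(b"C")
        edited = fingerprint(path)
    return baseline, touched, edited

if __name__ == "__main__":
    base, touched, edited = demo()
    print("timestamp-only change seen in hashes:", content_changed(base, touched))
    print("one-byte edit seen in hashes:", content_changed(base, edited))
```

Store the baseline record somewhere the file's editors cannot write to; a fingerprint kept beside the file can be replaced along with it.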
MetaViewer provides a simple interface to view this data and includes features to copy the metadata into another document for record keeping. Figure 1 shows the metadata of this article, which was saved in Word 2003 format. The buttons and checkboxes next to each of the fields let you copy the data into the clipboard. The program also works well with Explorer’s Send To feature, which makes analysis of a file quick.
In Windows Vista, you can create a shortcut to MetaViewer in C:\Users\[username]\AppData\Roaming\Microsoft\Windows\SendTo. Then browse files in Explorer and when you want to inspect a file, right-click it, select Send To, and then MetaViewer. MetaViewer will launch and show you the metadata of the targeted file.
MetaViewer only lets you view metadata. To change or strip metadata, you need the document’s parent application and, sometimes, an additional metadata-stripping application. For example, in Word, you can change the author, title, subject, keywords, category, and status of a document; however, even in Word you can’t change document status fields such as page count, word count, or Last Saved By; you need a metadata editor application to change those.
MetaViewer works with Office 2003 documents and earlier. Because Microsoft Office 2007 doesn't store metadata in the same way as the earlier Office versions, MetaViewer doesn't display any OLE metadata in those files. In fact, many other programs or file formats such as JPEG, MP3, and PDF include metadata in their own proprietary data formats and you need a viewer specifically for that program to view it. If you search the Internet for Microsoft Office metadata you’ll find other programs that can display or scrub metadata from a variety of file formats—some of which are free, some of which are not.
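Office 2007 files are ZIP packages that keep document properties in the XML parts docProps/core.xml and docProps/app.xml, which is why an OLE viewer shows nothing for them. The following added example goes beyond the article and is not from MetaViewer or Pinpoint Laboratories; it reads those parts with the Python standard library, and the sample package, its values and the size limit are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of docProps/core.xml and docProps/app.xml in Office 2007 packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
PARTS = {
    "docProps/core.xml": {"author": "dc:creator", "last_saved_by": "cp:lastModifiedBy",
                          "created": "dcterms:created", "modified": "dcterms:modified"},
    "docProps/app.xml": {"company": "ep:Company", "words": "ep:Words", "pages": "ep:Pages"},
}
MAX_PART_BYTES = 1_000_000  # assumption: property parts are small; skip oversized ones

def read_ooxml_metadata(source):
    """Return property values found in a .docx/.xlsx/.pptx path or file object."""
    found = {}
    with zipfile.ZipFile(source) as pkg:
        names = set(pkg.namelist())
        for part, fields in PARTS.items():
            # A scrubbed or minimal file may lack a part; oversized parts are skipped.
            if part not in names or pkg.getinfo(part).file_size > MAX_PART_BYTES:
                continue
            root = ET.fromstring(pkg.read(part))
            for label, tag in fields.items():
                node = root.find(tag, NS)
                if node is not None and node.text:
                    found[label] = node.text
    return found

def build_sample():
    """Constructed package holding only the two property parts (not a real document)."""
    core = ('<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
            '<dc:creator>J. Example</dc:creator><cp:lastModifiedBy>reviewer01</cp:lastModifiedBy>'
            '<dcterms:created>2008-01-15T09:30:00Z</dcterms:created></cp:coreProperties>') % NS
    app = ('<Properties xmlns="%(ep)s"><Company>Example Corp</Company>'
           '<Words>812</Words></Properties>') % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for field, value in read_ooxml_metadata(build_sample()).items():
        print(f"{field}: {value}")
```

Run over a folder of outgoing documents, a non-empty result for author, last_saved_by or company flags files that still carry personal information.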
As data privacy becomes more important, many parent applications include options to scrub sensitive data from their own documents. In Office 2003, you can strip personal information such as your name, initials, or company from the metadata. In the application, go to Tools, Options and click the Security tab. Select the check box to remove personal information from file properties on save. In Office 2007, click the Office icon, choose Prepare from the dropdown menu, and select Inspect Document. In the Document Inspector dialog box, select the check boxes for the type of data you want to search for, and click Inspect. The program searches for hidden information in such areas as comments, revisions, versions, annotations, custom XML data, headers, footers, and watermarks, and you can instruct Office to remove that information.
I plan on keeping MetaViewer in my toolbox, and I hope you’ll try it out. As security professionals, it’s essential for us to understand what we're securing before we can appropriately secure it. MetaViewer reveals data hidden in Office 2003 and earlier documents and provides a springboard to using other data discovery tools suitable for your particular environment.