PowerPoint — What data is beneath the surface?

Wherever you go now whether that be university, your workplace, a conference, it is very common to see presentations that were created using Microsoft PowerPoint.

Although PowerPoint documents do store a lot of metadata, such as the author’s name and the name of the person who last modified the file, I wanted to see if any additional data was exposed in these presentations without the creator’s knowledge.

Therefore, my focus in this blog is on screenshot images contained in Microsoft PowerPoint presentations.

The purpose of this blog is to demonstrate how to locate these images, determine if they are cropped, and how to reveal some redacted information. The “techniques” described in this blog can also apply to other applications like Microsoft Word.

Firstly, how do we find PowerPoint documents online? One of the main ways is by using Google dorks. Below are some examples:

site:target.com filetype:pptx

inurl:gov filetype:pptx

“keyword” (filetype:pptx | filetype:ppt)

I wanted to find presentations that would have screenshots of a company’s system so that there was more of a chance that they would be cropped. Other presentations often have pictures taken from Google and therefore either do not have cropped parts, or if they do, the data won’t be as relevant. Therefore, I did the following Google dork:

filetype:pptx “user guide”

I tried adding slight adjustments too like “intranet” or “inurl:gov” after the query above to see what results appeared. This query gave me results for guides on company systems and websites and lots of them contained screenshots so that people could easily follow along with the guide.

Once I had found some PowerPoint presentations, I could then start looking for any data that was being hidden beneath the surface.

Example 1

The first one I found was from a university. The following slide shows an email from when they are hiring new employees.

This is a more clear view of the email. However, they redact certain parts of it such as the temporary user ID and password. Seeing this information could reveal how the company sets up their accounts and it could be used as a way into the company for hackers.

In this example, we have the full presentation that we can also edit. It turns out that a lot of people just place a shape over the content they want to redact and then they leave it as it is. Therefore, when presenting, no one will see the content under the shape. However, because we have full access to it, we can just remove the shapes and see the content ourselves. Here I clicked on the image and clicked “Crop” which shows me the original image without the boxes on top of it. It isn’t great quality here and I re-redacted the main parts too but you can see that the red boxes are gone.

Example 2

The second example is from the same presentation as above. One slide includes an example email that an employee would receive after being hired. However, upon inspecting this more closely, the email text was in a PowerPoint text box and there was a white box covering the original email.

By clicking to crop the image, it reveals the original full screenshot. This now contained the real email which did give away a real name and their employee ID. Also, it now shows other emails that this person has received on the left side of the page. Other emails are displayed on the page and you can see what bookmarks they have saved on their browser.

Example 3

The third example is a presentation that is walking through how to use a platform. This slide in particular is showing how a user can add fields and it shows a simple screenshot of a form with a drop down.

However, by using the crop technique, it reveals that the creator was using two computer monitors and when they pressed the print screen button, it took a screenshot of both monitors which they then cropped down to the relevant part.

Looking more closely at the full screenshots from each monitor, they do each reveal new information. For example, the left monitor revealed a direct URL to the page, this can sometimes reveal internal URLs that weren’t meant to be public. It also reveals bookmarks that they have saved on their browser. The right monitor revealed a name in the top right corner of who was working on the presentation. This name was different to the ones mentioned in the main final document metadata too.

Overall, this article has shown the kind of data that can be hidden behind a PowerPoint presentation which can also apply to other Office applications such as Word, without the creators even knowing. This is useful to keep in mind both from a privacy standpoint but also for when conducting investigations.