By : Bijay Acharya / studentvideotutorial
PDF (Portable Document Format) is widely used these days. Think of it this way: you create a DOC file in Word, then save it as a PDF so that it stays exactly as it is, because by default, when you open a PDF anywhere on any system, its layout does not change or get modified.
Since PDF is so widely used, bad guys are around who target serious vulnerabilities in Adobe Acrobat Reader (the PDF reader) to spread malware or compromise systems. So PDF forensics is a very important section to learn in the field of Digital Forensics.
Let’s Start:
I’m going to give a step-by-step guide to PDF Forensics using a free tool named “PDF Stream Dumper”. First you need to download PDF Stream Dumper from here and install it. See the image below; I’ve installed it on my system.
Now, to start the analysis you need a malicious PDF file. Below, you can see the PDF on my system:
Let’s examine the PDF: load your PDF in PDF Stream Dumper. See the image below:
To scan the PDF file, select “Exploits_Scan” from the top menu, and the result will be shown:
Look, PDF Stream Dumper identifies the exploit and gives details on its presence in the PDF file:
Exploit CVE-2007-5659 v8.1.1 – collectEmailInfo – found in stream: 31
What if there is “Shellcode Embedded” in the PDF file?
Shellcode is basically used to store the payload of the exploit (attached to the PDF) and gets executed on the victim’s machine. So, in PDF Stream Dumper, there is a “Shellcode_Analysis” section. See the image below:
Go to: Shellcode_Analysis & click “scSigs”
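As an added example (my own code, not part of the original tutorial and not PDF Stream Dumper’s code), here is a small Python triage script that does in code what the Exploits_Scan step does in the GUI: it walks every object in the file, inflates FlateDecode streams so compression cannot hide anything, and reports which object numbers carry JavaScript, auto-action or embedded-file names, or the collectEmailInfo API name from the finding above. The PDF it scans is a constructed sample with the JavaScript stream placed in object 31 to mirror the numbering above; it contains no exploit, and a keyword hit is only a signal to inspect that object, not a verdict.

```python
import re
import zlib

# PDF names that triage tools flag (they wire up JavaScript, automatic actions
# and embedded files) plus the API name PDF Stream Dumper reported above.
# A hit is a triage signal to inspect that object, not proof of malice.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"collectEmailInfo"]
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate a /FlateDecode stream; other filters are returned untouched."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # corrupt or deliberately broken stream: keep raw bytes
    return raw

def scan_pdf(data: bytes) -> dict:
    """Return {object number: [keywords]} for every 'N 0 obj ... endobj' body
    that hits; stream data is decoded first so compression cannot hide names."""
    hits = {}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        content = body
        sm = STREAM_RE.search(body)
        if sm:
            content = body[:sm.start()] + decode_stream(body[:sm.start()], sm.group(1))
        # Require a non-letter after each name so /JS does not match /JSXYZ.
        found = [k.decode() for k in SUSPICIOUS
                 if re.search(re.escape(k) + rb"(?![A-Za-z])", content)]
        if found:
            hits[num] = found
    return hits

def build_sample() -> bytes:
    """Constructed sample, not a real malicious file: a Flate-compressed
    JavaScript stream in object 31 reached through the catalog's /OpenAction."""
    js = zlib.compress(b"// constructed sample text that mentions collectEmailInfo")
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 30 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"30 0 obj << /S /JavaScript /JS 31 0 R >> endobj\n"
            b"31 0 obj << /Length " + str(len(js)).encode() + b" /Filter /FlateDecode >>\n")
    return head + b"stream\n" + js + b"\nendstream\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(build_sample()))  # object 31 is where the keyword lives
```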
Note: Some portions of the demo are skipped in this tutorial, such as details about the executables that this malicious PDF will try to download from the network on execution, or that might already be embedded in the PDF. Not every detail of the Windows executables this PDF tries to execute is covered in this tutorial.
But we are sure (from the lab demo above) that this PDF is infected.
The PDF used for demo purposes is from: Zeltser