Digital Forensics Tutorial [Part 5] – PDF Forensics

Digital Forensics Course



By : Bijay Acharya / studentvideotutorial 

PDF (Portable Document Format), being used widely in these days. Simply think, you created DOC file from word, then today we save our DOC file as PDF, so that it could remain as it is. Because, by default when you open PDF anywhere in any system, then alignment of that PDF do not updates or do not get modified.

Since we knew that PDF is being widely used, bad guys are around who targets serious vulnerability in adobe acrobat reader (PDF) reader for spreading malware or for compromising systems. So, PDF forensics is must important section to be learned in the field of Digital Forensics.

Let’s Start :

I’m going to give step by step guide on PDF Forensics, using free tool named “PDF Stream Dumper“. At first you need to download PDF Stream Dumper from here and install it. See the image below, I’ve installed in my system.

Now, to start analysis you need to have malicious pdf file. Below, you can see pdf in my system :

Let’s examine PDF, load your pdf in pdf stream dumper. See image below :

To scan pdf file, select “Exploits_Scan” from the top menu, then result will be shown :

Look, PDF Stream Dumper identifies exploit and gives detail on it’s  presence in the PDF file:

Exploit CVE-2007-5659 v8.1.1 – collectEmailInfo – found in stream: 31 

Look below, in tool’s left pane, you can move to different sections. In image shown below, I’ve clicked object 31 in stream which clearly shows us embedded javascript.

Also,

While trying to get details on JavaScript embedded in a PDF, we can click “JavaScript_UI” which then gets us into interactive JavaScript viewer & interpreter (builtin in PDF Stream Dumper). See image below :

What if “Shellcode Embedded” in PDF File ?

Shellcode basically used to store the payload of exploit (attached to pdf) & gets executed on victim’s machine. So, in pdf stream dumper, there is “Shellcode_Analysis” section. See image below :

goto : Shellcode_Analysis & click “scSigs

Note : Some portion of demo is skipped in this tutorial. Like, details on about Executables that this malicious pdf on execution will try to download from network, or might be embedded already in pdf. Each and every detail on windows executables this pdf tries to execute is not mentioned in this tutorial.

But we are sure (from above lab demo), that this pdf is infected.

Thank you.



Pdf used for demo purpose is from : Zeltser

Leave a Reply

Your email address will not be published.