Digital Forensics 0x4a : PDF Forensics

PDF (Portable Document Format) is widely used these days. Think of the common workflow: you create a DOC file in Word, then save it as PDF so that it stays exactly as it is. By default, when you open a PDF anywhere on any system, its layout does not change or get modified.

Since PDF is so widely used, attackers target serious vulnerabilities in Adobe Acrobat Reader (the PDF reader) to spread malware or compromise systems. So PDF forensics is an important topic to learn in the field of Digital Forensics.

Let's begin. We have two PDF files here, analyse.pdf and bhudki_com. You can see them in the image below.


Quickly check the properties of those files. The image below shows the properties of analyse.pdf.


Now, let's analyse these two PDF files.

For a basic analysis, I am using the PDF Stream Dumper tool. See the image below.


We need to load our PDF into this tool. At the bottom, click Load and browse to the PDF file. We will load the bhudki_com PDF first. See the image below.


Once the PDF is loaded, go to the menu (top) and click Exploits_Scan. You will then get this screen.


Check the Notepad message carefully. Nothing in there, right?

Now let's load the other PDF. First click Abort at the bottom right of the screen, then load the other PDF.


You can clearly see that analyse.pdf is loaded. 

Now when you click Exploits_Scan, you will see the following result, from which it can be guessed that something is wrong with this PDF.
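What an exploit scan like the one in PDF Stream Dumper does at its core is count risky PDF names (/JavaScript, /OpenAction, /Launch, /AA and so on) in the file and in the streams it can decode, and pull out the document-info metadata that the Properties dialog shows. The script below is an added example, not code from the original post or from PDF Stream Dumper, that reproduces that first-pass triage in Python. The two PDFs it scans (BENIGN_PDF and SUSPICIOUS_PDF) are constructed in the script itself and stand in for bhudki_com and analyse.pdf; their contents are invented for the demonstration, and the SUSPICIOUS_NAMES list and the verdict rule are assumptions of this example, not PDF Stream Dumper's actual signature set.

```python
import re
import zlib
from typing import Dict, List

# Names that a first-pass exploit scan flags. Assumption of this example: a hit is a
# triage signal to look closer, not proof of malice, and no hit does not prove a file clean.
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/URI",
)
# Names that make a document execute something on open: these decide the verdict.
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# 'stream' ... 'endstream'; the lookbehind stops 'endstream' from starting a new match.
_STREAM = re.compile(rb"(?<!end)stream\n(.*?)\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so an obfuscated /J#61vaScript matches /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> List[bytes]:
    """Return the decompressed content of every stream that zlib can inflate (FlateDecode).
    Streams that are not Flate are skipped: their raw bytes are already in the file-level scan."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def info_dictionary(data: bytes) -> Dict[str, str]:
    """Pull the document-info fields a Properties dialog shows (Producer, Creator, dates)."""
    meta = {}
    for key in (b"Title", b"Author", b"Creator", b"Producer", b"CreationDate", b"ModDate"):
        m = re.search(rb"/" + key + rb"\s*\((.*?)\)", data)
        if m:
            meta[key.decode()] = m.group(1).decode("latin-1")
    return meta


def triage(data: bytes, inflate: bool = True) -> dict:
    """Count risky names in the raw file and (optionally) inside inflated streams,
    collect metadata and basic structure counts, and give a simple verdict."""
    views = [normalize_names(data)]
    if inflate:
        views += [normalize_names(s) for s in inflate_streams(data)]
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Trailing lookahead so /JS does not also match the start of a longer name.
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")
        n = sum(len(pat.findall(v)) for v in views)
        if n:
            counts[name.decode()] = n
    return {
        "header": data[:8].decode("latin-1"),
        "objects": len(re.findall(rb"\d+\s+\d+\s+obj\b", data)),
        "streams": len(_STREAM.findall(data)),
        "metadata": info_dictionary(data),
        "suspicious": counts,
        "verdict": "suspicious" if ACTIVE_NAMES & counts.keys() else "nothing flagged",
    }


# ---- constructed fixtures (no xref table; enough for byte-level triage) -----------------
def _pdf(objects: List[bytes]) -> bytes:
    """Assemble a minimal PDF; the last object is used as the Info dictionary."""
    body = b"%PDF-1.5\n"
    for i, obj in enumerate(objects, start=1):
        body += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    return body + b"trailer\n<< /Root 1 0 R /Info %d 0 R >>\n%%%%EOF\n" % len(objects)

_PAGE_OBJECTS = [
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
]
_CONTENT = b"BT /F1 12 Tf 72 720 Td (Constructed sample page) Tj ET"
_CONTENT_OBJ = b"<< /Length %d >>\nstream\n%s\nendstream" % (len(_CONTENT), _CONTENT)

BENIGN_PDF = _pdf([b"<< /Type /Catalog /Pages 2 0 R >>"] + _PAGE_OBJECTS + [
    _CONTENT_OBJ,
    b"<< /Producer (constructed sample) /CreationDate (D:20240101120000) >>",
])

# The action name in object 5 is hex-escaped, and a second action hides inside a
# compressed object stream, so a plain grep of the file would under-count both.
_OBJSTM = zlib.compress(b"8 0 << /Type /Action /S /JavaScript /JS 9 0 R >>")
SUSPICIOUS_PDF = _pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>"] + _PAGE_OBJECTS + [
    _CONTENT_OBJ,
    b"<< /Type /Action /S /J#61vaScript /JS 6 0 R >>",
    b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
    % (len(_OBJSTM), _OBJSTM),
    b"<< /Producer (constructed sample) /Creator (constructed-generator) >>",
])

if __name__ == "__main__":
    for label, pdf in (("bhudki_com (stand-in)", BENIGN_PDF), ("analyse.pdf (stand-in)", SUSPICIOUS_PDF)):
        print(label, triage(pdf))
```

Running the script with real files means replacing the constructed fixtures with `open(path, "rb").read()`. The `inflate=False` switch shows why stream decoding matters: on the suspicious fixture the raw scan sees one /JavaScript, the full scan sees two, which is exactly the class of difference that makes a stream-dumping tool more useful than a text search over the file.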


Ok, those were the basics of PDF Forensics.

Thank You.
