A PDF file can contain text streams, which can be encoded in many ways, as well as images, fonts and other elements. A PDF file comprises sections called objects; each object is numbered and can be a page, a font or a data stream.
PDF forensics can reveal highly confidential information that exists in a PDF file, or malicious code hidden in it.
In this article we will learn how to analyze a PDF file with PDFiD, which ships with BackTrack 5 together with two other PDF forensics tools, peepdf and pdf-parser.
PDFiD
PDFiD is written in Python. It helps you detect PDF files that contain malicious code, and identify PDF documents that contain JavaScript or execute an action when the PDF file is opened. It also shows how many objects, streams, pages, etc. the PDF file has; in other words, it analyzes the file.
PDFiD scans the whole PDF document and gives a list of keywords, counting the occurrences of each one.
Creators of malicious PDF documents have always relied on JavaScript, and also on embedded Flash programs, to make Adobe Reader exploits more reliable.
First of all we will create a malicious PDF file with Metasploit so we can analyze it. We are going to use:
msf > use exploit/windows/fileformat/adobe_utilprintf
Then view the module's help.
After we create the malicious PDF document we will run it through PDFiD.
First you will see the PDF header: %PDF-1.5
obj                    6
endobj                 6
stream                 1
endstream              1
xref                   1
trailer                1
startxref              1
/Page                  1
/Encrypt               0
/ObjStm                0
/JS                    1
/JavaScript            1(1)
/AA                    0
/OpenAction            0
/AcroForm              0
/JBIG2Decode           0
/RichMedia             0
/Launch                0
/Colors > 2^24         0
Now we will discuss every line shown to us. The first line gives you the PDF header.
/Page gives the number of pages in the PDF document; 95% of PDF files that contain malicious code or execute code have only 1 page.
/Encrypt shows that the PDF document requires you to enter a password to read the file; pdf-parser can show this encryption as a hash.
/JS and /JavaScript show that the PDF document contains JavaScript. Almost all malicious PDF documents contain JavaScript (to exploit a JavaScript vulnerability), although sometimes a PDF contains JavaScript without any malicious code.
/AA and /OpenAction indicate an automatic action to be performed when the page is viewed; many PDF files contain JavaScript that is loaded this way, without any interaction from the victim.
/JBIG2Decode indicates whether the PDF file uses JBIG2 compression. It may or may not contain malicious code, so it needs more inquiry.
/RichMedia tells you whether the PDF file contains embedded Flash.
/Launch counts launch actions.
Every PDF document will contain the first 7 keywords (obj through startxref) and, to a lesser extent, stream and endstream.
All counters can be wrong if the PDF file was saved with incremental updates.
Incremental updates: changes to an existing PDF document can be appended to the end of the document, leaving the original content intact.
A PDF file without incremental updates contains 4 parts:
1- header
2- objects
3- cross reference table
4- trailer
A PDF file with an incremental update contains:
header
objects (original content)
cross reference table (original content)
trailer (original content)
objects (updated content)
cross reference table (updated content)
trailer (updated content)
This means every object can have 2 copies: one in the original content and the other in the updated content.
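The keyword counting described above, the parenthesised number PDFiD prints beside a keyword (the 1(1) next to /JavaScript in the output above counts occurrences whose name was written with #xx hex escapes, which is how a name can be hidden from a naive grep), and the incremental-update caveat just described, as one added Python example. This is not PDFiD's own code and not part of the original article; the sample PDF bytes are constructed for the demonstration (they are a structural toy, not a working or malicious document) and the finding texts in triage() are my own wording of the article's rules.

```python
import re
from collections import Counter

# Keywords PDFiD reports, as listed in the article: structural tokens first,
# then the names that matter for triage.
STRUCTURAL = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref"]
NAMES = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
         "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch"]

# Constructed sample (not a real or malicious document): five objects in the
# original content, one name hex-escaped as /J#61vaScript, and one incremental
# update that appends a second copy of object 4 after the first %%EOF.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (placeholder script text) >>
endobj
5 0 obj
<< /Length 0 >>
stream
endstream
endobj
xref
0 6
trailer
<< /Root 1 0 R /Size 6 >>
startxref
0
%%EOF
4 0 obj
<< /S /JavaScript /JS (placeholder script text, updated copy) >>
endobj
xref
0 6
trailer
<< /Root 1 0 R /Size 6 /Prev 0 >>
startxref
0
%%EOF
"""

NAME_RE = re.compile(r"/([^\s/<>\[\]()\{\}%]+)")      # a PDF name token after '/'
HEX_ESCAPE_RE = re.compile(r"#([0-9A-Fa-f]{2})")       # #xx escape inside a name
OBJ_HEADER_RE = re.compile(r"(?m)^(\d+)\s+(\d+)\s+obj\b")  # "N G obj" line


def unescape_name(raw):
    """Decode #xx hex escapes in a PDF name; returns (decoded, was_obfuscated)."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return decoded, decoded != raw


def pdfid_counts(data):
    """Count PDFiD-style keywords in a PDF, treating the bytes as latin-1 text.

    Returns the header line, {keyword: (total, hex-escaped)} counts, the number
    of incremental updates (extra %%EOF markers) and the object numbers that
    occur more than once, which is exactly what an update leaves behind.
    """
    text = data.decode("latin-1")
    counts = {}
    for word in STRUCTURAL:
        # \b keeps "obj" from matching inside "endobj" and "xref" inside "startxref"
        counts[word] = (len(re.findall(r"\b%s\b" % word, text)), 0)
    totals, obfuscated = Counter(), Counter()
    for match in NAME_RE.finditer(text):
        name, was_obf = unescape_name(match.group(1))
        totals["/" + name] += 1
        if was_obf:
            obfuscated["/" + name] += 1
    for name in NAMES:
        counts[name] = (totals[name], obfuscated[name])
    object_numbers = Counter(int(m.group(1)) for m in OBJ_HEADER_RE.finditer(text))
    return {
        "header": text.split("\n", 1)[0].strip(),
        "counts": counts,
        "incremental_updates": max(0, text.count("%%EOF") - 1),
        "duplicated_objects": sorted(n for n, c in object_numbers.items() if c > 1),
    }


def triage(report):
    """Apply the article's reading of the counters; returns a list of findings."""
    c = report["counts"]
    findings = []
    js = c["/JS"][0] + c["/JavaScript"][0]
    auto = c["/OpenAction"][0] + c["/AA"][0]
    if js:
        findings.append("contains JavaScript")
    if js and auto:
        findings.append("JavaScript reachable through an automatic action (/OpenAction or /AA)")
    if c["/Launch"][0]:
        findings.append("contains /Launch actions")
    if c["/Page"][0] == 1 and js:
        findings.append("single-page document with JavaScript")
    if c["/Encrypt"][0]:
        findings.append("encrypted; needs a password to read")
    hidden = [k for k, (_, o) in c.items() if o]
    if hidden:
        findings.append("hex-escaped names: " + ", ".join(hidden))
    if report["incremental_updates"]:
        findings.append("%d incremental update(s); counters include stale copies of objects %s"
                        % (report["incremental_updates"], report["duplicated_objects"]))
    return findings


def format_report(report):
    """Render the counts in PDFiD's layout: keyword, total, then (hex-escaped) count."""
    lines = ["PDF Header: " + report["header"]]
    for keyword, (total, obf) in report["counts"].items():
        lines.append(" %-22s %d%s" % (keyword, total, "(%d)" % obf if obf else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    rep = pdfid_counts(SAMPLE_PDF)
    print(format_report(rep))
    for finding in triage(rep):
        print(" -", finding)
```

On the constructed sample the report shows obj 6 and endobj 6 although the original content has only five objects, because the update appends a second copy of object 4; /JavaScript is reported as 2(1), one copy written as /J#61vaScript. That is the point of the caveat above: the counters describe everything in the file, including superseded objects, so a second look with pdf-parser is needed to see which copy a reader would actually use.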
Conclusions
Digital forensics is important for detecting malicious PDF files, images and network traffic, as it keeps you from being infected or becoming a victim, which can lead to financial loss or stolen sensitive data. It also lets you keep evidence of a digital crime, trace it back to the attacker, and avoid being infected easily.
By: Yehia Mamdouh