Sunday, July 1, 2012


PDF Forensics (Yehia.Mamdouh)



A PDF file can contain text streams, which can be encoded in many ways, as well as images, fonts and other elements. A PDF file is made up of sections called "objects"; objects are numbered, and an object can be a page, a font or a data stream.
PDF forensics can reveal highly confidential information that exists in a PDF file, or malicious code.
In this article we will learn how to analyse a PDF file with PDFiD, which is included in BackTrack 5 together with two other PDF forensics tools (peepdf and pdf-parser).
PDFiD is written in Python. It helps you detect PDF files that contain malicious code and identify PDF documents that contain JavaScript or any action that executes automatically when the PDF file is opened.
It also shows how many objects, streams, pages etc. the PDF file has; in other words, it analyses the file.
PDFiD scans the whole PDF document, looks for a list of strings and counts the occurrences of each one.


Creators of malicious PDF documents have always relied on JavaScript, and also on embedded Flash, to make their Adobe Reader exploits more reliable.
First of all we will create a malicious PDF file with Metasploit so we can analyse it. We are going to use:

msf > use exploit/windows/fileformat/adobe_utilprintf


Now we will learn how to read the file with PDFiD. We open PDFiD in a terminal in BackTrack with this command:


For viewing the help:



After we create the malicious PDF document, we run it through PDFiD:



First you will see the PDF header: %PDF-1.5
obj                6
endobj             6
stream             1
endstream          1
xref               1
trailer            1
startxref          1
/Page              1
/Encrypt           0
/ObjStm            0
/JS                1
/JavaScript        1(1)
/AA                0
/OpenAction        0
/AcroForm          0
/JBIG2Decode       0
/RichMedia         0
/Launch            0
/Colors > 2^24     0

Now we will discuss every line that is shown to us.
It gives you the PDF header.
/Page gives the number of pages in the PDF document. 95% of PDF files that contain malicious code or executable code have only 1 page.

/Encrypt shows that the PDF document needs you to enter a password to read the file; pdf-parser can show this encryption as a hash.

/ObjStm tells how many object streams there are. An object stream can contain other objects, which can be used to obfuscate objects.

/JS and /JavaScript show that the PDF document contains JavaScript. Almost all malicious PDF documents contain JavaScript (to exploit a JavaScript vulnerability), but sometimes PDFs contain JavaScript without any malicious code.

/AA and /OpenAction indicate an automatic action to be performed when the page is viewed; many PDF files contain JavaScript that is loaded this way without any victim interaction.

/JBIG2Decode indicates that the PDF file uses JBIG2 compression. It may or may not contain malicious code; it needs more inquiry.

/RichMedia tells you whether the PDF file contains embedded Flash.

/Launch counts launch actions.

Every PDF document will contain the first 7 words (obj through startxref) and, to a lesser extent, stream and endstream.
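As an added example (not part of the original article, and not PDFiD's own code), here is a small Python scanner that reproduces what PDFiD's keyword counting does over a constructed sample PDF: it counts the bare keywords and the names listed above, resolves #xx hex escapes in names so an obfuscated /J#53 is still counted as /JS, and prints the obfuscated subset in parentheses the way the /JavaScript 1(1) line above does. The sample PDF bytes, the function names and the exact output layout are my own assumptions.

```python
import re

# Keywords PDFiD reports, in its own order. Names (those starting with "/")
# are also counted when written with PDF #xx hex escapes, e.g. /J#53 for /JS;
# the count inside parentheses is the subset that was hex-obfuscated.
KEYWORDS = [
    "obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
    "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
    "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch",
]

# Constructed sample (not a real file): a one-page PDF whose /OpenAction points
# at a JavaScript action, with the /JS key written as /J#53 to dodge naive
# string matching. The script body is a harmless placeholder string.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /JavaScript /J#53 (sample) >>
endobj
trailer
<< /Root 1 0 R >>
"""

def unescape_name(token: bytes) -> bytes:
    """Resolve #xx hex escapes inside a PDF name token (/J#53 -> /JS)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)

def scan(data: bytes) -> dict:
    """Return {keyword: (total_count, obfuscated_count)}."""
    counts = {k: [0, 0] for k in KEYWORDS}
    # A name token ends at whitespace or a PDF delimiter, so /Pages is a
    # different name from /Page and is not counted as a page.
    for m in re.finditer(rb"/[^\s/\[\]<>(){}%]+", data):
        token = m.group(0)
        name = unescape_name(token).decode("latin-1", "replace")
        if name in counts:
            counts[name][0] += 1
            if b"#" in token:
                counts[name][1] += 1
    # Bare keywords must not be sub-matches: "obj" inside "endobj" and
    # "xref" inside "startxref" do not count.
    for kw in KEYWORDS:
        if not kw.startswith("/"):
            pattern = rb"(?<![A-Za-z])" + kw.encode() + rb"(?![A-Za-z])"
            counts[kw][0] = len(re.findall(pattern, data))
    return {k: tuple(v) for k, v in counts.items()}

def header(data: bytes) -> str:
    """PDF version marker, or '' when it is missing from the first 1 KiB."""
    m = re.search(rb"%PDF-\d\.\d", data[:1024])
    return m.group(0).decode() if m else ""

def report(data: bytes) -> str:
    """Render the counts in a 'keyword total(obfuscated)' layout."""
    lines = [f"PDF Header: {header(data)}"]
    for kw, (total, obf) in scan(data).items():
        lines.append(f"{kw:<16}{total}" + (f"({obf})" if obf else ""))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_PDF))
```

Run it and the report shows /JS 1(1) next to /JavaScript 1 and /OpenAction 1 for the sample: the hex-escaped name is still found, and the automatic action plus script is exactly the combination the counters above are meant to surface. Replace SAMPLE_PDF with the bytes of a file read in binary mode to scan a real document.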
All counters can be wrong if the PDF file was saved with incremental updates.
Incremental updates: changes to an existing PDF document are appended to the end of the document, leaving the original content intact.

A PDF file (without incremental updates) contains 4 parts:
1- Header
2- Objects
3- Cross reference table
4- Trailer

A PDF file (with an incremental update) contains:
Header
Objects (original content)
Cross reference table (original content)
Trailer (original content)
Objects (updated content)
Cross reference table (updated content)
Trailer (updated content)
This means every object can have 2 copies: one in the original content and the other in the updated content.
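As an added example (not from the original article or from PDFiD), the Python below shows why whole-file counters drift on an incrementally updated file: it splits a constructed sample PDF at each %%EOF into its generations, lists objects that are defined more than once, and picks the definition a reader actually uses (the last one), so the investigator sees both the clean original catalog and the updated one that gained an /OpenAction. The sample bytes, the xref offsets (placeholders; nothing here dereferences them) and the function names are my own assumptions.

```python
import re

# Constructed sample, not a real file: an original one-page document plus one
# incremental update appended after its %%EOF. The update redefines object 1
# (the catalog) to add an /OpenAction and adds object 4. Offsets in the xref
# tables are placeholders; this scanner works on keywords, not offsets.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
xref
0 4
0000000000 65535 f
0000000009 00000 n
0000000058 00000 n
0000000115 00000 n
trailer
<< /Size 4 /Root 1 0 R >>
startxref
164
%%EOF
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (sample) >>
endobj
xref
0 1
0000000000 65535 f
1 1
0000000300 00000 n
4 1
0000000370 00000 n
trailer
<< /Size 5 /Root 1 0 R /Prev 164 >>
startxref
450
%%EOF
"""

# "N G obj ... endobj"; the leading digits mean "endobj" can never match.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

def split_updates(data: bytes) -> list:
    """Generations of the file: the original body, then each appended update."""
    return [seg for seg in re.split(rb"%%EOF[\r\n]*", data) if seg.strip()]

def object_versions(data: bytes) -> dict:
    """Map object number -> [(generation, body), ...] in file order."""
    versions = {}
    for gen, segment in enumerate(split_updates(data)):
        for m in OBJ_RE.finditer(segment):
            versions.setdefault(int(m.group(1)), []).append((gen, m.group(3).strip()))
    return versions

def shadowed_objects(data: bytes) -> dict:
    """Object numbers defined more than once, with how many copies exist."""
    return {n: len(v) for n, v in object_versions(data).items() if len(v) > 1}

def effective_objects(data: bytes) -> dict:
    """The definition a reader uses for each object: the last one in the file."""
    return {n: v[-1][1] for n, v in object_versions(data).items()}

def keyword_count(data: bytes, keyword: bytes) -> int:
    """Whole-file count of a bare keyword, the way a keyword scanner sees it."""
    return len(re.findall(rb"(?<![A-Za-z])" + keyword + rb"(?![A-Za-z])", data))

if __name__ == "__main__":
    print("generations:", len(split_updates(SAMPLE_PDF)))
    print("obj keywords:", keyword_count(SAMPLE_PDF, b"obj"),
          "live objects:", len(effective_objects(SAMPLE_PDF)))
    for num, copies in shadowed_objects(SAMPLE_PDF).items():
        print(f"object {num} has {copies} copies")
        for gen, body in object_versions(SAMPLE_PDF)[num]:
            print(f"  generation {gen}: {body.decode()}")
```

On the sample, the keyword scan reports obj 5, trailer 2 and startxref 2 although only four objects are live, and object 1 appears twice: the original catalog without an /OpenAction and the appended one with it. When a file shows more than one trailer or startxref, compare the versions of each shadowed object rather than trusting the totals.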

Conclusions
Digital forensics is important for detecting malicious PDF files, images and network traffic. It keeps you from being infected or becoming a victim, which can lead to financial loss or stolen sensitive data, and it lets you keep evidence of a digital crime, reach the attacker, and avoid being infected easily.

By : Yehia Mamdouh