PDF Manipulated


Fra93
Newbie
 

PDF Manipulated

Post Posted: Aug 21, 19 07:55

Hi everybody,

I need to understand whether some PDF files, sent to me by a customer, have been manipulated or not.

I have seen the metadata in Acrobat Professional and also extracted this information with Exiftool.

For two of these three PDF files, the creation date and modification date are different.
Moreover, the creation date is later than the modification date.

Is this problem with the dates caused by saving the PDF file with the customer's password?

Are there other checks to understand whether these PDF files have been manipulated?

Thanks
Francesco  
 
  

jaclaz
Senior Member
 

Re: PDF Manipulated

Post Posted: Aug 22, 19 08:21

Strange "creation" vs. "modified" dates are pretty much normal if the file has been copied across filesystems; see (only as an example, the last two threads revolving around similar issues):
www.forensicfocus.com/...c/t=17972/
www.forensicfocus.com/...c/t=17992/

Assuming you are talking of the "file" dates.

The PDF format also has some internal dates; depending on how exactly it has been edited and by which tool, you might be able to check those internal dates for modification, see:
stackoverflow.com/ques...s-modified

But there are hundreds or thousands of PDF tools, of which many simply don't respect (or workaround) the specifications, so YMMGV.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

UnallocatedClusters
Senior Member
 

Re: PDF Manipulated

Post Posted: Aug 22, 19 21:26

Hello,

I recommend opening each PDF file using OSForensics' File Viewer tool, and then "Extract All Text".

OSForensics will extract all available embedded text from your PDF files and let you visually review the extracted text for Dates and other important metadata.

For example, if one of your PDF files has an embedded JPG picture file, and the embedded JPG picture file has EXIF metadata, OSForensics will extract the embedded EXIF metadata dates as well as other embedded date values as per below:

PDF Files can contain embedded “XML” packets which are designated by bracketed “xap” values. These “XML” packet metadata dates are not File System dates, but rather date values that are automatically embedded within PDF files by Adobe software recording the dates and times files were added to a given PDF file:

An example of embedded PDF “XML” metadata date streams:
<xap:CreateDate>2014-02-02T19:43:17Z</xap:CreateDate>
<xap:ModifyDate>2014-02-02T19:43:17Z</xap:ModifyDate>
<xap:MetadataDate>2014-02-02T19:43:17Z</xap:MetadataDate>

PDF files can contain multiple XML streams and packets, which can be embedded and appended within a given PDF file at different dates and times.

If one adds (embeds) a new JPG file into an existing PDF file, Adobe will add new "xap" XML metadata date values for the newly embedded JPG file in addition to the existing internal embedded "xap" metadata date values.

Typically at the very end of the embedded text within PDF files, one will see the traditional PDF file Creation and Modified dates (note these values do NOT have the "xap" value):

/CreationDate (D:20140203034317+08'00')
/ModDate (D:20140203034317+08'00')

Another embedded XML stream to look at is the “/Producer” value which shows what PDF generation engine version was used to create your PDF files:

For example a “/Producer” value of
<feff0043006f00720065006c002000500044004600200045006e00670069006e0065002000560065007200730069006f006e002000310037002e0031002e0030002e003500370032> translates to “Corel PDF Engine Version 17”.

One can Google the release dates of Corel's PDF Engine Version 17 to determine when the PDF file was generated (on or after the PDF engine release date), for example.

NOTE: I have no association with Passmark (maker of OSForensics), but I have found OSForensics' ability to "extract" embedded text from files (and then make that text searchable) invaluable for this type of forensic analysis.
_________________
 
  

fissa
Member
 

Re: PDF Manipulated

Post Posted: Aug 24, 19 06:55

Hi Jaclaz and unallocated, I find this topic very interesting since I have a case where I must examine a PDF document as well.
In my case the PDF has been added as an attachment within an email.
How do I extract and save the PDF on my system without changing the modified, created and last accessed dates? I thought I'd save the entire .msg including the PDF and add it as a single file in EnCase. Would this work?
Or shouldn't I be bothered, and just save the PDF on my system and look into it with the suggested tools listed above?
It's a fraud investigation, so no pictures in the document.

Thanks for the help. I'm new to PDF investigation.

With kind regards.
 
  

Fra93
Newbie
 

Re: PDF Manipulated

Post Posted: Aug 30, 19 07:28

Hello everyone,
thanks for your feedback and sorry for the delay in responding.

In the past few days I have done further analysis.

To explain better, the PDFs that the client sent me are bank statements.

In one of them, the one with different modification and creation dates, I can't select the numbers in the PDF (credits and debits).

I used both OSForensics and Xpdf, and the result is the same: the numbers present come from images.

However, in the metadata I extracted with both tools, I don't have the embedded PDF "XML" metadata.

Could someone explain to me why?  
 
  

jaclaz
Senior Member
 

Re: PDF Manipulated

Post Posted: Aug 30, 19 14:34

More generally (besides and before any tampering detection) if you have a set of n documents with the same (exactly same) origin, i.e. provided by a same party, through the same means, and automatically generated by a same software and if any document nth - m with m bigger than 0, you already have enough grounds to suspect something "queer" happened.

Still, given the number of programs/tools/OS built-in provisions and what not that are "compatible" with PDF files, the "exactly" is an issue.

There is no doubt that either all documents sent from the bank are exactly the same format or from a given date onwards you have a change to a "new" format that however you can find in later documents (before another change).

But let's say that:
1) periodically user "A" gets in the browser the link to the .pdf and proceeds to "Save as" to a given directory
2) one day user "B" (or user "A" after vacation, or just distracted) instead opens the .pdf file and then proceeds to "print to .pdf"

The file in the latter case would be different, while still not having been tampered with at all.

AFAIK, the XML data (actually XMP, to be picky) can be inside the .pdf, not must, i.e. some tools/applications do that, others don't, and there are also different versions:
www.pdflib.com/pdf-kno...-overview/
en.wikipedia.org/wiki/...a_Platform

And (the matter is documented by Adobe), when there are two sources of metadata, tools should "choose" which one to "trust":
help.adobe.com/en_US/l...ffe.2.html
and may also update the "wrong" one.

And, once said how the XML fields are optional, the actual .pdf standard has actual provisions for Created and Modified date in the Info dictionary, see the thread on stackoverflow I already linked to, and here:
superuser.com/question...ion-of-pdf
BUT again there are lots of tools around that produce .pdf files which are not fully compliant with the standards.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
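The checks described in UnallocatedClusters' and jaclaz's posts above (the Info-dictionary /CreationDate and /ModDate, the optional XMP xap: dates, the hex-encoded /Producer string, and comparing a set of statements that should all share one origin), together with Fra93's observation that the figures in one statement exist only as images, worked through in Python. This is an added example, not code from the thread or from any tool mentioned in it. The three sample "statements" are constructed inline: the Corel producer hex string is the one quoted above, while the other producer name and every date not quoted in the thread are made up. The parser deliberately scans the raw bytes with regular expressions, which is enough for uncompressed files like the samples but will miss an Info dictionary stored inside a compressed object stream (PDF 1.5+); a real case should be cross-checked with a full PDF parser.

```python
import re
import zlib
from collections import Counter
from datetime import datetime, timedelta, timezone

# PDF Info-dictionary date form D:YYYYMMDDHHmmSSOHH'mm'; every field after the year is optional.
_PDF_DATE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+\-])?(\d{2})?'?(\d{2})?")
_INFO_KEY = re.compile(rb"/(CreationDate|ModDate|Producer)\s*(\([^)]*\)|<[^>]*>)")
_XMP_DATE = re.compile(rb"<(?:xap|xmp):(CreateDate|ModifyDate|MetadataDate)>([^<]+)<")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def parse_pdf_date(raw):
    """Turn D:20140203034317+08'00' into an aware datetime (None if it does not parse)."""
    m = _PDF_DATE.match(raw.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    tz = timezone(off if sign == "+" else -off) if sign in ("+", "-") else timezone.utc
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)

def decode_pdf_string(raw):
    """Decode a PDF string object: <hex> (UTF-16BE when it starts with FEFF, else Latin-1) or (literal)."""
    raw = raw.strip()
    if raw.startswith("<"):
        data = bytes.fromhex(re.sub(r"\s+", "", raw[1:-1]))
        return data[2:].decode("utf-16-be") if data.startswith(b"\xfe\xff") else data.decode("latin-1")
    return raw[1:-1]  # escaped parentheses inside literals are not handled (not needed for Info values)

def content_features(data):
    """Count text-showing operators (Tj/TJ) inside streams and image XObjects anywhere in the file."""
    text_ops = 0
    for body in _STREAM.findall(data):
        try:
            body = zlib.decompress(body)  # FlateDecode streams; anything else is scanned as-is
        except zlib.error:
            pass
        text_ops += len(re.findall(rb"(?<![A-Za-z])T[jJ](?![A-Za-z])", body))
    images = len(re.findall(rb"/Subtype\s*/Image\b", data))
    return text_ops, images

def profile_pdf(data):
    """Collect, for one PDF given as bytes, the indicators the thread discusses and flag inconsistencies."""
    info = {k.decode(): decode_pdf_string(v.decode("latin-1")) for k, v in _INFO_KEY.findall(data)}
    xmp = {k.decode(): v.decode().strip() for k, v in _XMP_DATE.findall(data)}
    created, modified = (parse_pdf_date(info[k]) if k in info else None for k in ("CreationDate", "ModDate"))
    text_ops, images = content_features(data)
    flags = []
    if created and modified and created > modified:
        flags.append("Info /CreationDate is later than /ModDate")
    if created and "CreateDate" in xmp:
        # XMP dates are ISO 8601; compare instants, so a +08'00' Info date and a Z XMP date can agree
        if datetime.fromisoformat(xmp["CreateDate"].replace("Z", "+00:00")) != created:
            flags.append("XMP CreateDate disagrees with Info /CreationDate")
    if text_ops == 0 and images > 0:
        flags.append("no text operators: content exists only as images")
    return {"producer": info.get("Producer"), "created": created, "modified": modified,
            "xmp_present": bool(xmp), "text_ops": text_ops, "images": images, "flags": flags}

def flag_outliers(profiles):
    """Across documents that should share one origin, name those whose /Producer differs from the majority."""
    if not profiles:
        return []
    common = Counter(p["producer"] for p in profiles.values()).most_common(1)[0][0]
    return sorted(name for name, p in profiles.items() if p["producer"] != common)

# Constructed sample "statements" (test data, not real bank files). The Corel producer hex string is
# the one quoted in the thread; the other producer name and the 2019 dates are invented.
_COREL_HEX = ("<feff0043006f00720065006c002000500044004600200045006e00670069006e0065002000"
              "560065007200730069006f006e002000310037002e0031002e0030002e003500370032>")
_XMP = (b"2 0 obj\nstream\n<x:xmpmeta><rdf:RDF><rdf:Description>"
        b"<xap:CreateDate>2014-02-02T19:43:17Z</xap:CreateDate>"
        b"<xap:ModifyDate>2014-02-02T19:43:17Z</xap:ModifyDate>"
        b"</rdf:Description></rdf:RDF></x:xmpmeta>\nendstream\nendobj\n")

def make_pdf(producer, created, modified, content, extra=b""):
    """Build a minimal, uncompressed PDF-like byte string with an Info dictionary and one content stream."""
    info = f"/Producer {producer} /CreationDate ({created}) /ModDate ({modified})".encode("latin-1")
    return (b"%PDF-1.4\n1 0 obj << " + info + b" >> endobj\n" + extra
            + b"4 0 obj << /Length " + str(len(content)).encode() + b" >>\nstream\n" + content
            + b"\nendstream\nendobj\ntrailer << /Info 1 0 R >>\n%%EOF\n")

SAMPLES = {
    # untouched export: consistent dates, XMP agrees with Info (same instant, different zones), real text
    "stmt_01": make_pdf(_COREL_HEX, "D:20140203034317+08'00'", "D:20140203034317+08'00'",
                        b"BT /F1 10 Tf 50 700 Td (Credit 1,250.00) Tj ET", _XMP),
    # same producer but no XMP packet at all (XMP is optional, as jaclaz notes)
    "stmt_02": make_pdf(_COREL_HEX, "D:20140306034317+08'00'", "D:20140306034317+08'00'",
                        b"BT /F1 10 Tf 50 700 Td (Debit 300.00) Tj ET"),
    # different producer, creation after modification, figures present only as an image
    "stmt_03": make_pdf("(Example Print-to-PDF driver)", "D:20190821075500+02'00'", "D:20190820180000+02'00'",
                        b"q 500 0 0 700 50 50 cm /Im1 Do Q",
                        b"3 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 >> endobj\n"),
}

def analyse(samples=SAMPLES):
    """Profile every document, then run the cross-document producer check."""
    profiles = {name: profile_pdf(data) for name, data in samples.items()}
    return profiles, flag_outliers(profiles)
```

Calling analyse() on the samples returns a per-document profile plus the list of producer outliers: stmt_01 and stmt_02 come back with no flags (the XMP date 2014-02-02T19:43:17Z and the Info date D:20140203034317+08'00' are the same instant, which is why the comparison is done on time-zone-aware values), while stmt_03 is flagged for the reversed dates and for image-only content, and is the one document whose producer differs from the rest. For real files, read each one as bytes and pass it to profile_pdf; a flag is a reason to look closer, not proof of tampering, for exactly the "Save as" versus "print to .pdf" reason given above.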
 
  

Cults14
Senior Member
 

Re: PDF Manipulated

Post Posted: Sep 08, 19 21:19

Also interesting for me right now for a case I'm working on (internal investigation)

I can see from PDF metadata that a small number of invoices "from a vendor" matches one previous quotation; title, producer, creation date, even visual layout. Invoices from the vendor before and after the suspect ones don't look the same and don't have the same metadata.

There are other elements that point the finger at unauthorised creation of these PDF invoices by one of our users; is it possible to prove that the user actually created them? Or is the best we can do to show a pattern of usual events, evidence and behaviour vs. what we think is unusual, i.e. circumstantial?

Cheers  
 
