Examining PDF Files
 
Notifications
Clear all

Examining PDF Files

6 Posts
4 Users
0 Likes
263 Views
(@digitalkiwi)
Posts: 3
New Member
Topic starter
 

Hello All,

I have been asked to examine a number PDF files that have been given to my client as part of a legal discovery.

The files are heavily redacted, but my client has observed that there are some inconsistencies in the page numbering and page headers and footers that leads him to question the authenticity of the documents.

I am able to gather the files' metadata using the exiftool, but other than examining the content of the files and noting the inconsistencies, is there anything else I could do? Are there any other tools that might reveal something about these files?

Thanks and regards.

 
Posted : 23/12/2015 12:50 am
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

Without understanding a bit more about what it is you're trying to determine, it's difficult to really make any recommendations.

For example, are you interested solely in the actual contents of the files themselves, or are you concerned that they contain malicious content?

For pointers to looking for malicious content, I'd suggest https://zeltser.com/analyzing-malicious-documents/

 
Posted : 23/12/2015 1:39 am
(@digitalkiwi)
Posts: 3
New Member
Topic starter
 

Without understanding a bit more about what it is you're trying to determine, it's difficult to really make any recommendations.

For example, are you interested solely in the actual contents of the files themselves, or are you concerned that they contain malicious content?

For pointers to looking for malicious content, I'd suggest https://zeltser.com/analyzing-malicious-documents/

Thanks for the quick response. I realize that my question is pretty open, but this is because I do not have any very specific suspicions. I do not think the files are malicious, but I do think that they may not be what they purport to be. I am looking for any way of gathering information about the files that might help me to confirm or deny this.

As I said, I already have the metadata provided by exiftool but wonder if there is any more that I might be able to do?

 
Posted : 23/12/2015 5:01 am
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

I do not think the files are malicious, but I do think that they may not be what they purport to be. I am looking for any way of gathering information about the files that might help me to confirm or deny this.

Maybe you can look at some of the analysis tools listed and try them out…list objects in the files, that sort of thing.

Good luck.

 
Posted : 23/12/2015 5:22 am
Passmark
(@passmark)
Posts: 375
Reputable Member
 

In various PDF viewers you can also view the document properties (File –> Properties in Adobe Reader). This will for the most part be a duplicate of the Exif information, but there might be something extra, like the security settings.

 
Posted : 23/12/2015 5:26 am
MDCR
 MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Late response, but you may want to look at Didier Stevens PDF utilities

Link pdf-tools/

 
Posted : 03/01/2016 8:44 pm
Share:
Share to...