Notifications

Clear all

files converted into .pdf artifacts

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Bunnysniper 7 years ago

3 Posts

3 Users

0 Reactions

812 Views

RSS

tibbs66

(@tibbs66)

Eminent Member

Joined: 16 years ago

Posts: 38

Topic starter 28/11/2018 2:45 pm

Hi all,

Are there artifacts on a machine showing documents have been converted into .pdf's? If yes, what and where are those?

Thanks for any help!

Libby

Quote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

30/11/2018 7:20 pm

There may be some…for example, the PDF metadata may show that the document originated as an MS Word document.

Depending upon how the file is converted to PDF, you may find the launch of that application by the user.

Another approach would be to try a conversion method, and image/analyze the system.

ReplyQuote

Bunnysniper

(@bunnysniper)

Reputable Member

Joined: 13 years ago

Posts: 259

01/12/2018 12:27 am

Hi all,

Are there artifacts on a machine showing documents have been converted into .pdf's? If yes, what and where are those?

Check when the PDF was born (internal metadata versus file stamp versus $MFT) and correlate this date/ time with the typical execution artifacts like prefetch, shimcache and userassist. And check Event ID 7035/7036 if the spooler service was started for the printing process.

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
256 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed