I am trying to find any remnants of a specific PDF on a drive image. The goal is to prove that the file existed on this drive.
I have used FTK, EnCase and foremost to carve out complete files and fragments based upon PDF headers. I have collected some fragments to analyze. Now that I have the fragments how would one search or even view the fragments? I only have a printed copy of the original file to reference. Do the fragments need to be converted to some other format? Is there a way to append a file footer to make it readable in a PDF reader?
Thanks for any help you may be able to provide.
-Mark
Just looked at several PDFs on my machine in HEX and they all end with
n
trailer
<</Size 12>> <--- (Size varies between 6 and 20, 6 being most common)
startxref
116 <--- (RANDOM NUMBER HERE, 116 seems to be most common #)
%%EOF
After the header, most of the HEX is just code with a lot of formatting commands, nothing really to read.
PDF files can have multiple %%EOF markers as they are incrementally changed with each save. In the case of linearized PDFs, there will be two %%EOF markers even if the file has not been changed.
The number right before the last %%EOF is the byte offset to the start of the Cross Reference table which starts with "xref" tag and ends with the "startxref" tag appearing right before this offset number. If you see 116, then it is probably an unedited linearized PDF, and the %%EOF following the 116 is the end of your file (maybe).
It is really more in-depth than this, but I am running out the door for the weekend. I will check back for replies and more questions.
Chris