Published by Ophelia Bryan. Modified over 9 years ago.
PDF Forensics. Slides by Grisha Kumar, with additions by Mr Staffen.
PDF (Portable Document Format). PDF is a document format from Adobe Inc. PDF metadata can be stored in a document information dictionary, in a metadata stream, or in both. The PDF standard supports embedding many types of files, such as images; embedded files may carry their own metadata.
make-pdf-javascript.py is one of a set of PDF tools written by Didier Stevens. It can be used to create a malicious PDF: it builds a simple PDF document with embedded JavaScript that executes when the document is opened.
– make-pdf-javascript.py [options] pdf-file
make-pdf-embedded.py creates a PDF file with an embedded file.
– make-pdf-embedded.py [options] pdf-to-embed pdf-file
PDFiD. PDFiD is a Python module written by Didier Stevens to analyze malicious PDFs. PDF files can carry embedded malicious code that runs on the user's system, e.g. JavaScript; PDFiD can analyze and sanitize such files. We are going to analyze a simple PDF file, a malicious PDF file, and an ordinary EXE file renamed with a .pdf extension. The tool is very helpful in verifying whether a PDF file is malicious or not.
PDFiD – String check. PDFiD counts occurrences of the following keywords: obj, endobj, stream, endstream, xref, trailer, startxref, /Page, /Encrypt, /ObjStm, /JS, /JavaScript, /AA, /OpenAction, /JBIG2Decode, /RichMedia, /Launch, /XFA
PDF (Portable Document Format) Terms:
AA :: an additional-actions dictionary defining a field's behaviour in response to trigger events
AcroForm :: a PDF file's interactive form dictionary
endobj :: marks the end of an object in a PDF file
endstream :: the end marker of a stream object in a PDF file
JavaScript :: a JavaScript dictionary containing JavaScript scripts
JBIG2Decode :: decompresses data encoded using the JBIG2 standard
JS :: a text string or stream containing JavaScript that is executed when the action is triggered
Launch :: launches an application, which usually opens a file
obj :: marks the beginning of an object in a PDF file
ObjStm :: object stream
OpenAction :: the destination that shall be displayed, or the action that is performed, when the PDF is opened
RichMedia :: interactive PDF elements
startxref :: follows the trailer keyword and gives the offset of the cross-reference stream
stream :: the beginning marker of a stream object in a PDF file
trailer :: provides a method to quickly find the cross-reference table and certain special objects
xref :: marks a cross-reference section in a PDF file
How to create a malicious PDF. The following commands can be used:
make-pdf-javascript.py creates a simple PDF document with embedded JavaScript that executes when the document is opened.
– make-pdf-javascript.py [options] pdf-file
make-pdf-embedded.py creates a PDF file with an embedded file.
– make-pdf-embedded.py [options] pdf-to-embed pdf-file
PDFiD Analysis. The PDFiD tool is run against two PDF documents:
– pdf_white: a simple PDF document taken off the internet, with no malicious content
– pdf_black: the same PDF document, with malicious content embedded
PDFiD – Analysis (White)
PDFiD – Analysis (Black)
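The string check and the white/black comparison above can be reproduced in a few lines. The following is an added example, not code from the slides or from Didier Stevens' PDFiD: it counts the same keywords over the raw bytes of a file, decodes #xx escapes inside names so that an obfuscated /J#53 is still counted as /JS, and reports which active-content keywords changed between a clean document and a suspect copy. The two sample PDFs, the /J#53 spelling and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# The keywords PDFiD counts, from the string-check list in the slides.
PDFID_KEYWORDS = [
    "obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
    "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
    "/JBIG2Decode", "/RichMedia", "/Launch", "/XFA",
]

# Keywords that mean "active content"; any non-zero count in a file that is
# supposed to be a plain document is the triage signal.
ACTIVE_CONTENT = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
                  "/RichMedia", "/XFA", "/JBIG2Decode"}

# Whitespace and delimiter characters that end a PDF token.
_DELIM = rb"\s/\[\]<>(){}%"
_NAME = re.compile(rb"/[^" + _DELIM + rb"]*")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name objects, so that /J#53 is counted as /JS.
    Without this step a trivially obfuscated name slips past a plain search."""
    def decode(name):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), name.group(0))
    return _NAME.sub(decode, data)


def _keyword_pattern(keyword: str):
    kw = keyword.encode()
    # The token must end right after the keyword, so /Page does not match /Pages.
    tail = rb"(?![^" + _DELIM + rb"])"
    # Bare keywords must also start a token, so "obj" is not counted inside "endobj";
    # names begin with "/", itself a delimiter, so they need no such check.
    head = b"" if kw.startswith(b"/") else rb"(?<![^" + _DELIM + rb"])"
    return re.compile(head + re.escape(kw) + tail)


_PATTERNS = {kw: _keyword_pattern(kw) for kw in PDFID_KEYWORDS}


def pdfid_counts(data: bytes) -> Dict[str, int]:
    """Count every PDFiD keyword in the raw bytes of a PDF (no parsing, no decompression)."""
    data = normalize_names(data)
    return {kw: len(pattern.findall(data)) for kw, pattern in _PATTERNS.items()}


def triage(data: bytes) -> List[str]:
    """Return the active-content keywords present, in PDFiD's column order."""
    counts = pdfid_counts(data)
    return [kw for kw in PDFID_KEYWORDS if kw in ACTIVE_CONTENT and counts[kw] > 0]


def diff_counts(white: bytes, black: bytes) -> Dict[str, Tuple[int, int]]:
    """The white/black comparison from the slides: keywords whose counts differ."""
    a, b = pdfid_counts(white), pdfid_counts(black)
    return {kw: (a[kw], b[kw]) for kw in PDFID_KEYWORDS if a[kw] != b[kw]}


# Constructed samples (assumptions, not the slides' pdf_white/pdf_black): a minimal
# clean PDF, and a copy whose catalog gains an /OpenAction pointing at a JavaScript
# action object whose /JS key is spelled /J#53.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"xref\n0 4\ntrailer\n<< /Size 4 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)

SUSPECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b'4 0 obj\n<< /S /JavaScript /J#53 (app.alert("constructed sample")) >>\nendobj\n'
    b"xref\n0 5\ntrailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)


if __name__ == "__main__":
    for name, pdf in (("pdf_white", CLEAN_PDF), ("pdf_black", SUSPECT_PDF)):
        print(name, "active content:", triage(pdf) or "none")
    for kw, (white, black) in diff_counts(CLEAN_PDF, SUSPECT_PDF).items():
        print(f"{kw:<12} white={white} black={black}")
```

Two caveats follow from how the check works. It only sees keywords that are present in plain text, so anything inside a compressed stream or an object stream (/ObjStm) is invisible to it; a non-zero /ObjStm count with zero /JS is a reason to look deeper with a parser, not a clean bill of health. And the name normalization is what makes a count meaningful: a file that spells the key /J#53 is just as active as one that spells it /JS.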
pdf-parser. This tool parses a PDF document to identify the fundamental elements used in the analyzed file; it does not render the document. The commands are run against pdf_black:
– pdf-parser.py --stats [pdf]
– pdf-parser.py --search javascript [pdf]
– pdf-parser.py --search javascript --raw [pdf]
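To show what the three commands above actually do, here is an added example, a minimal parser written for this page and not the pdf-parser tool itself. It splits a file into its indirect objects, groups them by /Type (the --stats view), searches object content case-insensitively (--search javascript), and returns a stream either as stored (--raw) or inflated when the object declares /FlateDecode. The sample PDF, its compressed script, the endstream-based stream extraction and all function names are assumptions made for the example.

```python
import re
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PdfObject:
    number: int
    generation: int
    dictionary: bytes          # object content up to the stream keyword (or all of it)
    stream: Optional[bytes]    # raw, still-encoded stream bytes, if the object has one


# "N G obj ... endobj" and "stream ... endstream". Simplification (assumption):
# the stream extent is taken from the endstream marker rather than from /Length.
_OBJECT = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_TYPE = re.compile(rb"/Type\s*/([A-Za-z]+)")


def parse_objects(data: bytes) -> Dict[int, PdfObject]:
    """Split a PDF into its indirect objects without rendering anything."""
    objects: Dict[int, PdfObject] = {}
    for m in _OBJECT.finditer(data):
        body = m.group(3)
        s = _STREAM.search(body)
        if s:
            dictionary, stream = body[: s.start()].strip(), s.group(1)
        else:
            dictionary, stream = body, None
        num = int(m.group(1))
        objects[num] = PdfObject(num, int(m.group(2)), dictionary, stream)
    return objects


def stats(objects: Dict[int, PdfObject]) -> Dict[str, List[int]]:
    """Like --stats: object numbers grouped by /Type."""
    grouped: Dict[str, List[int]] = {}
    for num, obj in sorted(objects.items()):
        t = _TYPE.search(obj.dictionary)
        grouped.setdefault(t.group(1).decode() if t else "(no /Type)", []).append(num)
    return grouped


def search(objects: Dict[int, PdfObject], term: str) -> List[int]:
    """Like --search: objects whose content contains the term, case-insensitively."""
    needle = term.lower().encode()
    return [num for num, obj in sorted(objects.items()) if needle in obj.dictionary.lower()]


def stream_content(obj: PdfObject, raw: bool = False) -> Optional[bytes]:
    """Like --raw (raw=True) versus the default: the stream as stored, or inflated
    when the object declares /FlateDecode."""
    if obj.stream is None:
        return None
    if raw or b"/FlateDecode" not in obj.dictionary:
        return obj.stream
    return zlib.decompress(obj.stream)


def find_script_sources(data: bytes) -> Dict[int, bytes]:
    """Follow each --search javascript hit to the stream its /JS key references and inflate it."""
    objects = parse_objects(data)
    found: Dict[int, bytes] = {}
    for num in search(objects, "javascript"):
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", objects[num].dictionary)
        if ref and int(ref.group(1)) in objects:
            content = stream_content(objects[int(ref.group(1))])
            if content is not None:
                found[num] = content
    return found


# Constructed sample (an assumption, not the slides' pdf_black): the script sits in a
# FlateDecode stream referenced from a JavaScript action, so tools that only scan the
# raw file bytes for strings do not see its text.
JS_SOURCE = b'app.alert("constructed sample, not a real payload");'
JS_STREAM = zlib.compress(JS_SOURCE)

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    + b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    + b"4 0 obj\n<< /Type /Action /S /JavaScript /JS 5 0 R >>\nendobj\n"
    + b"5 0 obj\n<< /Length " + str(len(JS_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + JS_STREAM + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("stats:", stats(objs))
    print("search javascript:", search(objs, "javascript"))
    print("raw stream 5:", stream_content(objs[5], raw=True))
    print("decoded stream 5:", stream_content(objs[5]))
```

The raw versus decoded distinction is the reason the parser step exists at all: the keyword count can tell you that object 4 is a JavaScript action, but the script itself only becomes readable after the referenced stream is inflated. Real files are frequently malformed on purpose (wrong /Length, missing endstream, cross-reference damage), which is why this example's endstream-based extraction is a simplification and pdf-parser carries far more recovery logic.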
Tools for Analyzing Adobe PDF Files
PDFiD identifies PDFs that contain strings associated with scripts and actions.
pdf-parser and Origami's pdfwalker examine the structure of PDF files.
Origami's pdfextract and Jsunpack-n's pdf.py extract JavaScript from PDF files.
PDF Stream Dumper combines many PDF analysis tools under a single graphical user interface.
Peepdf and Origami's pdfsh offer an interactive command-line shell for examining PDF files.
PDF X-RAY Lite creates an HTML report containing the decoded PDF file structure and contents.
SWF mastah extracts SWF objects from PDF files.
Pyew includes commands for examining and decoding the structure and content of PDF files.