Saturday, January 12, 2013

Backtrack Forensics: pdf-parser

Menu: Forensics -> PDF Forensics Tools
Directory: /pentest/forensics/pdf-parser

This tool (also a Python script) was written by the same author as pdfid. Use pdfid for a quick first look at a file, then move to pdf-parser for a more detailed analysis. It actually parses the PDF file and identifies the objects inside it, but it does not render the PDF.

Some commands:

./ -a msf.pdf - display statistics about the file
./ msf.pdf - print the parsed output
./ -s Java msf.pdf - search for the string "Java" in the PDF and display every object in which it occurs
./ -o 5 msf.pdf - display only the object with ID 5
./ -o 5 -f msf.pdf - display only the object with ID 5 and apply its stream filter (only FlateDecode is supported)
./ -r 5 msf.pdf - display the objects that reference the object with ID 5

Display stats:

Display object 5:

Apply the filter to object 5, which reveals the JavaScript; we can see that it is obfuscated:

Check which objects reference object 5; here it is object 4:
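The same walkthrough (stats, object dump, FlateDecode filter, reference lookup) as a small standalone Python script, added here as an example; it is not part of the original post or of pdf-parser itself. It runs on a constructed PDF embedded in the script in which object 4 references object 5, matching the object numbers above, and its functions mirror the -a, -s, -o/-f and -r options.

```python
import re
import zlib
# Constructed sample, not real malware: obj 4 is a JS action, obj 5 its deflated code.
JS_CODE = b"app.alert('constructed sample');"
_DEFLATED = zlib.compress(JS_CODE)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
    b"5 0 obj << /Length " + str(len(_DEFLATED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _DEFLATED + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)  # "N G obj ... endobj"
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")                   # indirect reference "N G R"

def parse_objects(data):
    """Map object id -> body bytes for every indirect object in the file."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}

def stats(data):
    """Mirror -a: object and stream counts plus names worth a closer look."""
    bodies = list(parse_objects(data).values())
    return {"objects": len(bodies), "streams": sum(b"endstream" in b for b in bodies),
            "/JavaScript": sum(b"/JavaScript" in b for b in bodies),
            "/OpenAction": sum(b"/OpenAction" in b for b in bodies)}

def search(data, needle):
    """Mirror -s: ids of objects whose body contains needle (case-insensitive)."""
    needle = needle.lower()
    return sorted(i for i, b in parse_objects(data).items() if needle in b.lower())

def referencing(data, obj_id):
    """Mirror -r: ids of objects that hold an indirect reference to obj_id."""
    return sorted(i for i, b in parse_objects(data).items()
                  if obj_id in {int(r) for r in REF_RE.findall(b)})

def decoded_stream(data, obj_id):
    """Mirror -o N -f: the object's stream, inflated when /FlateDecode is set."""
    body = parse_objects(data)[obj_id]
    m = re.search(rb"stream\r?\n(.*?)\nendstream", body, re.S)
    if m is None:
        return None
    return zlib.decompress(m.group(1)) if b"/FlateDecode" in body else m.group(1)

if __name__ == "__main__":
    print(stats(SAMPLE_PDF), referencing(SAMPLE_PDF, 5), decoded_stream(SAMPLE_PDF, 5))
```

Real samples break these simple regexes in ways pdf-parser handles (object streams, other filters, deliberately malformed syntax), so treat the script as an illustration of what the tool does rather than a replacement for it.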

Official website:
