Saturday, January 12, 2013

Backtrack Forensics: pdfid

Menu: Forensics -> PDF Forensics Tool
Directory: /pentest/forensics/pdfid

pdfid is a simple PDF analysis tool. It won't give us very detailed information, just a high-level overview, which can be enough in some cases, such as quick verification. For detailed analysis there are other tools. This one scans the PDF file for the following strings: obj, endobj, stream, endstream, xref, trailer, startxref, /Page, /Encrypt, /ObjStm, /JS, /JavaScript, /AA, /OpenAction, /JBIG2Decode, /RichMedia, /Launch. The tool can also rename some of the possibly malicious strings (like /JavaScript) and thus disarm the PDF, making it safe to open.

I created a malicious PDF for analysis with Metasploit using exploit:
exploit/windows/fileformat/adobe_geticon
and payload:
windows/meterpreter/reverse_tcp

Using the tool:

./pdfid.py /root/Desktop/forensics/pdf/msf.pdf - basic usage
./pdfid.py -e /root/Desktop/forensics/pdf/msf.pdf - extract more details
./pdfid.py -d /root/Desktop/forensics/pdf/msf.pdf - rename malicious strings

Basic run: (screenshot)

Display more information: (screenshot)

Disarming the PDF: (screenshot)

Reanalyze the disarmed PDF: (screenshot)

Additionally, with the -s option we can scan all PDFs in a directory.
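To show what the keyword scan and the -d disarm step described above actually do, here is a small added example in Python. It is not pdfid's own code (pdfid.py is Didier Stevens' tool); it is a simplified reimplementation written for this post. It counts the same keywords, tokenizes PDF name objects so that /Pages is not mistaken for /Page and hex-escaped names such as /J#61vaScript are still recognised as /JavaScript, and it disarms by swapping the case of the last character of a risky name (an assumed renaming scheme that keeps the file length unchanged; it need not match pdfid's exact scheme). The embedded PDF is a constructed sample, not the Metasploit file from the post.

```python
import re

# The keywords the post lists as what pdfid looks for.
KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
            "/OpenAction", "/JBIG2Decode", "/RichMedia", "/Launch"]
NAME_KEYWORDS = {k.encode() for k in KEYWORDS if k.startswith("/")}
BARE_KEYWORDS = [k.encode() for k in KEYWORDS if not k.startswith("/")]
# Names that trigger active content; disarming renames only these (assumed selection).
RISKY_NAMES = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch", b"/RichMedia"}

# A PDF name token: '/' followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a minimal PDF with an OpenAction, a page /AA entry and a
# hex-obfuscated /JavaScript name. Not a valid renderable document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (constructed placeholder script) >>
endobj
xref
0 5
trailer
<< /Root 1 0 R /Size 5 >>
startxref
0
%%EOF
"""


def normalize_name(raw):
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan(data):
    """Count the keywords. Returns (counts, hex_obfuscated), both keyed by keyword string.

    This is a triage heuristic like pdfid's: it does not parse the PDF, so a
    keyword inside a string literal or an unfiltered stream is counted too.
    """
    counts = {k: 0 for k in KEYWORDS}
    obfuscated = {}
    for kw in BARE_KEYWORDS:
        # Letter boundaries keep 'obj' from matching inside 'endobj' and
        # 'xref' from matching inside 'startxref'.
        pattern = rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pattern, data))
    for m in NAME_RE.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw)
        if name in NAME_KEYWORDS:
            key = name.decode()
            counts[key] += 1
            if raw != name:  # name was written with #xx escapes: worth flagging
                obfuscated[key] = obfuscated.get(key, 0) + 1
    return counts, obfuscated


def _swap_last_char(raw):
    """Swap the case of a raw name's last character without changing its length,
    so byte offsets in the xref table stay valid (assumed renaming scheme)."""
    m = re.fullmatch(rb"(.*)#([0-9A-Fa-f]{2})", raw, re.S)
    if m:  # the last character is itself a hex escape: re-escape the swapped byte
        swapped = bytes([int(m.group(2), 16)]).swapcase()
        return m.group(1) + b"#" + swapped.hex().upper().encode()
    return raw[:-1] + raw[-1:].swapcase()


def disarm(data):
    """Rename risky names so a viewer no longer recognises them; output is an
    analysis copy of the same length, not a cleaned document."""
    def rename(m):
        raw = m.group(0)
        return _swap_last_char(raw) if normalize_name(raw) in RISKY_NAMES else raw
    return NAME_RE.sub(rename, data)


if __name__ == "__main__":
    counts, obf = scan(SAMPLE_PDF)
    for kw in KEYWORDS:
        extra = f" ({obf[kw]} hex-obfuscated)" if kw in obf else ""
        print(f"{kw:<14}{counts[kw]}{extra}")
    cleaned = disarm(SAMPLE_PDF)
    after, _ = scan(cleaned)
    print("after disarm:", {k: after[k] for k in ("/JS", "/JavaScript", "/AA", "/OpenAction")})
```

Running it prints the same style of keyword table the tool shows, with the hex-obfuscated /JavaScript flagged separately, and the rescan of the disarmed copy reports zero for the renamed names while the obj/endobj counts are unchanged.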

Official website: http://blog.didierstevens.com/programs/pdf-tools/#pdfid
