Attackers often bind payloads, malware and viruses to normal-looking files such as JPG or PDF. In this digital forensic tutorial we are going to learn how to find out whether a PDF file is suspicious, on our Kali Linux machine.
For this digital forensic inspection we are going to use the peepdf tool. peepdf is a Python-based command line tool that explores PDF files in order to find out whether a file is harmful or not. peepdf comes pre-installed with Kali Linux. Its main features are the following:
- Decoding: hexadecimal, octal, name objects.
- References in objects, and where an object is referenced.
- String search, including streams.
- Analysis of the physical structure.
- Logical tree structure.
- Extraction of metadata, also from encoded and encrypted files.
- Modifications between versions (changelog).
- Analysis of compressed objects.
- Shellcode analysis.
- JavaScript analysis and modification.
- Checking hashes on VirusTotal.
- Modifying PDF files without opening them.
- Basic PDF creation.
Let's run this tool in our Kali Linux system. We run the following command to see the help menu of this tool. The screenshot of the command is the following:
In the above screenshot we can clearly see the options and their uses. Some examples:
- -i flag for the interactive console mode.
- -c flag checks the hash of the PDF on VirusTotal.
- -f flag uses force mode, ignoring errors.
- -m flag is for the manual mode.
- -x flag shows the file in XML format.
- -j flag shows the PDF file in JSON format.
Let's start checking the PDF files one by one. For this tutorial we just use the -f flag to ignore any errors during our scan. In our Desktop directory we open a terminal and type the following command to test the test.pdf file:
The screenshot is the following:
We can see that we got something suspicious. We can check this file's hashes against VirusTotal's database. To do this we apply the following command:
This will show us the information and the CVE used to make this file.
Let's check the other PDF file in the same way.
The screenshot is the following:
We can clearly see that we did not get any Stranger Things in this file.
In this way we can analyze a PDF file and its hashes without opening it, using the peepdf tool.
Digital forensic experts can find this tutorial useful. For more tutorials like this, visit our website regularly, and for updates follow us on Facebook, Twitter, Blogger and Medium. We are everywhere.
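As an added example (not from the original post and not peepdf's own code), the following Python script does the same kind of static triage on a PDF's raw bytes without ever opening it in a viewer: it resolves hex-escaped name objects, counts the suspicious elements, and prints the hashes you would look up on VirusTotal. The keyword list and the two sample PDFs are constructed for this example and are assumptions, not taken from the tutorial.

```python
import hashlib
import re
import sys

# Keywords commonly reported as suspicious elements in PDF triage (constructed list,
# chosen to mirror what a peepdf scan flags; not copied from peepdf's source).
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/AcroForm")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF name objects (/J#61vaScript -> /JavaScript),
    a common trick for hiding keywords from naive keyword scanners."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the raw file, for a VirusTotal lookup without uploading it."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def triage(data: bytes) -> dict:
    """Static triage of a PDF's raw bytes; the file is never rendered in a viewer."""
    decoded = decode_names(data)
    found = {}
    for name in SUSPICIOUS_NAMES:
        # negative lookahead stops /JS from also matching longer names such as /JSX
        hits = re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", decoded)
        if hits:
            found[name] = len(hits)
    return {"hashes": file_hashes(data),
            "objects": len(re.findall(rb"\d+ \d+ obj", decoded)),
            "hex_escaped_names": decoded != data,
            "suspicious": found,
            "verdict": "suspicious" if found else "nothing suspicious"}

# Constructed sample PDFs (not real samples): one with an auto-run JavaScript action whose
# /JavaScript name is hex-escaped, and one plain page with no actions at all.
SAMPLE_SUSPICIOUS = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_CLEAN = SAMPLE_SUSPICIOUS.replace(b" /OpenAction 4 0 R", b"").replace(
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n", b"")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SUSPICIOUS
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it with a path argument to check a real file such as test.pdf; with no argument it analyzes the built-in suspicious sample.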