peepdf -- PDF File Forensic Investigation

Many time attackers bind the payloads, malware, viruses with normal looking files like JPG, PDF etc. In this digital forensic tutorial we are going to learn how we can find a suspicious file from a PDF file on our Kali Linux machine.

peepdf kali linux digital forensic of PDF files


For this digital forensic inspection we are going to use peepdf tool. peepdf is a python based command line tool that explore PDF files in order to find out if the file is harmful or not. peepdf comes pre-installed with Kali Linux. The main features are following:
  • Decoding : Hexadecimal, octal, name objects.
  • References in objects and where an object is referenced.
  • String search with streams.
  • Analyze physical structure.
  • Logical tree structure.
  • Extract metadata from encoded and encrypted files also.
  • Modification between changelog (versions).
  • Analyze compressed objects.
  • Shellcode analysis.
  • Javascript analysis and modification.
  • Checking hashes on VirusTotal.
  • Modify PDF files without opening.
  • Basic PDF creation.
Let's run this tool in our Kali Linux system. We run following command to see the help menu of this tool.

peepdf -h
The screenshot of the command is following:-



In this above screenshot we can clearly see the options and the uses, some examples
  1. -i   flag for the interactive console mode, 
  2. -c  flag checks the hash of the PDF on VirusTotal.
  3. -f   flag uses force mode ignoring errors.
  4. -m flag is for the manual mode.
  5. -x  flag shows the file in XML format.
  6. -j   flag shows PDF file in JSON format.
Here we have two PDF files in our Desktop. One is a malicious PDF file another is the normal one. Let we check how we can find the malicious one, which have a payload on it.

testing PDF files


Let we start checking PDF files one by one For this tutorial we just use the -f flag to ignore any error in our scanning. In our Desktop directory we open a terminal and type following command to test the test.pdf file:

peepdf -f test.pdf
 The screenshot is following:

peepdf kali linux

We can see we got something suspicious. We can check this file's hashes on VirusTotal's database. To do this we apply following command:


peepdf -f -c test.pdf
This will show us the information and CVE used to make this file.


Let's check the other PDF file in the same way.

peepdf -f test2.pdf
The screenshot is following:

peepdf scan

We can clearly see that we did not got any Stranger Things in this file.

In this process we can analyze a PDF file and it's hashes without opening it using peepdf tool.
Digital Forensic experts can find this tutorial useful. For more tutorial like this Visit our website regularly and for updates follow us on Facebook, Twitter, Blogger and Medium. We are Everywhere.
peepdf -- PDF File Forensic Investigation peepdf -- PDF File Forensic Investigation Reviewed by Kali Linux on December 31, 2019 Rating: 5

No comments:

Please do not spam here. It is comment box not a spambox. Promotional links are not allowed.

Powered by Blogger.