PDF Analysis

PDF file analysis

Uploaded by

Hasibul Hasan
Forensics Analysis PDF

Name: analyzer name

Table of Contents

1. Case Background

2. Analysis tools name

3. Check Hash of all. 1 fadini.pdf

4. Full Information of all. 1 fadini.pdf

5. Check file Header

6. Metadata of all. 1 fadini.pdf

1. File Information

2. File Type

3. PDF Specific Information

4. Document Creation Details

7. Conclusion

1. Case Background

This report covers the forensic analysis of a PDF file. It examines whether the original PDF file has been
modified, the device the file was created from, the device it was printed from, and the date.

2. Analysis tools name

1. md5sum: This command-line utility calculates and verifies MD5 hashes (also known as
checksums) for files. It's often used to ensure file integrity by comparing the hash of a file to a
known value.
2. sha1sum: Similar to md5sum, this command computes SHA-1 hashes. SHA-1 is a cryptographic
hash function that produces a 160-bit hash value. While it’s more secure than MD5, it's still
considered weak against modern attacks.
3. sha256sum: This utility calculates SHA-256 hashes, which are part of the SHA-2 family.
SHA-256 produces a 256-bit hash value and is more secure than both MD5 and SHA-1. It’s widely
used for verifying data integrity.
4. peepdf.py: This is a Python script used for analyzing and extracting information from PDF files.
It can be helpful for security analysts and forensic investigators to understand and manipulate
PDF documents, including detecting malicious content.
5. hexedit: A hex editor allows you to view and edit the raw binary contents of files. It's useful for
examining file structures, debugging, and making low-level modifications.
6. exiftool: This is a powerful tool for reading, writing, and editing metadata in a variety of file
formats, including images, videos, and documents. It’s widely used for digital forensics and
managing metadata.

3. Check Hash of all. 1 fadini.pdf

MD5: 9df62321bff5710f8d11bf9d13f9a4e8

SHA1: 95b59d3aa9b3d55a25833c9ea167b85b41b4549f

SHA256: 1850e5c56fb7ad5926688099681f39ab1b78e381a87c04f340910888f5f751a8

Figure 1
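
The hash check above is only meaningful when the digests are compared against values recorded when the evidence was acquired. The following is an added example, not part of the original report: it parses a manifest in the output format of md5sum/sha1sum/sha256sum (handling file names that contain spaces, as this one does) and reports each comparison. The file name, file contents and manifest in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Hex digest length -> algorithm, as produced by md5sum / sha1sum / sha256sum.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_manifest(text):
    """Parse coreutils-style lines: hex digest, a space, ' ' or '*', file name."""
    entries = []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        digest, _, rest = line.partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or not name:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        entries.append((algo, digest.lower(), name))  # name may contain spaces
    return entries

def digest_file(path, algo):
    """Hash in 1 MiB chunks so large evidence files are never loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(manifest_text, base_dir="."):
    """Return {(file name, algorithm): bool} for every manifest entry."""
    results = {}
    for algo, expected, name in parse_manifest(manifest_text):
        actual = digest_file(os.path.join(base_dir, name), algo)
        results[(name, algo)] = actual == expected
    return results

def demo():
    """Constructed evidence file: verify it, append one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        name = "sample 1 evidence.pdf"  # constructed name containing spaces
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"%PDF-1.7\nconstructed sample bytes\n%%EOF\n")
        manifest = "\n".join(f"{digest_file(path, a)}  {name}"
                             for a in ALGO_BY_HEXLEN.values())
        before = verify(manifest, d)
        with open(path, "ab") as fh:
            fh.write(b" ")  # one appended byte changes every digest
        return before, verify(manifest, d)
```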

4. Full Information of all. 1 fadini.pdf

The first picture shows what kind of file this actually is, what kind of encoding it uses, and
its version.

Figure 2

all. 1 fadini.pdf appears to be a PDF document with the following characteristics:

• Size: Approximately 1 MB (1,008,077 bytes).

• Version: PDF version 1.7.

• Binary: Yes, it is a binary file.

• Linearized: Yes, it is optimized for fast web view.

• Encrypted: No, it is not encrypted.

• Updates: The document has been updated once.

• Objects: It contains 20 objects and 11 streams.

• Errors: There are no significant errors reported in the structure.

Details of Versions:

• Version 0:

o Contains basic information such as catalog and info objects.

o Includes two objects and one stream.

• Version 1:

o Contains 18 objects, including additional compressed and encoded objects.

o Includes 10 streams and has a more complex structure with object streams and xref
streams.

o Some objects encountered decoding errors, specifically objects 16 and 4.

This summary suggests the PDF is well-structured, with a version that supports advanced features of PDF
1.7, and it’s primarily intended for consistent and efficient display, likely in a web environment due to its
linearized format.

Figure 3

Text Output of the Command

File: all. 1 fadini.pdf

MD5: 9df62321bff5710f8d11bf9d13f9a4e8

SHA1: 95b59d3aa9b3d55a25833c9ea167b85b41b4549f

SHA256: 1850e5c56fb7ad5926688099681f39ab1b78e381a87c04f340910888f5f751a8

Size: 1008077 bytes

Version: 1.7

Binary: True

Linearized: True

Encrypted: False

Updates: 1

Objects: 20

Streams: 11

URIs: 0

Comments: 0

Errors: 0

Version 0:

Catalog: 12

Info: 8

Objects (2): [10, 11]

Streams (1): [11]

Xref streams (1): [11]

Encoded (1): [11]

Version 1:

Catalog: 12

Info: 8

Objects (18): [1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16, 17, 18, 19, 20]

Compressed objects (5): [17, 15, 3, 8, 7]

Errors (2): [16, 4]

Streams (10): [20, 14, 16, 18, 19, 2, 4, 5, 6, 9]

Xref streams (1): [9]

Object streams (3): [14, 2, 6]

Encoded (10): [20, 14, 16, 18, 19, 2, 4, 5, 6, 9]

Decoding errors (2): [16, 4]

PPDF>

5. Check file Header

The third picture shows the header of the PDF file; I used hexedit for this.

Figure 4
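
The header inspection here and the "Updates" and "Linearized" fields in section 4 can be cross-checked directly from the raw bytes. The following is an added example, not part of the original report or of peepdf: it reads the `%PDF-x.y` header, looks for the linearization dictionary and counts `%%EOF` markers. A linearized file carries two `%%EOF` markers by design, so only markers beyond that point to an appended revision. The byte strings are constructed skeletons, and the scan is a heuristic that does not decode streams.

```python
import re

def pdf_structure(data: bytes) -> dict:
    """Heuristic marker scan; stream contents are not decoded or parsed."""
    head = data[:1024]
    header = re.search(rb"%PDF-(\d\.\d)", head)
    linearized = re.search(rb"/Linearized\s+[\d.]+", head) is not None
    eofs = [m.end() for m in re.finditer(rb"%%EOF", data)]
    # A linearized file has two %%EOF markers by design: one closing the
    # first-page cross-reference section and one at the end of the file.
    expected = 2 if linearized else 1
    return {
        "version": header.group(1).decode() if header else None,
        "header_offset": header.start() if header else None,  # >0: leading bytes
        "linearized": linearized,
        "eof_markers": len(eofs),
        "extra_revisions": max(len(eofs) - expected, 0),
        # Non-whitespace bytes after the final %%EOF (appended data).
        "trailing_bytes": len(data[eofs[-1]:].strip()) if eofs else None,
    }

# Constructed skeletons (marker layout only, not renderable PDFs).
FIRST_PAGE = (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
              b"10 0 obj\n<< /Linearized 1 /N 2 >>\nendobj\n"
              b"trailer\n<< /Size 21 >>\nstartxref\n0\n%%EOF\n")
MAIN_BODY = b"1 0 obj\n<< /Type /Catalog >>\nendobj\nstartxref\n116\n%%EOF\n"
AS_SAVED = FIRST_PAGE + MAIN_BODY
# The same file after an incremental save appended a new revision.
EDITED = AS_SAVED + (b"1 0 obj\n<< /Type /Catalog /Lang (en) >>\nendobj\n"
                     b"startxref\n170\n%%EOF\n")
```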

6. Metadata of all. 1 fadini.pdf

Figure 5

ExifTool Version Number : 12.67

File Name : all. 1 fadini.pdf

Directory : .

File Size : 1008 kB

File Modification Date/Time : 2024:09:11 07:33:40-07:00

File Access Date/Time : 2024:09:12 08:11:46-07:00

File Inode Change Date/Time : 2024:09:12 08:11:14-07:00

File Permissions : -rw-------

File Type : PDF

File Type Extension : pdf

MIME Type : application/pdf

PDF Version : 1.7

Linearized : Yes

Page Count : 2

Producer : macOS Versione 14.4.1 (Build 23E224) Quartz PDFContext

Creator : SCX-8123

Create Date : 2024:05:13 14:14:50Z

Modify Date : 2024:05:13 14:14:50Z

1. File Information

• File Name: all. 1 fadini.pdf

o The name of the file including its extension.

• Directory: .

o The file is located in the current directory.

• File Size: 1008 kB

o The size of the file is 1008 kilobytes.

• File Modification Date/Time: 2024:09:11 07:33:40-07:00

o The date and time when the file was last modified. In this case, it was modified on
September 11, 2024, at 07:33:40 AM Pacific Daylight Time (PDT).

• File Access Date/Time: 2024:09:12 08:11:46-07:00

o The date and time when the file was last accessed, which was on September 12, 2024, at
08:11:46 AM PDT.

• File Inode Change Date/Time: 2024:09:12 08:11:14-07:00

o The date and time when the file’s inode (metadata) was last changed, which occurred on
September 12, 2024, at 08:11:14 AM PDT.

• File Permissions: -rw-------

o The file permissions indicate that only the owner has read and write access to the file. No
other users or groups have permissions.

2. File Type

• File Type: PDF

o Indicates that the file is a PDF document.

• File Type Extension: pdf

o The file extension for PDF files.

• MIME Type: application/pdf

o The MIME type for PDF documents, used to identify the file type over the internet.

3. PDF Specific Information

• PDF Version: 1.7

o The version of the PDF specification used. Version 1.7 is one of the more recent versions
and includes various enhancements over earlier versions.

• Linearized: Yes

o Indicates that the PDF is linearized (also known as optimized for fast web view), which
means it is structured to allow quick access to the first page of the document while the
rest of the document is still downloading.

• Page Count: 2

o The document contains 2 pages.

4. Document Creation Details

• Producer: macOS Versione 14.4.1 (Build 23E224) Quartz PDFContext

o This indicates the software and version used to produce the PDF. In this case, it was
created using macOS's Quartz PDFContext in version 14.4.1.

• Creator: SCX-8123

o This suggests that the PDF was created by a Sharp SCX-8123 printer or scanner,
indicating that the document was likely generated from a scan or print job.

• Create Date: 2024:05:13 14:14:50Z

o The date and time when the PDF was created. The creation date is May 13, 2024, at
14:14:50 (UTC).

• Modify Date: 2024:05:13 14:14:50Z

o The date and time when the PDF was last modified, which is the same as the creation
date. This implies that no changes have been made to the document since its creation.
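
The timestamps in this section come from two sources: Create Date and Modify Date are stored inside the PDF, while the File Modification, Access and Inode Change times are filesystem attributes of the copy on the analysis machine. The following is an added example, not part of the original report: it parses the exiftool lines quoted above, converts every timestamp to UTC and sorts them into one timeline tagged by source. The function names are illustrative.

```python
from datetime import datetime, timezone

# Lines copied from the exiftool output above, including its spacing quirks.
EXIF_TEXT = """\
File Modification Date/Time : 2024:09:11 07:33:40-07:00
File Access Date/Time : 2024:09:12 08:11:46-07:00
File Inode Change Date/Time : 2024:09:12 08:11:14-07:00
Page Count :2
Producer : macOS Versione 14.4.1 (Build 23E224) Quartz PDFContext
Creator : SCX-8123
Create Date : 2024:05:13 14:14:50Z
Modify Date : 2024:05:13 14:14:50Z
"""

EMBEDDED = ("Create Date", "Modify Date")  # stored inside the PDF itself

def parse_exiftool(text):
    """Split 'Tag : value' on the first colon only; date values contain colons."""
    tags = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if sep:
            tags[tag.strip()] = value.strip()
    return tags

def to_utc(value):
    """Convert exiftool's 'YYYY:MM:DD HH:MM:SS' plus offset or 'Z' to UTC."""
    parsed = datetime.strptime(value, "%Y:%m:%d %H:%M:%S%z")
    return parsed.astimezone(timezone.utc)

def timeline(tags):
    """Return (utc_time, source, tag) tuples sorted oldest first."""
    events = []
    for tag, value in tags.items():
        if "Date" not in tag:
            continue
        source = "embedded" if tag in EMBEDDED else "filesystem"
        events.append((to_utc(value), source, tag))
    return sorted(events)

def filesystem_after_embedded(tags):
    """Filesystem timestamps later than the newest embedded PDF timestamp."""
    events = timeline(tags)
    newest = max(t for t, source, _ in events if source == "embedded")
    return [tag for t, source, tag in events
            if source == "filesystem" and t > newest]
```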

7. Conclusion

The forensic analysis of the PDF file all. 1 fadini.pdf indicates that the file is intact and has not been
modified since its creation. The MD5, SHA-1, and SHA-256 hashes all match the provided values,
confirming the file's integrity. Metadata reveals that the file was created and last modified on May 13,
2024, using a Sharp SCX-8123 printer or scanner and produced by macOS Quartz PDFContext. The PDF
adheres to the PDF 1.7 specification, is linearized for fast web viewing, and exhibits no significant
structural errors. While there are minor decoding errors in objects 16 and 4, these do not affect the overall
usability or integrity of the document. Thus, all. 1 fadini.pdf is confirmed to be a genuine, unaltered
document with a consistent creation and modification history and minimal issues.
