Forensic Analysis of Residual Information in Adobe PDF Files
This work is addressed to digital forensic investigators and provides incremental insights into extracting and analyzing residual data in PDF files for use as evidence.
The paper tackles the problem of residual information in PDF files, which can reveal prior modifications and the writing process of a document. It explains why this information is stored, demonstrates a method to extract it, and shows how PDF attributes can be used to hide data.
In recent years, as electronic files have come to include personal records and business activities, these files can serve as important evidence in a digital forensic investigation. In general, the investigation of document files relies largely on data that can be verified using the file's own application program. However, in the case of the PDF file, which is widely used today, certain data, including data from before modifications were made, remains in the electronic document file unintentionally. Because such residual information may reveal the writing process of a file, it can be useful from a forensic viewpoint. This paper explains why the residual information is stored inside the PDF file and describes a way to extract it. In addition, we demonstrate that the attributes of PDF files can be used to hide data.
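The following is an added example, not code from the paper: it assumes the residual data comes from the PDF format's incremental-update mechanism (a mechanism the abstract does not name), in which an edit appends new object versions after the previous `%%EOF` instead of rewriting the file. The function names and the sample bytes are constructed for illustration; the code splits a file into its saved revisions and reports object bodies that a later revision replaced.

```python
import re

# Constructed sample, not a real document: a minimal PDF-like byte string whose
# second revision was appended as an incremental update. The xref tables are
# omitted and the startxref offsets are dummies; only object bodies matter here.
REV1 = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 25 >>\nstream\nBT (Draft: pay 500) Tj ET\nendstream\nendobj\n"
    b"trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)
REV2 = (
    b"4 0 obj\n<< /Length 25 >>\nstream\nBT (Final: pay 900) Tj ET\nendstream\nendobj\n"
    b"trailer\n<< /Size 5 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)
SAMPLE = REV1 + REV2

EOF_RE = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")
# Plain-text object scan. Assumption: objects are not packed into compressed
# object streams, which would have to be inflated before scanning.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

def split_revisions(data):
    """Return one byte slice per %%EOF marker: the bytes added by that save."""
    revisions, start = [], 0
    for m in EOF_RE.finditer(data):
        revisions.append(data[start:m.end()])
        start = m.end()
    return revisions

def objects_in(segment):
    """Map (object number, generation) to the object body found in a segment."""
    return {(int(n), int(g)): body.strip() for n, g, body in OBJ_RE.findall(segment)}

def superseded_objects(data):
    """Return (object id, revision number, old body) for each replaced object."""
    latest, residual = {}, []
    for idx, seg in enumerate(split_revisions(data), 1):
        for oid, body in objects_in(seg).items():
            if oid in latest and latest[oid][1] != body:
                residual.append((oid, latest[oid][0], latest[oid][1]))
            latest[oid] = (idx, body)
    return residual

if __name__ == "__main__":
    for oid, rev, body in superseded_objects(SAMPLE):
        print(f"object {oid} from revision {rev} was replaced; old body: {body!r}")
```

A viewer renders only the latest version of object 4, while the earlier body is still present in the file bytes and is recovered by the scan.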