Tools : peepdf, Foxit Reader
PDF files : forensics.pdf, linux.pdf and howto.pdf
Target : forensics.pdf
Now I am learning about computer forensics, and I have a problem with my PDF: it can't be opened.
This is the picture:
Now open peepdf from the BackTrack tools. Then I type “./peepdf.py -h” to learn how to use this tool.
root@archaveliano:/pentest/forensics/peepdf# ./peepdf.py -h
Usage: ./peepdf.py [options] PDF_file

Options:
  -h, --help            show this help message and exit
  -i, --interactive     Sets console mode.
  -f, --force-mode      Sets force parsing mode to ignore errors.
  -l, --loose-mode      Sets loose parsing mode to catch malformed objects.
  -s SCRIPTFILE, --load-script=SCRIPTFILE
                        Load the commands stored in the specified file and
                        execute them.
After that, I try to set console mode:
root@archaveliano:/pentest/forensics/peepdf# ./peepdf.py -i /media/BCA8-FC99/forensics.pdf
Error: Bad PDF header!! ()
OK, now I know that my PDF file has a bad header, so I try to find out what the PDF header should be. I need a normal
PDF file, so I take other PDF files to compare with my forensics.pdf. I choose linux.pdf and howto.pdf to
compare their headers with forensics.pdf.
Open linux.pdf, howto.pdf and forensics.pdf in hexedit. This is a screenshot:
Look at forensics.pdf: its header is different from linux.pdf and howto.pdf, so I edit the
forensics.pdf header from AA 50 44 AA 2D AA 2E to 25 50 44 46 2D 31 2E and save it.
Now I try to open forensics.pdf with Foxit Reader. And this is the result.
-=CMIIW=-
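
The header comparison and fix described above can also be scripted so that the evidence file is never edited in place. This is an added example, not code from the original post or from peepdf; the function names, the sample bytes after the header, and the max_bad threshold are assumptions made for illustration.

```python
import hashlib

PDF_MAGIC = b"%PDF-1."  # 25 50 44 46 2D 31 2E, the header bytes written in the post

# Constructed sample: a tiny PDF-like body behind the damaged header from the post.
SAMPLE = bytes.fromhex("AA5044AA2DAA2E") + b"4\n1 0 obj\n<< >>\nendobj\n%%EOF\n"

def header_diff(data, magic=PDF_MAGIC):
    """Return [(offset, found, expected)] for each header byte that differs."""
    head = data[:len(magic)]
    if len(head) < len(magic):
        raise ValueError("input is shorter than a PDF header")
    return [(i, head[i], magic[i]) for i in range(len(magic)) if head[i] != magic[i]]

def repair_header(data, magic=PDF_MAGIC, max_bad=3):
    """Return a copy of data with the header restored; the input is not modified.

    max_bad is an assumed threshold: with more differing bytes the file is
    probably another format, not a PDF with a damaged header.
    """
    diffs = header_diff(data, magic)
    if len(diffs) > max_bad:
        raise ValueError("%d of %d header bytes differ; not repairing"
                         % (len(diffs), len(magic)))
    return magic + data[len(magic):]

def repair_file(src, dst):
    """Write a repaired copy of src to dst; return (sha256 of src, sha256 of dst)."""
    with open(src, "rb") as f:
        original = f.read()
    fixed = repair_header(original)
    with open(dst, "wb") as f:
        f.write(fixed)
    return hashlib.sha256(original).hexdigest(), hashlib.sha256(fixed).hexdigest()

if __name__ == "__main__":
    for off, found, want in header_diff(SAMPLE):
        print("offset %d: found %02X, expected %02X" % (off, found, want))
    print(repair_header(SAMPLE)[:8])
```

Recording both hashes keeps a trail from the untouched original to the repaired working copy.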
Cool!!!

Hi there!
I'm the peepdf author and I would like to point out that you can use the -f option to ignore errors and continue analysing the PDF documents. This way you will have more information and you will force the execution of the tool ;)
Cheers!