Digitally Signed and Permission Restricted PDF Files: a Case Study on Digital Forensics

The PDF format is the de facto standard for many types of documents. A digital forensic investigation is often faced with a significant volume of PDF files. It is thus important to filter PDF files, giving priority to files that have a high probability of carrying important and meaningful data. In this paper, we focus on identifying potentially important PDF files by selecting i) digitally signed files and ii) files that have special owner restrictions set, such as interdiction to assemble/separate pages. For this purpose, we present the Python-based digiSign|protectedPDF module for the open source Autopsy forensic software. When run over a digital forensic data source, the module creates two lists: one holding the digitally signed files and another with files that have special restrictions on their usage. To study the occurrence of digitally signed and permission-protected PDF files and their importance for digital forensics, we analyzed a Windows 10 forensic image, finding that 2.81% of the PDF files were digitally signed and 3.75% were permission-protected. The study shows that digitally signed PDF files can harbor meaningful data for a digital forensic investigation.
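The two selection criteria can be illustrated with a short triage routine. This is an added example, not code from the digiSign|protectedPDF module: the function names are hypothetical, the scan is a byte-level heuristic that assumes the signature and encryption dictionaries are stored uncompressed, and the permission bit meanings follow the `/P` entry of the standard security handler (ISO 32000-1, Table 22).

```python
import re

# Permission bits of the /P entry (1-indexed from the low-order bit).
PERMISSION_BITS = {
    3: "print", 4: "modify", 5: "copy", 6: "annotate",
    9: "fill_forms", 10: "extract_accessibility",
    11: "assemble", 12: "print_high_quality",
}

# A signature dictionary carries /ByteRange with four integers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*\d+\s+\d+\s+\d+\s+\d+\s*\]")
# \b keeps /EncryptMetadata from matching.
ENCRYPT = re.compile(rb"/Encrypt\b")
# /P followed by an integer, but not an indirect reference such as "/P 3 0 R".
P_ENTRY = re.compile(rb"/P\s+(-?\d+)\b(?!\s+\d+\s+R)")


def denied_permissions(p_value):
    """Return the operations whose permission bit is cleared in /P."""
    flags = p_value & 0xFFFFFFFF  # /P is a signed 32-bit integer
    return [name for bit, name in PERMISSION_BITS.items()
            if not flags & (1 << (bit - 1))]


def triage_pdf(data):
    """Classify raw PDF bytes as signed and/or permission-restricted."""
    result = {"signed": False, "restricted": False, "denied": []}
    if b"%PDF-" not in data[:1024]:
        return result  # no PDF header near the start of the file
    result["signed"] = BYTE_RANGE.search(data) is not None
    if ENCRYPT.search(data):
        match = P_ENTRY.search(data)
        if match:
            result["denied"] = denied_permissions(int(match.group(1)))
            result["restricted"] = bool(result["denied"])
    return result


# Constructed fragments for illustration (not complete PDF files).
SIGNED_SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
                 b"/ByteRange [0 840 960 240] /Contents <00> >>\nendobj\n%%EOF")
RESTRICTED_SAMPLE = (b"%PDF-1.6\n4 0 obj\n<< /Type /Annot /P 3 0 R >>\nendobj\n"
                     b"5 0 obj\n<< /Filter /Standard /V 2 /R 3 /P -1025 >>\n"
                     b"endobj\ntrailer\n<< /Encrypt 5 0 R >>\n%%EOF")
```

A hit from this scan only prioritizes a file for review; validating the signature itself requires a PDF library and the signer's certificate chain.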
