Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Determining author from PDF

from [Darren Stephens] Network Security [Permanent Link]
Subject: RE: Determining author from PDF
Date: Thu, 2 Jun 2005 09:28:25 +0100 
I think this very much depends which tool is used to generate the final PDF
object.

I just checked out some of my own docs, generated using pdflatex., where the
author (and most other PDF meta data attributes) can be set by the user as TeX
frontmatter, for example like this:

\usepackage{hyperref}
\hypersetup{
        pdftex,
        baseurl={},
        verbose=false,
        bookmarksnumbered=true,
        a4paper,
        bookmarksopen,
        colorlinks,
        plainpages,
        backref,
        pdfstartview=FitH,
        pdfpagemode={UseOutlines},
        pdftitle = {A Title Here},
        pdfauthor= {Darren Stephens},
        pdfcreator= {LaTeX},
        pdfproducer= {pdfLatEX 1.2a},
        pdfsubject= {Subject here},
        pdfkeywords= {keywords here}
}

So obviously I could put any value I like in the author field. However, the
attbiutes below are certainly the ones to look for.


-----Original Message-----
From: Johnathan Bridbord [mailto:jbridbord@doar.com]
Sent: Wednesday, June 01, 2005 7:32 PM
To: NEWELL Craig -TSDC; forensics@securityfocus.com
Subject: RE: Determining author from PDF

Craig,

While examining a PDF you may want to parse the following attributes:

<<PDF FileName>>
<<PDF Version>>
<<PDF Security>>
<<PDF PageCount>>
<<MediaBox>>
<<page 0 MediaBox>>
<<CropBox>>
<<page 0 CropBox>>
<<OpenAction>>
<<Title>>
<<Keywords>>
<<Subject>>
<<Creator>>
<<Author>>
<<CreatedDate>>
<<Producer>>
<<ModifyDate>>
<<SavedBy>>
<<Rotate>>
<<PageMode>>
<<ViewReference>>
<<PageLayout>>
<<MetaData>>
<<File Pages Count>>


Best,
JB


Johnathan Bridbord, CISSP/CIFI
Senior Forensic Examiner
DOAR Litigation Consulting
DD:  (516) 823-4077
Fax:  (516) 823-4400
jbridbord@doar.com  www.DOAR.com

-----Original Message-----
From: NEWELL Craig -TSDC [mailto:craig.newell@torsdc.ca]
Sent: Tuesday, May 31, 2005 3:25 PM
To: forensics@securityfocus.com
Subject: Determining author from PDF

Hi,

When we open up a PDF in WordPad, we find an entry as follows:

/Creator (Acrobat Capture Server 2.01)
/CreationDate (D:20050207111015)
/Author (\376\377\000C\000L\000O\000W\000E\000S\000D\000A)
/Producer (Acrobat PDFWriter 4.05 for Windows NT) /ModDate
(D:20050207111015)

We are trying to find the creator of the PDF and if we look
at the author field, we get CLOWESDA. Is this the userid that
was logged in?

Cheers,

Craig Newell, CISSP
TSDC Security

New Horizon System Solutions/Inergi LP*
Toronto Service Delivery Centre
p: (416) 592-6723
c: (416) 992-2818
craig.newell@torsdc.ca
700 University Avenue, H2 F7
Toronto, Ontario M5G 1X6
* A member of Capgemini



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling,
management and tracking system please see:
http://aris.securityfocus.com





Content-Type: text/plain;

Checked by Hu-fw-scar


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Determining author from PDF, David MacDonald
Next by Date:  Re: Determining author from PDF, Bob Jones
Previous by Thread:  RE: Determining author from PDF, Johnathan Bridbord
Next by Thread:  Re: Determining author from PDF, David Jacoby
Indexes:  [Date] [Thread] [Top] [All Lists]