Digitally Signed And Permission Restricted Pdf Files: A Case Study On Digital Forensics

The PDF format is the de-facto standard for many types of documents. Often a forensic digital investigation is faced with a significant volume of PDF files. It is thus important to filter PDF files, giving priority to files that have an high probability to carry important and meaningful data. In this paper, we focus on identifying potential important PDF files, selecting i) digitally signed files and ii) files that have special owner restrictions set, such as interdiction to assemble/separate pages. For this purpose, we present the python-based digiSign vertical bar protected PDF module for the open source Autopsy forensic software. When run over a digital forensic data source, the module creates two lists: one holding the digitally signed files and, another one with files that have special restrictions in their usage. To study the occurrence of digitally signed and of permission-protected PDF and their importance for digital forensics, we analyzed a Windows 10 forensic image, finding that 2.81% of the PDF files were digitally signed and 3.75% were permission-protected. The study shows that digitally signed PDF files can harbor meaningful data for a digital forensic investigation.