Blog >> Adobe Acrobat Reader

Investigating Adobe Acrobat Reader

08/04/2022 Friday

Adobe Acrobat Reader is part of Adobe family. It is a cross-platform application which enables the user to view, comment, sign, print, share, collect and track feedback of PDF files for free. The software offers a variety of other features such as creating, editing, and exporting PDF files; however, it requires the user to purchase a subscription.

Digital Forensics Value of Adobe Acrobat Reader Artifacts

Adobe Acrobat Reader is widely used by the general public as it has become an essential part in handling and interacting with PDF files. Adobe Acrobat Reader artifacts provide examiners with detailed information about the recently accessed files, the location of these files, and which files have been favorited by the user. Additionally, they enable the examiners to review information related to the logged in local user. Being able to track the history of files accessed using Adobe Acrobat Reader and other details can be critical during the digital forensic analysis process.

Location of Adobe Acrobat Reader Artifacts

Adobe Acrobat Reader artifacts are located in the NTUSER.dat registry hive at the following locations:

NTUSER.DAT\Software\Adobe\Acrobat Reader\DC\AVGeneral\
NTUSER.DAT\Software\Adobe\Acrobat Reader\DC\SessionManagement
NTUSER.DAT\Software\Adobe\Acrobat Reader\DC\ShareIdentity

Structure of Adobe Acrobat Reader Artifacts

Adobe Acrobat Reader artifacts are stored in NTUSER.DAT registry hive. The registry hive format is a binary file with a group of keys, subkeys, and values. Acrobat Reader key contains multiple subkeys that store information such as recently accessed files, the location of these files, and much more.

Analyzing Adobe Acrobat Reader Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Adobe Acrobat Reader artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Adobe Acrobat Reader artifacts:

ArtiFast can analyze Adobe Acrobat Recent Files, Recent Locations, General Info, Favorite Files, and User Information. For demonstration purposes, all the artifacts have been chosen, however, you have the option to select one or more artifacts.

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Adobe Acrobat artifact in ArtiFast software.

Adobe Acrobat Favorite Files Artifact

This artifact contains information related to the files that have been favorited by the user. The details you can view include:

• File Name - Name of the PDF file.
• File Path - Path of the PDF file.
• File Path Hex - Path of the PDF file in hexadecimal string.
• File Size - Size of the PDF file.
• File Source - Source of the file.
• Page Count - Number of pages of the PDF document.
• Host OS - The file host operating system.
• Favorite - Indicates whether the PDF file has been favorite by the user.
• Last Accessed Date/Time - Date/time when the file was last accessed.
• Last Update Date/Time - Date/time when the file was last updated.

Adobe Acrobat General Info Artifact

This artifact contains general information about the software on a Windows device. The details you can view include:

• Last Run Timestamp - Timestamp of when the software was last launched.
• Number of Opened Files - Indicates the number of opened files.
• Times Launched - The number of times the software was launched.
• Installation Location - The country where the software was installed.

Adobe Acrobat Recent Files Artifact

This artifact contains information about the recently opened files. The details you can view include:

• File Name - Name of the PDF file.
• File Path - Path of the PDF file.
• File Path Hex - Path of the PDF file in hexadecimal string.
• File Size - Size of the PDF file.
• File Source - Source of the file.
• Page Count - The number of pages of the PDF document.
• Host OS - The file host operating system.
• Last Accessed Date - Date/time when the file was last accessed.
• Last Update - Date/time when the key was last updated.

Adobe Acrobat Recent Locations Artifact

This artifact contains information about recent locations. The details you can view include:

• Folder Name - Name of the folder.
• Folder Path - Path to the folder.
• older Path Hex - Path of the folder in hexadecimal string.
• Last Update - Date/time when the key was last updated.

Adobe Acrobat User Information Artifact

This artifact contains information about the logged in local user. The details you can view include:

• First Name - First name of the user.
• Last Name - Full name of the user.
• User Email - Email address of the user.
• Last Write Date/Time - The date and time when the registry key was last modified.

For more information or suggestions please contact: asmaa.elkhatib@forensafe.com