Investigating Adobe Acrobat Reader
28/04/2023 Friday
Adobe Acrobat Reader is a software developed by Adobe Inc. to manage Portable Document Format (PDF) files. It was initially developed to preview PDF files but it is now supporting many other features such as editing, e-signing, and format-converting. The basic features are available to users for free, however, the app has a set of premium features available on a paid subscription.
Digital Forensics Value of Adobe Acrobat Reader
Adobe Acrobat Reader is widely used by users across different platforms. It collects and stores important information not only about the browsed files but also about users’ accounts. Analyzing such information can provide examiners with substantial information that will support digital forensic investigations.
Location of Adobe Acrobat Reader Artifacts
The location of Adobe Acrobat Reader artifacts has changed from the previously published blog.
Artifacts now can be retrieved from the NTUSER.dat registry hive at the following location:
NTUSER.DAT\Software\Adobe\Adobe Acrobat\DC
Analyzing Adobe Acrobat Reader Artifacts with ArtiFast
This section will discuss how to use ArtiFast Windows Adobe Acrobat artifacts from Windows machines and what kind of digital
forensic insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation,
at the Artifact Selection phase, you can select Adobe Acrobat artifacts.
ArtiFast can analyze Adobe Acrobat Recent Files, Recent Locations, General Info, Favorite Files, and User
Information. For demonstration purposes, all the artifacts have been chosen, however, you have the option to
select one or more artifacts.
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Adobe Acrobat artifacts in ArtiFast.
Adobe Acrobat Favorite Files
- File Name - Name of the PDF file.
- File Path - The file path.
- File Path Hex - The file Path in hexadecimal string.
- File Size - The Size of the file in bytes.
- File Source - The source of the file.
- Page Count - Indicates the number of pages of the document.
- Host OS - The file host operating system.
- Favorite - Indicates whether the PDF file has been favorite by the user.
- Last Accessed Date/Time - The date and time when the file was last accessed.
- Last Update Date/Time - The date and the time when the key was last updated.
Adobe Acrobat General Info
- Last Run Date/Time - Timestamp of when the software was last launched.
- Number of Opened Files - Indicates the number of opened files.
- Times Launched - Indicates the number of times the software was launched.
- Installation Geo Location - The country where the software was installed.
Adobe Acrobat Recent Files
- File Name - Name of the PDF file.
- File Path - The file path.
- File Path Hex - Path of the PDF file in hexadecimal string.
- File Size - The size of the file in bytes.
- File Source - Source of the file.
- Page Count - The number of pages of the PDF document.
- Host OS - The file host operating system.
- Last Accessed Date - The date and time when the file was last accessed.
- Last Update - The date and time when the key was last updated.
Adobe Acrobat Recent Locations
- Folder Name - The folder name.
- Folder Path - The folder Path.
- older Path Hex - Path of the folder in hexadecimal string.
- Host OS - The folder host operating system.
- Last Update -The date and time when the registry key was last update.
Adobe Acrobat User Information
- First Name - The account user first name.
- Last Name - The account user full name.
- User Email - The account user email address.
- Last Write Date/Time - Registry key last write date and time.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com
