Forensics of Adobe Software

Adobe software has become a ubiquitous part of the print, online, audio, and video realm and has cemented itself into just about every creative product consumers read, watch or download.

Adobe products, such as Photoshop, InDesign, Illustrator and Acrobat have become essential tools for designers, web developers, artists, criminals and forensic examiners. This report will examine the tools used—and misused—by criminals to hide and change images, information, how these tools are used by forensic examiners, as well as the security risks of Adobe products to the general public.

 

MS-Cybersecurity and Computer Forensics Program

Utica College

Abstract

Adobe software has become a ubiquitous part of the print, online, audio, and video realm and has cemented itself into just about every creative product consumers read, watch or download.

Adobe products, such as Photoshop, InDesign, Illustrator and Acrobat have become essential tools for designers, web developers, artists, criminals and forensic examiners. This report will examine the tools used—and misused—by criminals to hide and change images, information, how these tools are used by forensic examiners, as well as the security risks of Adobe products to the general public.

Since 1999, InDesign quickly became the de facto program for creating print document, eventually eclipsing QuarkXPress, which had cornered the desktop publishing market since the late 1980s (Girard, 2014). Along with the wider usage of InDesign came Photoshop and Acrobat, which are used for photo manipulation and PDF production, respectively.

 

The Forensics of Adobe Software

Photoshop is a tool that is fairly easy for people to use to alter images. The purposes can be artistic or nefarious. Author Fred Ritchin warned that the use of technology, such as Photoshop, to doctor images calls into question the believability of an image as a “document of social communication” (Pierini, 2015).

As the technology advances and the users’ abilities improve, it becomes more difficult to make the distinction between real and fake. There are cases, of course, where the photo editor did not take much care in his work and the results are plain to see. Figure 1 shows a manipulated photo from Victoria’s Secret. It is obvious that the model is holding a handbag of some sort, but the artist neglected to remove the straps from her hand. The tile on the floor behind the removed bag was also poorly drawn back in, and does not match the rest of the floor (Krawetz, 2009).

victoriassecretphotoshopFigure 1: Poorly manipulated image.

Another telltale sign of image manipulation is Error Level Analysis (ELA). ELA works by resaving images at 95% compression rate. The changes that are introduced are then calculated and areas of manipulation show up brighter as they deviate from the original (“Image Analysis, n.d.”). Figure 2 shows that the image was changed quite extensively by highlighting the changes in white. The entire dress was modified, and, as it has selectable colors on the original website, the color seen in the image is not the original.

 

elaFigure 2: Error Level Analysis (ELA) shows image modification.

Error Level Analysis can be performed online at fotoforensics.com. By uploading a JPG or PNG image to the site, the image is analyzed for ELA and the image’s metadata is also reported. The user also has the ability to select TinEye, to use the TinEye.com web service to find any similar images online (“FotoForensics, n.d.”).

In 2013, a photo of mourners in Gaza was selected as the World Press Photo of the Year. Experts became suspicious of the photo’s authenticity as they detected unusual light and shadows for the time it was purportedly taken. Two forensics experts came to somewhat different conclusions. Neal Kawetz concluded that there was significant alteration to the image and that, based on the XMP metadata, the image was comprised of four different images (figure 3). Forensic analyst Harry Farid concluded that the photo (figure 4) did go through alterations but it was no more than “burning and dodging” to adjust lightness (Anthony, 2013).

Screen Shot 2015-03-03 at 5.00.27 PMFigure 3: Metadata from the Gaza photo that Krawetz uploaded to fotoforensics.com.

 

 

Screen Shot 2015-03-03 at 5.06.40 PM
Screen Shot 2015-03-03 at 5.06.52 PM
Figure 4: The Gaza mourners photo and the ELA representation that shows extensive alterations.

 

Using Photoshop for dishonest purposes has been around for many years and makes it very easy to perpetrate, leading many people to believe what they are seeing until the image is proven fake. One of the most famous Photoshop fakes—and maybe one of the most insensitive—was the “911 Tourist.” The photo (figure 5) shows a man standing by a rail on the Twin Towers as one of the terrorists’ planes approaches. The photo was meant as a “joke,” taken by Hungarian tourist Peter Guzil, who was in New York—in 1997—and who Photoshopped the plane into the scene. (Note the timestamp.) The image spread virally via email (“Famous Photoshopped Fakes, n.d.”).

 

0220091154_M_fakes_tourist_guyFigure 5: Peter Guzil in New York—1997.

Photoshop and Acrobat are both Adobe products and are both available through the Adobe Creative Cloud subscription service. This makes using the programs, and experimenting with them, very convenient.

In the example below, figure 6 shows a two-layered image in Photoshop CC (2014). The bottom (background) layer is an image of a golf course. The secondary layer is a solid black overlay. The file is saved from Photoshop as a PDF and then opened in Adobe Acrobat Pro XI (figure 7). Although the image contains the golf course and the black overlay, the PDF only shows black. When the PDF is opened in Photoshop, it retains the layers and the black overlay can be unchecked, revealing the golf course below (figure 8).

 

fig6Figure 6: Two-layer (yellow circle) image created in Photoshop CC (2014).

 

 

 

fig7Figure 7: The Photoshop image is saved as a PDF and opened in Adobe Acrobat Pro XI.

 

fig8Figure 8: The PDF is opened in Photoshop, retaining the layers, which can be turned on and off (yellow circle) to reveal the hidden image.

This is a simple way to hide an image and send it, unsuspected, as a PDF. If the PDF is intercepted and opened in Acrobat, the only thing that would be seen is the black overlay. The recipient would have to be able to open the image to show layers—such as it was done using Photoshop. Using Acrobat’s Preflight functions do not reveal the presence of the golf course image (figure 9).

Another method of hiding information is with a tool such as OpenPuff. OpenPuff enables the user to hide data in several types of carriers, JPG, MP3, etc., and send it, unsuspecting, to the recipient. Without knowing the information is in there, an interceptor wouldn’t know to look for it. The recipient would have to have OpenPuff and the authentication to extract it (Zuckerman, 2013).

acrobatPreflightFigure 9: Acrobat’s Preflight does not show background image.

For several years, Photoshop has been an essential forensic tool for examiners and law enforcement personnel. An entire mini-industry has risen to meet the training demand, with companies such as Rocky Mountain Training offering Photoshop for Forensic Personnel courses for $600 (“Rocky Mountain, n.d.”).

Additionally, there are many books and CD training guides for examiners to use to learn the ins and outs of Photoshop such as Jim Hoerricks’ Forensic Photoshop (Hoerricks, n.d.).

Hoerricks makes the claim that Photoshop can withstand a “Swinton Six” challenge. The Swinton Six refers to a 2004 Connecticut legal case, State v. Swinton, in which Photoshop was used to created demonstrations of bite mark overlays to show that the defendant had bitten the victim (Guthrie & Mitchell, 2007).

The Swinton Six characteristics, as defined by the Connecticut Supreme Court, are:

  1. The computer equipment is accepted in the field as standard and competent and was in good working order
  2. Qualified computer operators were employed
  3. Proper procedures were followed in connection with the input and output of information
  4. A reliable software program was utilized
  5. The equipment was programmed and operated correctly
  6. The exhibit is properly identified as the output in question (Hoerricks, n.d.)

Photoshop is an essential tool for investigators to use in analyzing photographs. Even with poor quality photos, a trained Photoshop user can enhance the image in numerous ways by sharpening details, reducing shadows, reducing blur or noise, or zooming, amongst others. There are also plug-ins available that can be added to Photoshop to increase its usefulness to forensic examiners. One such plug-in is ClearID. ClearID is a non-destructive plug-in and can be used to analyze stills and video. ClearID also automatically hashes the image with a SHA-1 hash for verification. ClearID is part of the dTective suite of tools that can analyze many forms of image media (“ClearID: See All the Details, n.d.”).

PDF (Portable Document Format) files are as ubiquitous as JPG images. It would be nearly impossible for anyone to not handle a PDF file on a regular basis. PDFs were developed by Adobe and Adobe founder John Warnock wrote:

“Imagine being able to send full text and graphics documents (newspapers, magazine articles, technical manuals etc.) over electronic mail distribution networks. These documents could be viewed on any machine and any selected document could be printed locally. This capability would truly change the way information is managed.”

PDFs were based on Adobe PostScript, which was developed as a cross-platform means of transmitting and displaying documents with text and graphics. The new technology was announced at Seybold in 1991 (“The History of PDF, n.d.”).

Metadata in PDF files is easy to view. Although there are several metadata tools, such as pdfwalker, pdfid, and pdfmetadata, simply checking the PDFs Document Properties can provide a wealth of information. In the PDF, metadataadvisor.pdf, downloaded from msisac.cisecurity.org, the Properties show the program that created it, the author of the document, the date it was created, and more.

In this example, the metadata in the PDF shows that Margaret Morrissey created it; she used Microsoft Word on a Mac on October 24, 2011 at 2:45 in the afternoon (figure 10). That information was useful in “following the trail” to find the actual person who created the document, as her name does not appear on the PDF itself.

With the name extracted from the metadata, the location (Albany, NY) referenced in the document, and “cybersecurity initiatives” in the text, it can be concluded that the author of the PDF is Margaret Morrissey, Executive Assistant, New York State Cyber Security, Albany, NY, www.cscic.state.ny.us (Morrissey, 2011).

PDFmetadataFigure 10: Metadata of PDF file as viewed using the Document Properties function in Acrobat Pro XI.

 

Malware in PDF files has become pervasive. With ease of creating, disseminating and opening PDFs, this document format is ripe for exploitation. It is very common for a person to receive PDF files via email, sometimes from known sources and sometimes from innocuous looking sources. A mass email with a malware-infected PDF can be sent to thousands of people in seconds, with the effects not always seen once the PDF is opened. In the last few years, PDF attacks have doubled year-after-year (“Analyzing Malicious PDFs, 2013”).

Malware is commonly introduced into PDFs with javascript actions. These actions are launched when the PDF is opened or printed. There are many tools available for analyzing PDFs, both online and offline.

The Morrissey PDF, cited above, was uploaded to wepawet.org for analysis. The free online service returned a report showing that the PDF was clean (figure 11) (“Wepawet, n.d.”).

 

PDFjavascriptanalyzerFigure 11: Wepawet analyzed PDF and reported it was clean.

Digital signatures are a popular way of validating the authenticity of PDF documents. It is easy to digitally sign a PDF by providing a name and email address. Once the document has been digitally signed it cannot be modified (Segura, 2013).

However, the PDF can be opened in Photoshop, some changes can be made—the headline was removed in the example—and saved back as a PDF (figure 12). Once opened in Acrobat, it appears to be a valid, digitally signed PDF. The giveaway is if the reader tries to view the signing certificate and is unable to do so. But, the altered PDF looks just like one would expect it to without conducting any basic forensics on it.

 

 

Screen Shot 2015-03-04 at 10.00.56 PMScreen Shot 2015-03-04 at 9.57.06 PMFigure 12: The image on top is the valid signed PDF. On the right is the altered PDF, filtered through Photoshop, with the headline removed.

If one were to view the Document Properties of the altered and unaltered PDFs, it would be obvious there is a difference (figure 13). The original PDF was created by Ms. Morrissey on her Mac OSX 10.6.8 system and the altered PDF was produced via Photoshop. To the casual observer, this information would never be investigated and the fraudulent PDF would most likely be considered authentic and correct.

 

Screen Shot 2015-03-04 at 10.07.24 PMScreen Shot 2015-03-04 at 10.07.39 PMFigure 13: Metadata shows the PDF Producer for each document is different, indicating that it had been altered.

 

Photoshop and Acrobat are only two Adobe programs in their vast arsenal of software solutions. Although these two are widely used by the general public in either creating or viewing their output, Adobe InDesign is the most well known and most used application by graphic designers and publishers. QuarkXPress was, for many years, the de facto tool of publishers, but Adobe took over the market in a big way with InDesign. Many publications, such as Selling Power, The American Spectator and Today’s Campus, who had worked with QuarkXPress switched to InDesign later. InDesign hasn’t presented the forensics challenges that PDFs and Photoshop have, but it is interesting to note that, even in this seemingly innocuous program, there is metadata embedded that can be analyzed (Wheeler, 2008).

In the example, below, we see a September 2013 cover of The American Spectator magazine. By viewing the metadata (“Adobe InDesign Component Information”) by holding down the command key and selecting “About InDesign,” it can be seen that this document was originally created in July 2012 and modified several times. This could be an example of another’s work being appropriated and modified and passed off as original work (figure 14).

Screen Shot 2015-03-04 at 10.32.44 PMFigure 14: Metadata derived from Adobe InDesign file.

Adobe software continues to expand and become as much of our lives as Microsoft and Google. Many people aren’t aware of it, though. People may have heard of Flash and PDF, and maybe know someone who uses Illustrator or InDesign, but Adobe reaches far and wide—right into the consumers’ pockets. The Adobe Marketing Cloud, and its 2011 acquisition of PhoneGap, make Adobe a huge, unseen force, from the desktop to the printed page, to the screen on the latest smartphone (Koetsier, 2015).

Adobe weathered the storm when Apple blocked Flash from iPhone, but the increased use of HTML5 has made that pretty much a moot point. As Adobe usage grows, the vulnerabilities increase. Forensic examiners, law enforcement and the general public will need to be more vigilant about what they consume online and threats and security holes need to be investigated and patched immediately lest they spread to millions.

References

Analyzing Malicious PDFs. (2013, November 20). Retrieved March 5, 2015 from http://resources.infosecinstitute.com/analyzing-malicious-pdf/

Anthony, S. (2013, May 13). Was the 2013 World Press Photo of the Year Faked with Photoshop or Merely Manipulated? Retrieved March 2, 2015 from http://www.extremetech.com/extreme/155617-how-the-2013-world-press-photo-of-the-year-was-faked-with-photoshop

ClearID: See All the Details Your Evidence has to Offer. Retrieved March 5, 2015 from http://www.oceansystems.com/forensic/forensic-Photoshop-Plugins/index.php

Girard, D. (2014, January 13). How QuarkXPress Became a Mere Afterthought in Publishing. Retrieved March 2, 2015 from http://arstechnica.com/information-technology/2014/01/quarkxpress-the-demise-of-a-design-desk-darling/

Guthrie, C. & Mitchell, B. (2007, September 26). The Swinton Six: The Impact of State v. Swinton on the Authentication of Digital Images. Retrieved March 2, 2015 from http://www.stetson.edu/law/lawreview/media/the-swinton-six-the-impact-of-state-v-swinton-on-the-authentication-of-digital-images.pdf

Famous Photoshopped Fakes. (n.d.). Retrieved March 2, 2015 from http://www.foxnews.com/photoessay/0,4644,6636,00.html/#/photoessay/image/0220091154_M_fakes_tourist_guy-jpg

FotoForensics. (n.d.). Retrieved March 2, 2015 from http://fotoforensics.com

History of PDF, The. (n.d.). Retrieved March 5, 2015 from http://www.prepressure.com/pdf/basics/history

Hoerricks, J. (n.d.). Forensic Photoshop. Retrieved March 2, 2015 from http://www.blurb.com/b/196812-forensic-photoshop

Image Analysis Tools. (n.d.). Retrieved March 2, 2015 from http://www.mufon.com/image-analysis-tools.html

Koetzier, J. (2015, January 28). How Adobe is Embedding Its Marketing Cloud into Thousands of Mbile Apps—And Soon More. Retrieved March 4, 2015, from http://venturebeat.com/2015/01/28/how-adobe-is-embedding-its-marketing-cloud-into-thousands-of-mobile-apps-and-soon-more/

Krawetz, N. (2009, November 2). Body By Victoria. Retrieved March 2, 2015 from http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.htm

Morrissey, M. (2011, October 24). Metadata: A Backdoor Into Organizations. Retrieved March 5, 2015 from https://msisac.cisecurity.org/resources/reports/documents/metadataadvisory.pdf

Pierini, D. (2015, February 25). Day in the Life Series Mastermind Reflects of 25 Years of Photoshop. Retrieved March 2, 2015 from http://www.cultofmac.com/313469/day-life-series-mastermind-reflects-25-years-photoshop/

Rocky Mountain Training. (n.d.). Retrieved March 2, 2015 from http://www.rockymountaintraining.com/class_photoshop_forensics.php

Segura, J. (2013, February 4). Digital Certificates and Malware: A Dangerous Mix. Retrieved March 4, 2015 from https://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/

Wepawet. (n.d.). Retrieved March 4, 2015 from http://wepawet.iseclab.org./

Wheeler, C. (2008, July 23). InDesign Forensics: What Your Editor Knows About You. Retrieved March 4, 2015 from http://www.deke.com/content/indesign-forensics-what-your-editor-knows-about-you

Zuckerman, E. (2013, January 29). Review: OpenPuff Steganography Tool Hides Confidential Data in Plain Sight. Retrieved March 2, 2015 from http://www.pcworld.com/article/2026357/review-openpuff-steganography-tool-hides-confidential-data-in-plain-sight.html