
files converted into .pdf artifacts

tibbs66
(@tibbs66)
Posts: 38
Eminent Member
Topic starter
 

Hi all,

Are there artifacts on a machine showing documents have been converted into .pdf's? If yes, what and where are those?

Thanks for any help!

Libby

 
Posted : 28/11/2018 1:45 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

There may be some…for example, the PDF metadata may show that the document originated as an MS Word document.

Depending upon how the file is converted to PDF, you may find the launch of that application by the user.

Another approach would be to try a conversion method, and image/analyze the system.

 
Posted : 30/11/2018 6:20 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hi all,

Are there artifacts on a machine showing documents have been converted into .pdf's? If yes, what and where are those?

Check when the PDF was born (internal metadata versus file stamp versus $MFT) and correlate this date/time with the typical execution artifacts like prefetch, shimcache and userassist. And check Event ID 7035/7036 if the spooler service was started for the printing process.

 
Posted : 30/11/2018 11:27 pm
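
Added example, not part of the original posts: a Python sketch of the metadata check the replies describe, reading /Creator, /Producer and /CreationDate from a PDF's Info dictionary and comparing the internal creation time with a file system creation time. It assumes an unencrypted PDF with plain literal-string Info entries; the sample bytes, the function names and the two-minute tolerance are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: an Info dictionary as a Word export might write it.
SAMPLE_PDF = (b"%PDF-1.5\n1 0 obj\n<< /Creator (Microsoft Word 2016) "
              b"/Producer (Microsoft Word 2016) "
              b"/CreationDate (D:20181128134502+01'00') >>\nendobj\n")

# Literal-string entries only; hex strings and object streams are not handled.
FIELD_RE = re.compile(
    rb"/(Creator|Producer|CreationDate|ModDate)\s*\(((?:\\.|[^\\)])*)\)")
DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    r"(?:([+\-Z])(?:(\d{2})'?(\d{2})?'?)?)?")

def info_fields(pdf_bytes):
    """Return Info entries; a later occurrence (incremental update) wins."""
    return {m.group(1).decode(): m.group(2).decode("latin-1")
            for m in FIELD_RE.finditer(pdf_bytes)}

def parse_pdf_date(value):
    """Convert D:YYYYMMDDHHmmSSOHH'mm' to UTC; a missing offset is read as UTC."""
    m = DATE_RE.match(value)
    if not m:
        return None
    defaults = (0, 1, 1, 0, 0, 0)  # month and day default to 1, time to 00:00:00
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], defaults)]
    offset = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
    if m.group(7) == "-":
        offset = -offset
    try:
        return datetime(*parts, tzinfo=timezone(offset)).astimezone(timezone.utc)
    except (ValueError, OverflowError):  # out-of-range field from a broken producer
        return None

def compare(pdf_bytes, fs_created_utc, tolerance=timedelta(minutes=2)):
    """Compare the internal CreationDate with a file system creation time."""
    fields = info_fields(pdf_bytes)
    internal = parse_pdf_date(fields.get("CreationDate", ""))
    delta = None if internal is None else fs_created_utc - internal
    return {"creator": fields.get("Creator"), "producer": fields.get("Producer"),
            "internal_created_utc": internal, "delta": delta,
            "consistent": delta is not None and abs(delta) <= tolerance}

if __name__ == "__main__":
    # File system creation time as read from the $MFT (constructed value).
    print(compare(SAMPLE_PDF, datetime(2018, 11, 28, 12, 45, 3, tzinfo=timezone.utc)))
```

The internal time that comes back is the window to line up against prefetch, shimcache and userassist entries for the application named in the creator and producer fields.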