The Malicious and Forensic Uses of Adobe Software

by Jeffrey P. Macharyas

A Capstone Project Submitted to the Faculty of Utica College, August 2015, in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity

© Copyright 2015 by Jeffrey P. Macharyas. All Rights Reserved.

Abstract

Adobe Systems, Inc. publishes a large number of software applications, cloud storage, analytic tools and marketing tools that are used worldwide. According to Adobe, 99% of computers have Flash installed and 90% have Acrobat or Acrobat Reader (for viewing Adobe Portable Document Format [PDF] files) installed. This is near-universal use in the United States, but only 50% of computers in China and 25% of computers in Russia have PDF readers installed (Madrigal, 2012). In 2009, approximately 52.6% of targeted attacks used PDF exploits, compared with 65% in 2010, an increase of 12.4% (Danchev, 2011). Vulnerabilities in PDFs jumped from 11 in 2008 to 39 in 2009 and increased to 68 in 2010, which was closely followed by 66 in 2013. According to Verisign, seven bugs were reported in 2007 for Adobe Reader, 14 in 2008 and 45 in 2009. Moreover, Flash threats continue apace, and so do Adobe’s attempts to patch them. Adobe released Flash Player 17.0.0.188 on May 12, 2015 (Linux version 11.2.202.460). In addition to some cosmetic fixes, Adobe included several security fixes, which were categorized as “critical.” Photoshop is used to conceal and alter images and is also used to investigate images forensically. It has also become a tool of cyberbullies. The use of technology, such as Photoshop, to doctor images calls into question the believability of an image as a “document of social communication” (Pierini, 2015). In 2013, a breach was made possible by a vulnerability in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user” (Gallagher, 2013).
This research focused on the forensic value of some of the Adobe products as well as the means by which criminals use these products.

Keywords: Cybersecurity, Professor Christopher M. Riddell, Adobe, Photoshop, PDF, Adobe Flash, ColdFusion, InDesign, Steganography.

CAPSTONE PROJECT 2015 • UTICA COLLEGE • JEFFREY P. MACHARYAS

Acknowledgements

Thank you to Professor Christopher M. Riddell for the advice and assistance that made this report a success. A special shout-out goes to David Conway, my co-worker and editor at Florida Sportsman magazine, who went far beyond proofreading the words to asking pertinent questions and prodding me to fully explain the points I was making. Thank you, Stanley Noneze. Stanley was my online Cybersecurity classmate and has become a friend of mine. Stanley encouraged me the entire way and kept me focused and tuned in to the cybersecurity world, and I will be his second reader in Fall 2015. Thank you to Professor Steven Wray Wood for being my second reader all the way from Germany. To my wife, Sheila, who pretended to listen to me when I would emerge from the laundry room and exclaim: “Holy cow! Adobe just updated Flash again!” And to my sons, Collin and Jack, who introduced me to Zotero, a browser plug-in for creating citations and references, and granted me access to his Indian River State College library account to access books I could not find online, respectively. But, above all, I would like to especially dedicate this report to Kenneth J. “K.J.” Moran, my brother-in-law, best man, co-worker, fencing instructor, positive influence, and my sister’s husband. K.J. passed away, at only 53 years old, on January 23, 2015. He will be sorely missed.
Table of Contents

List of Illustrative Materials .... vi
The Malicious and Forensic Uses of Adobe Software .... 1
    Flash .... 2
    Photoshop .... 5
    Portable Document Format (PDF) .... 6
    ColdFusion .... 6
Literature Review .... 8
    Flash .... 8
    Photoshop .... 11
    Portable Document Format (PDF) .... 18
    ColdFusion .... 20
    Adobe Cloud .... 21
Discussion of the Findings .... 23
    Flash .... 24
    Photoshop .... 37
    Portable Document Format (PDF) .... 30
    ColdFusion .... 32
    InDesign .... 33
Future Research and Recommendations .... 34
References .... 38
Appendices .... 46
    Appendix A – Current/Supported Adobe Products .... 46
    Appendix B – Discontinued/Unsupported Adobe Products .... 47
Colophon .... 47

List of Illustrative Materials

Figure 1 – Poor Photoshop manipulation found in Victoria’s Secret catalog .... 11
Figure 2 – Photo of Situation Room includes Hillary Clinton and Audrey Tomason .... 12
Figure 3 – Clinton and Tomason removed from image in Der Tzitung newspaper .... 12
Figure 4 – Photoshop creation that looks realistic .... 13
Figure 5 – Time’s Photoshopped image compared to Newsweek’s original .... 13
Figure 6 – Gilbey’s Gin advertisement showing suspected subliminal images .... 14
Figure 7 – Satirical cover of Tiger Beat featuring President Obama .... 14
Figure 8 – President Obama’s birth certificate .... 16
Figure 9 – ColdFusion’s botnet control panel listing many entries for SecurePay .... 21
Figure 10 – Error Level Analysis (ELA) shows image modification .... 25
Figure 11 – Metadata from the Gaza photo uploaded to fotoforensics.com .... 25
Figure 12 – Gaza mourners photo and ELA representation shows alterations .... 26
Figure 13 – Peter Guzil in New York, 1997 .... 27
Figure 14 – Photoshop-enhanced image of rock formation appears to be a face .... 27
Figure 15 – Two-layer image created in Photoshop CC 2014 .... 27
Figure 16 – Photoshop image saved as a PDF and opened in Adobe Acrobat Pro XI .... 28
Figure 17 – PDF, in Photoshop, retains the layers, which can be turned on and .... 28
Figure 18 – Acrobat’s Preflight does not show background image .... 28
Figure 19 – Original PDF: Metadata: A Backdoor Into Organizations .... 29
Figure 20 – Metadata of PDF viewed using Document Properties Acrobat Pro XI .... 30
Figure 21 – Wepawet analyzed PDF and reported it was clean .... 31
Figure 22 – Validly signed PDF and altered PDF, filtered through Photoshop .... 31
Figure 23 – Metadata shows the PDF Producer for each document is different .... 31
Figure 24 – Metadata derived from Adobe InDesign file .... 33
Figure 25 – Photoshop used to alter high school yearbook photo .... 36

The Malicious and Forensic Uses of Adobe Software

Cyber threats are a pervasive problem in society, and many people invite them in without realizing that some commonly used computer programs and plug-ins are easy conduits for abuse. Flash, Photoshop, PDFs and ColdFusion are some of the programs used by an unsuspecting society; the programs are developed by Adobe Systems, Inc. Society also does not realize that criminals use these same programs to victimize them. According to Adobe, 99% of computers have Flash installed and 90% have Acrobat or Acrobat Reader (for viewing Adobe Portable Document Format [PDF] files) installed. This number is near-universal use in the United States, but only 50% of computers in China and 25% of computers in Russia have PDF readers installed (Madrigal, 2012). Although the installation numbers of Adobe products are lower in some countries, it is universally natural to share PDF documents via email or downloads, view websites containing Shockwave Flash (SWF) videos or animation, or look at images that may have been altered with Photoshop. Adobe Flash and PDFs are common vectors that expose victims to malware, deception and obfuscation without their knowledge. The purpose of this research was to examine how certain Adobe programs and files are manipulated for deceptive practices.
The most common programs and file types examined are Flash, Photoshop, PDFs and ColdFusion. This research also includes examination of some lesser-known, but popular, programs, such as InDesign and Illustrator. The research will address the following problems and situations:

• How are Adobe programs, primarily Flash, Photoshop, PDFs and ColdFusion, used for forensics and criminal purposes?
• What methods are used to manipulate files for the purposes of misleading people or altering perceptions?
• What are some of the forensic signs of evidentiary tampering, and how can authorities use this information to identify threats?

Some Adobe files, such as PDF (created from many different Adobe and non-Adobe programs) and SWF (created with Flash), have been in use since the 1990s and are notorious for abuse. They can, however, provide a wealth of forensic evidence, and authorities can use this information to identify threats and track down the sources. Adobe programs are typically used for benign purposes, but criminals have been able to hijack the programs, and the files created by them, to serve their malicious needs. Conversely, forensics analysts and law enforcement are using the Adobe programs to thwart the criminal threats. Since exploits via Adobe products are so pervasive, efforts need to be stepped up to identify the threats and for law enforcement and analysts to learn the proper use of the tools to eradicate them. Symantec’s MessageLab released a report in 2011 that stated:

PDF files outpace the distribution of related malicious attachments used in targeted attacks, and currently represent the attack vector of choice for malicious attackers compared to media, help files, HTMLs and executable files. PDFs now account for a larger proportion of document file types used as attack vectors.
Approximately 52.6% of targeted attacks used PDF exploits in 2009, compared to 65% in 2010, an increase of 12.4%. (Danchev, 2011)

Adobe has been a large target for criminals for many years. The mid-2000s were especially bad years for Adobe. In the early part of the century, however, Microsoft was a large target, and it remained so for several years. According to Verisign, seven bugs were reported in 2007 for Adobe Reader, 14 in 2008 and 45 in 2009. By comparison, bugs found in Microsoft products remained flat or declined in the same period. Wolfgang Kandek, the chief technology officer of Qualys, said of Adobe Reader in 2009, “It’s a huge focus for attacks now, around ten times more than Microsoft Office.” As a result of its complex code and its ubiquitous nature, TippingPoint researcher Pedram Amini says, “It’s a very good playground for exploitation” (Greenberg, 2009).

Russell Wasendorf, Sr., the owner of Peregrine Financial Group in Iowa, used Adobe software for exploitation and was sentenced to 50 years in jail in 2012 for fraudulently reporting brokerage accounts of more than $200,000,000, when they only amounted to $10,000,000. Wasendorf required that bank statements from US Bank be sent directly to him, unopened. He would then use a combination of scanners, ink-jet printers, Microsoft Excel and Photoshop to create counterfeit statements before sending them to accounting (Meyer & Massoudi, 2012).

Flash

History is replete with Flash exploits. In 2008, a phishing scheme, perpetrated by hackers, compromised 1,000 websites that served up a fake Flash Player. Users were duped into clicking a link in an email that purported to be from the Cable News Network (CNN). The email pretended to show the Top 10 News Stories of the day and alerted the user that their Flash Player needed to be updated. This exploit was made more maddening to the victims by the endless loop created when “cancel” was clicked: it returned the user to the first dialog box, and then back and forth again, with seemingly no way out (Lightstream, 2008). Once executed, it would install a program named “Antivirus XP 2008.” The program was used to falsely claim that other viruses were detected and that the user needed to buy the full version in order to remove them. It would then install additional code that could be used for criminal intent as well (Harshbarger, 2008).

Flash presents serious privacy concerns. Most websites will enable cookies to be downloaded to the user’s computer. Cookies are downloaded to the user’s system to keep track of preferences, clicks, visits, etc. Flash also has the ability to download its own form of cookies, which operate, and appear, similar to HTML cookies. In fact, due to the similarity between Flash and website cookies, it is possible to “back up” website cookies with Flash cookies after the user has manually cleared their cookies from their source. Even with privacy set to block cookies, visiting sites and watching videos will download and store Flash cookies. On Windows systems, these cookies are found in %APPDATA%\Macromedia\Flash Player\#SharedObjects (Hofman, 2014). Typical web cookies store only 4kb of data, whereas Flash cookies, or “Local Shared Objects,” store 100kb of data. Unlike web cookies, LSOs are not visible through the browsers’ cookie manager (Brinkmann, 2007). Companies claim that they do not collect personal data, only aggregated data over time, and that this data can then be used to create profiles. Several class-action lawsuits have been filed alleging that Flash cookies were collecting data against the claimants’ wishes.
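Because LSOs are invisible to the browser’s cookie manager, a privacy audit has to go to the #SharedObjects directory itself. The following Python script is an added example, not code from the paper: it walks such a directory, reads the TCSO header of each .sol file to recover the object name, and flags every object larger than the 4 KB a web cookie can hold. The directory layout, the header field offsets and the sample files it writes are assumptions labelled in the code.

```python
"""Audit Flash "Local Shared Objects" (LSOs): the .sol files Flash Player keeps
under %APPDATA%\\Macromedia\\Flash Player\\#SharedObjects on Windows.

Added example for this paper, not the author's code. It walks that directory,
reads the TCSO header of each .sol file to recover the object name and flags
every LSO larger than the 4 KB a normal web cookie can hold. The header layout
assumed here (0x00BF, big-endian length, "TCSO", six reserved bytes, 2-byte
name length, name, 4-byte AMF version) is the commonly documented .sol format;
the files written by build_sample_tree() are constructed samples.
"""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

WEB_COOKIE_LIMIT = 4 * 1024  # size a classic HTTP cookie may hold (4 KB)


@dataclass
class Lso:
    domain: str  # directory under #SharedObjects/<id>/ that names the site
    name: str    # object name taken from the TCSO header
    size: int    # file size in bytes
    path: str

    @property
    def exceeds_web_cookie(self) -> bool:
        return self.size > WEB_COOKIE_LIMIT


def parse_sol_name(data: bytes) -> Optional[str]:
    """Return the object name from a .sol header, or None if the file is malformed."""
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (declared,) = struct.unpack(">I", data[2:6])  # length of everything after byte 5
    if declared != len(data) - 6:
        return None  # truncated or padded file: do not trust the rest
    (name_len,) = struct.unpack(">H", data[16:18])  # bytes 10-15 are reserved
    name = data[18:18 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def build_sol(name: str, payload: bytes) -> bytes:
    """Construct a minimal AMF0 .sol file (sample data, not captured from Flash)."""
    name_b = name.encode("utf-8")
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name_b))
            + name_b + b"\x00\x00\x00\x00" + payload)
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


def audit_shared_objects(root: str) -> List[Lso]:
    """Collect every .sol file under root, largest first."""
    found: List[Lso] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, fn)
            parts = os.path.relpath(full, root).split(os.sep)
            # Assumed Flash layout: <random id>/<domain>/<swf path>/<name>.sol
            domain = parts[1] if len(parts) >= 3 else "(unknown)"
            with open(full, "rb") as fh:
                data = fh.read()
            found.append(Lso(domain, parse_sol_name(data) or "(unparseable)",
                             len(data), full))
    return sorted(found, key=lambda lso: lso.size, reverse=True)


def build_sample_tree() -> str:
    """Write a constructed #SharedObjects tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="SharedObjects-")
    samples = {
        ("ABC123XY", "tracker.example", "ads"): ("visitorProfile", b"\x00" * 90_000),
        ("ABC123XY", "video.example", "player"): ("volume", b"\x00" * 64),
    }
    for (rid, domain, sub), (name, payload) in samples.items():
        d = os.path.join(root, rid, domain, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name + ".sol"), "wb") as fh:
            fh.write(build_sol(name, payload))
    # A damaged file: valid magic but a length field that no longer matches
    with open(os.path.join(root, "ABC123XY", "video.example", "broken.sol"), "wb") as fh:
        fh.write(build_sol("broken", b"\x00" * 8)[:-4])
    return root


def report(root: str) -> List[str]:
    """One line per LSO; a leading '!' marks objects bigger than a web cookie."""
    lines = []
    for lso in audit_shared_objects(root):
        flag = "!" if lso.exceeds_web_cookie else " "
        lines.append(f"{flag} {lso.size:>7} B  {lso.domain:<18} {lso.name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_sample_tree())))
```

On a real machine, pass the #SharedObjects path named above to audit_shared_objects() instead of the constructed tree.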
One claimant, Sandra Person Burns, of Jackson, Mississippi, states:

I thought that in all the instructions that I followed to purge my system of cookies, I thought I had done that, and I discovered I had not. My information is now being bartered like a product without my knowledge or understanding. (Vega, 2010)

Part of the problem is simply the public’s lack of awareness that such a thing exists. Emmy Huang, of Adobe, freely stated to the New York Times in 2009: “It is accurate to say that the privacy settings people make with regards to their browser activities are not immediately reflected in Flash Player” (Soltani, Canty, Mayo, Thomas, & Hoofnagle, 2009).

Adobe Flash is a favorite vector of attack due to its wide use. This is compounded by the fact that many people are negligent in managing their patches and upgrades, making Adobe Flash ripe for mayhem (Krebs, 2015). Flash’s demise has been predicted for some time, but it still maintains popularity as a web player. Even though YouTube is transitioning to HTML5, it uses Flash as a fallback for video playback. Google Chrome will default to HTML5, but other browsers, such as Firefox, will default to Flash (Yegulalp, 2014). The number of websites that include Flash components has been declining steadily. From January 2011 to May 2015, the top 1,000 sites’ inclusion of Flash has fallen from 50% to 34% (“Trends,” n.d.). Due in large part to the burgeoning mobile market, Flash will see its numbers continue to dwindle as more and more ads are converted from Flash to HTML5. Greater mobile device usage, without Flash, will eventually drive it out of use (Trautman, 2014). Flash usage on mobile devices is not increasing. On August 16, 2012, Adobe removed Flash Player from Google Play for Android devices. Android was the phone of choice over Apple’s iPhone, in part, because Flash was available for it.
Adobe offered updates until September 2013, and it was not available for Android version 4.1 (Jelly Bean) or newer because it would, according to Adobe, “exhibit unpredictable behavior.” Apple’s primary objection to Flash was that it was a mouse-and-point program and did not lend itself to the touch-and-drag environment of mobile devices. Additionally, Flash is a drain on mobile device batteries and did pose significant security risks (Duncan, 2012). Another drawback of Flash is that its code is a “closed container,” which makes it a dead end for Search Engine Optimization (SEO). When spiders and bots index websites and encounter Flash objects, they’re viewed as empty boxes. The Flash objects cannot be indexed and are useless for SEO (Rick, 2014). HTML5, on the other hand, is coded more like a webpage, with searchable tags that can be embedded. Search engines can find and index these, making it much more search-friendly, especially when searching for a particular bit of content within a video (Trautman, 2014). Although Apple CEO Steve Jobs stated as far back as 2010 that Flash would be “no longer necessary,” it has been used since 1996, has been installed and continues to be used by millions of people, and will continue to be a potential threat for years to come (M, 2010).

Flash threats continue at a quick pace, and so do Adobe’s attempts to patch them as they arise. Adobe released Flash Player 17.0.0.188 on May 12, 2015 (Linux version 11.2.202.460). In addition to some cosmetic fixes, Adobe included several security fixes, which were categorized as “critical.” A “critical” rating is: “A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware” (Campbell, 2015).
Moreover, MITRE Corporation’s CVE Details website assigns this vulnerability its highest score of 10 because it can cause “Denial of Service Execute Code Overflow Memory Corruption” (CVE-2015-3090) and has 472 (as of June 2015) vulnerabilities to its credit. 2015 is on track to be the worst year for Flash exploits, trumping other years in the number of vulnerabilities with 94 so far. This number of exploits surpasses 2014’s record of 76, and, as of this writing, only half the year is over (Özkan, 2015). Adobe released another update to fix 13 new vulnerabilities on June 9, 2015. Version 18.0.0.160 fixed bugs that were not publicly exploited. These vulnerabilities could expose users of Flash Player to remote attacks that could allow hackers to access the underlying system as well (Mimoso, 2015). Two weeks later, on June 23, 2015, Adobe released another Flash update to address security concerns. This exploit targets Internet Explorer running on Windows 7 systems and below and older Firefox installations running on Windows XP. This update was version 18.0.0.194, released for Windows, Linux and Macintosh users (“Security Updates Available for Adobe Flash Player,” 2015). On July 14, 2015, Adobe discontinued inclusion of Flash in Acrobat XI and Reader XI, with the release of version 11.0.12. Adobe’s Known Issues release explains:

Acrobat and Reader no longer include Flash Player. Flash Player is necessary for Acrobat and Reader to display SWF files and Portfolio content in PDFs. If your system doesn’t have Flash Player, and you want to display SWF files and Portfolio content contained in PDFs, install Flash Player. If you open a PDF that requires Flash, a dialog prompts you to download and install the latest Flash player.
(“Known issues,” 2015)

Photoshop

Photoshop, Adobe’s popular photo-editing program, has been in use since the 1980s, when it was first developed in the basement of Ann Arbor, Michigan college professor Glenn Knoll. In February 1990, Photoshop 1.0 was launched and changed the digital image landscape forever (Story, 2000). Photoshop is unique among Adobe programs, as it is a useful tool for criminals as well as for forensic analysts and law enforcement agents, who can use it to track criminals and collect evidence. Photographic evidence is increasing in volume and complexity with the explosion of low-cost digital cameras, tablets, smartphones and other devices capable of containing a camera. This adds to the complexity of authenticating evidence in law cases. Lucy Thomson, writing for SciTech Lawyer, explains how this technological advancement can be used for criminal intent and obfuscation:

Were the records altered, manipulated, or damaged after they were created? Changes to photographs and videos can be made using Photoshop or graphic design programs, while hackers can alter websites, change databases, and other electronic media. Often they cover their tracks by changing audit log records. (Thomson, 2013)

Because of the ubiquity and complexity of digital fraud, trained analysts are in demand. There are many resources available to train them in Photoshop’s forensic uses. The City of St. Paul, Minnesota posted a job opening for a Forensics Analyst. The position required Photoshop skills along with other forensic skills.
The posting read, in part: “Utilizes Photoshop, Automated Fingerprint Identification Systems, lasers, cameras, analytical balances, and various chemical and physical latent print development techniques to develop and compare latent prints” (Haugech, 2015). Adobe’s Senior Solutions Architect, John Penn II, explains Photoshop’s use in law enforcement:

Sometimes, the critical clues are locked away behind sensor noise, poor lighting, blurry images or are in minute and hard to see details. Photoshop is a powerful tool in the hands of trained law enforcement, which can assist them in getting crucial information from digital media. (van den Bergh, 2013)

Photoshop can be used to conceal or alter images and can be used to investigate images forensically. Photoshop is easy to learn for altering and investigating images. Fred Ritchin, founding director of the Documentary Photography and Photojournalism Program at the International Center for Photography in New York City, warned that the use of technology, such as Photoshop, to doctor images calls into question the believability of an image as a “document of social communication” (Pierini, 2015). Photographs are two-dimensional representations of a three-dimensional world. When examiners analyze a 2D image, specialized skills are needed to extract information that can only be seen from a 3D perspective. It is important that forensic analysts can convert a 2D depiction into a 3D perspective. For example, a car is parked at the scene of a crime. The image is viewed from the broadside of the car and shows the license plate, but the license plate cannot be read clearly. Photoshop’s filters can be used to “rotate” the scene to make the license plate readable. Photoshop has filters and plug-ins that allow examiners to enhance 2D images to show enough 3D detail and obtain the information desired.
Photoshop’s “Vanishing Point” filter, for example, can be used to enhance 2D images enough to extract 3D perspectives from them (Farid, 2011).

Portable Document Format (PDF)

PDF files are as common as JPG images. It would be nearly impossible for anyone not to encounter a PDF file in the regular course of using a computer. Adobe founder John Warnock wrote about the promise of PDFs:

Imagine being able to send full text and graphics documents (newspapers, magazine articles, etc.) over electronic mail distribution networks. These documents could be viewed on any machine and any selected document could be printed locally. This capability would truly change the way information is managed. (Leurs, 2013)

Warnock’s comment was prescient. PDFs have changed the way information is managed. They have also increased the ways in which, and the frequency with which, information is mismanaged. PDFs are one of the most common vectors of remote exploitation. Victims can easily be sent PDFs in socially engineered emails, links to PDFs attached to websites, and drive-by exploitation by adding malicious PDFs to victim-visited websites (“Current PDF Threats,” 2014). Vulnerabilities in PDFs jumped from 11 in 2008 to 39 in 2009 and increased to 68 in 2010, which was closely followed by 66 in 2013. For comparison, the popular Microsoft Word had three in 2008, one in 2009, 16 in 2010 and 17 in 2013 (Özkan, n.d.).

ColdFusion

ColdFusion is an Adobe program that is used for web development. It was developed in 1995 but is still widely used today. ColdFusion’s appeal is that it handles database management well and its coding language is familiar to web developers. ColdFusion allows developers to create large, enterprise-class applications. ColdFusion has been a target of hacks in the past. In 2013, a breach was made possible by a vulnerability in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user.” One of the hackers reported directly that Linode (a New Jersey-based virtual private server provider), a victimized company, had been hacked weeks before the discovery. This leads to the question of whether there were many more undetected hacks (Gallagher, 2013). Threats introduced through ColdFusion can have a negative effect on many people. Large corporate sites are built with the ColdFusion framework and are used to collect personal data and financial information as a natural course of their Internet e-commerce systems. From 2013 to 2014, a hacking gang used Adobe ColdFusion vulnerabilities to build a botnet from e-commerce sites that was used to extract and collect customer credit card data. Several large companies were affected, including Smucker’s, SecurePay, and Minnesota-based Elightbulbs.com, which was notified of the breach by their credit card processor, Heartland Payment Systems, itself the target of a large breach in 2009 (Krebs, 2014b).

Literature Review

For more than 30 years, Adobe Systems, Incorporated, has been producing software that is used by graphic designers, photographers, videographers, sound editors, writers, architects, marketers, web developers and just about every profession in the world. Former Xerox Palo Alto Research Center (PARC) employees John Warnock and Charles Geschke founded Adobe Systems, Inc., in 1982. The pair worked at the graphics and imaging lab and developed a system that renders type, lines and graphics on paper as they appear on a computer monitor.
Dissatisfied with Xerox’s lack of interest in their project, PostScript, they left the company to create Adobe Systems, which led to a revolution in electronic publishing and web development (“Adobe Systems Inc - Early History,” n.d.). Adobe increased the usefulness of PostScript by developing a system to distribute documents similar in fashion to a fax, but with higher quality. In 1991, John Warnock released a proposal for “The Camelot Project,” which was the precursor of the PDF. The goal of the Camelot Project was to develop a method to exchange visual communications between a wide variety of computers, operating systems and networks (Gitelman, 2014). Adobe products have become so ubiquitous that proprietary eponyms have been derived from them: “Photoshop the image” to mean altering an image, or “PDF it and send it to me” meaning to create a PDF from any number of programs (Swanson, n.d.).

Flash

Adobe software vulnerabilities have a large impact on society due to the widespread use of the company’s products. Symantec’s director of security response operations, Jonathan Omansky, says in his YouTube video, Adobe Flash: Zero Day Vulnerabilities:

Flash, as we know, is one of the most widely installed software applications in the world on different browsers in both Windows and Macs. This makes the number of exploitable software browser platform combinations significantly higher than other vulnerabilities. (Omansky, 2015)

Hackers make use of Flash’s SWF files as re-usable delivery systems. The SWF file format is used to target the correct area of memory on the computer and specifies the parameters for delivering the Trojans. Some of these attacks used the name “Elderwood.” Using a common SWF file, the hackers can then deploy a new trigger and the SWF guides the hack. These attacks can include creation of email accounts, registration of domain names, information gathering, and stolen information analysis (O’Gorman & McDonald, 2012).
Flash exploits are so common and insidious that they are traded online amongst hackers. For a subscription fee, hackers can buy a “weaponized exploit” that can be plugged into websites of their choosing. In 2015, Flash was used to deliver malware through advertising on popular websites, such as theblaze.com, nydailynews.com and dailymotion.com. The attacks target Windows users using Internet Explorer and Firefox. In the case of radio personality Glenn Beck’s #2 ranked political site, theblaze.com, malware was introduced via a Flash ad that redirected victims to a Polish recipe site, which then was used to redirect advertising revenue directly to the botnet’s author. The use of advertising to introduce malware in this fashion is referred to as “malvertising.” This particular exploit went by the names “kazy” and “kryptik” (Belcher, 2014). The underlying threats are present in Mac and Linux versions as well. Google Chrome offers added protection due to its embedded security sandbox (Brodkin, 2011). Safari users can install the third-party plug-in ClickToFlash, which prevents Flash from activating until authorized by the user to do so. Enabling automatic updates for Flash will keep up with the bug fixes when released (Cole, 2015).

In July 2015, Alex Stamos, Facebook’s security chief, asked Adobe to discontinue Flash once and for all. “It is time for Adobe to announce the end-of-life date for Flash,” Stamos tweeted. Quickly following Stamos’ plea, Mark Schmidt, Mozilla’s support chief, tweeted that Flash will no longer be turned on in all versions of Firefox. Firefox users will now have to use another browser if they want Flash enabled. Schmidt did leave the door open for a return of Flash to Firefox, by stating, “To be clear, Flash is only blocked until Adobe releases a version which isn’t being actively exploited by publicly known vulnerabilities” (Goldman, 2015).
System76, a Colorado-based manufacturer of Ubuntu (Linux)-based desktop and laptop computers, announced on its blog on July 14, 2015, that it will no longer ship systems with Flash pre-installed. It also recommends that existing customers purge Flash from their systems by issuing the following at the command line interface: “sudo apt-get purge flashplugin-installer.” It cites two reasons for doing this: first, Flash isn’t really needed to enjoy “the full web experience,” and secondly, “security, security, security.” It also recommends that customers wanting to continue using Flash do so with Chrome (Derose, 2015). Due to the rapid succession of Flash exploits and patches, a certain “Flash fatigue” has set in. There is evidence that hackers may be using Flash exploits to deliver crypto-ransomware as well. The threats have become so persistent that the best course of action for the public may be to disable Flash altogether (Goodin, 2015). Between May and June 2015, Adobe had issued three new updates, with two of them coming within two weeks of each other. Even after all of Flash’s vulnerabilities and the late Steve Jobs’ decision to exclude Flash from Apple’s mobile devices, Adobe defended its product and railed against its alternative: HTML5. In 2010, Adobe’s chief technology officer, Kevin Lynch, placed the blame on Apple’s obstinacy and predicted an early demise for HTML5. He wrote in his blog: Adobe supports HTML and its evolution and we look forward to adding more capabilities to our software around HTML as it evolves. If HTML could reliably do everything Flash does that would certainly save us a lot of effort, but that does not appear to be coming to pass.
Even in the case of video, where Flash is enabling over 75% of video on the Web today, the coming HTML video implementations cannot agree on a common format across browsers, so users and content creators would be thrown back to the dark ages of video on the Web with incompatibility issues. (Schonfeld, 2010) Adobe has come to accept that HTML5 will eclipse Flash as the de facto video player. Adobe has been addressing shortcomings in HTML5 to stay relevant in the mobile market. Adobe hosted worldwide “hackathons” to recruit and train web developers to improve on HTML5. Adobe has added HTML5 capability to Flash Professional and has developed its own HTML5 rendering program, Edge Animate. Edge Animate has a What-You-See-Is-What-You-Get (WYSIWYG) interface, support for audio, video, responsiveness, and key-frames without the need for plug-ins. With 99% of desktop browsers using Flash, Flash will be in use for some time, but Adobe has joined the HTML5 transition and has become one of its biggest supporters. With HTML5 “baked into” browsers, users will no longer have to download a separate plug-in and, as in the case with Flash, update it constantly to plug the frequent vulnerabilities that come with it (Minnick & Tittel, 2014). Due in part to its long lifespan, Flash continues to be a carrier of threats. McAfee Labs, a division of Intel Security, released a report in May 2015 that showed the increasing threats due to Flash. In the first quarter of 2015, 42 new vulnerabilities were found, up from 28 in the fourth quarter of 2014. This is the highest number of vulnerabilities reported in a quarter for Flash.
The report points out that the increase in Flash vulnerabilities is due, in part, to “a steep increase in mobile devices that can play SWF files” (Beeck, Matrosov, Paget, Peterson, Pradeep, Schmugar, Simon, Sommer, Sun, Surgihalli, Walter, Wosotowsky, 2015). Exploits will continue as long as consumers and corporations fail to agree on standards of operation, update their software and systems, and learn about the threats and how to mitigate them. Complacency is a contributing factor that allows these exploits to continue. People take risks without taking simple precautions to avoid damage to themselves and their property. Complacency is so entrenched that some security teams do not even know, nor care, if they’ve been breached (“Cybersecurity complacency a leading cause,” 2014). A 2012 study conducted by Symantec stated that 83% of US companies have no formal cybersecurity plan (“New Survey Shows U.S. Small Business Owners Not Concerned,” 2012). Although Flash, and plug-ins in general, are being phased out, many people will remain at risk due to their complacency and lack of knowledge concerning upgrades. Updates are foisted upon the general computer user constantly, and many of these are ignored simply because people have no idea what they are or how to run them. The large variety of operating systems, versions, browsers, plug-ins, add-ons and extensions creates a dizzying array of computer maintenance demands. There are so many options available that “calling the kid from down the street” to come fix a computer can be an increasingly daunting task that can result in more damage than it fixes. Chris Hoffman, writing for How-To Geek in 2014, explains it thus: The Flash plug-in will be with us for a while longer, as it is still in such wide use, but all other plug-ins are on the brink of irrelevance. Even Flash is becoming less and less relevant thanks to mobile platforms without Flash support.
This is fine by most plug-in developers—Adobe has developed tools that export to HTML5 instead of Flash, Oracle probably wants the extremely insecure Java plug-in to go away and stop sullying their security record, and Microsoft is no longer interested in pushing Silverlight as a competitor to Flash. (Hoffman, 2014)
Photoshop
The public can be oblivious as well as complacent. Figure 1 shows a manipulated photo from Victoria’s Secret that was produced poorly. It is apparent that the model is holding a handbag of some sort in her right hand, but the digital editor neglected to remove the straps. The tile on the floor behind where the bag was removed was also drawn back in poorly, and does not match the rest of the floor. Without the original to compare against, the general public would not be able to detect the alterations unless they examined the image closely or had forensic skills (Krawetz, 2009). Alterations are more apparent if there is an original image to use for comparison. During the raid on Osama bin Laden’s compound in 2011, members of President Barack Obama’s national security team monitored the raid in real time from the Situation Room in the White House. Present were Secretary of State Hillary Clinton and Counterterrorism Director Audrey Tomason, the only two women in the room (see Figure 2). The image was published in newspapers and on websites worldwide with those two women clearly in the scene. However, due to its Orthodox Jewish religious beliefs, the Brooklyn, New York-based Hasidic newspaper, Der Tzitung, Photoshopped out the two female officials from the image (see Figure 3). By altering the photo, the newspaper violated the terms of use issued by the White House that accompanied the image on the photo-sharing site, Flickr.
Figure 1. Poor Photoshop manipulation found in a Victoria’s Secret catalog.
This was an example of Photoshop being used to alter reality to make the image fit into a group’s strict constraints. The newspaper defended its action in an email by stating: In accord with our religious beliefs, we do not publish photos of women, which in no way relegates them to a lower status... Because of laws of modesty, we are not allowed to publish pictures of women, and we regret if this gives an impression of being disparaging to women, which is certainly never our intention. We apologize if this was seen as offensive. (“Hasidic Newspaper Photoshops Hillary Clinton,” 2011) Technical skills and software improvements have reached a point where it becomes almost impossible for people to distinguish fabricated images from real ones. To illustrate this fact, Adobe published a tribute online to Photoshop by displaying images, some of which were real and others that were Photoshop creations. The website visitors were given the opportunity to determine whether the image was real or a Photoshop creation. It can be difficult, or even impossible, to determine whether a photo is real or altered just by looking at it. Often, the skills of the photo-manipulator are good enough to create realistic alterations. These could include techniques such as shadow realignment, foreground-background perspectives, color balances, and other subtleties. These techniques are difficult to detect by casual observation. Photos can be altered by adding elements from other photos or by enlarging or reducing elements of a photo to change perspective. Figure 4 shows an example of Adobe’s Photoshopped images in which a raw steak has been enlarged to create the illusion that the girl is about to eat an enormous slab of uncooked meat (Zhang, 2015).
Figure 2. Secretary Clinton and Director Tomason appear in the original photo.
Figure 3. Secretary Clinton and Director Tomason removed from the image used in Der Tzitung.
Manipulated images were thought to be an effective method to sell products through subliminal messages. “Subliminal Advertising” was a term developed by researcher James McDonald Vicary. He conducted experiments that purported to prove that movie theatres that flashed messages such as “eat popcorn” or “drink Coca-Cola” would increase sales of their products. The results were astounding and led the Federal Communications Commission to ban “subliminal advertising” in 1974. The Central Intelligence Agency (CIA) was prompted by the “results” to write The Operational Potential of Subliminal Perception and to write their own plans to use subliminal messaging. When confronted with the results and asked to support them, Vicary admitted that he falsified the data. “Subliminal advertising,” whether or not it existed, had no effect on buyers (Harley, n.d.). The CIA report states its perception of subliminal messaging: The desire here is not to keep him unaware of what he is doing, but rather to keep him unaware of why he is doing it, by masking the external cue or message with subliminal presentation and so stimulating an unrecognized motive. (Gafford, 1958) On June 27, 1994, Time and Newsweek ran O.J. Simpson’s mug shot on their respective covers (see Figure 5). Newsweek ran the photo as submitted. Time, however, used Photoshop to alter the image to make Simpson appear darker, and thus, more sinister. The graphic designer was instructed to make the image more “artful and compelling.” Time’s managing editor, James R. Gaines, regretted altering the photo after the backlash, and the newsstand version of the magazine was pulled from shelves and replaced with the unaltered version of Simpson’s mug shot.
Figure 4. Photoshop creation that looks realistic.
Figure 5. Time’s Photoshopped image compared to Newsweek’s original.
The subscriber version was mailed to subscribers with the darker image, making those copies collector’s items (Arogundade, n.d.). Wilson Bryan Key built upon Vicary’s suppositions in his 1974 book on the subject of image manipulation, Subliminal Seduction. Key purported to see images embedded in marketing and advertising that were of a sexual, violent or occult nature. Key’s opinion was that these images were placed there on purpose. Many people were convinced that Key was correct, but there were many who were not. Key presented a lecture on subliminal advertising at Florida State University in 1982. He failed to convince many in the audience, and his evidence led some to walk out. One of Key’s examples was a 1971 advertisement for Gilbey’s Gin (see Figure 6). The ice cubes in the glass are arranged so that the letters “S-E-X” are seemingly formed from the cubes. Key further describes the scene: The melting ice on the bottle cap could symbolize seminal fluid—the origin of life. The green color suggests peace and tranquility after tension has been released. The modus operandi of the ad is to sell Gilbey’s through a subliminal appeal to latent voyeuristic or exhibitionistic tendencies within the unconscious minds of readers. The Gilbey’s orgy has also appeared on covers of several other national publications. (Key, 1974, pp. 5-7) The technology has advanced a great deal since the 1970s. With cheaper personal computers and computer programs such as Photoshop, manipulating images is much easier. Although people should now be more aware of how easily they can be fooled by manipulated images, the manipulators get away with it quite often. False images, just like false news stories from satirical sites such as The Onion, have made fools of people from world leaders and news organizations down to the common citizen.
Figure 6. Gilbey’s Gin ad showing suspected subliminal images.
The New York Times was fooled when it accepted an altered, satirical Tiger Beat magazine cover featuring President Obama, alongside the Jonas Brothers and Vanessa Hudgens (see Figure 7), in what The Onion claimed was an appeal to tween voters (who are not old enough to vote). The New York Times ran a “real” article on it (Fallon, 2012). Slate conducted an experiment in which it altered four images, took one out of context and mixed them with real images to see how the images affected people’s memories. One image showed President Obama shaking hands with Iranian President Mahmoud Ahmadinejad. The event never took place, but 26% of the respondents reported that they remembered it when it happened (Saletan, 2010). Cynthia Baron, author of Adobe Photoshop Forensics, explains in her book’s introduction how easily society is duped: Although we are now more visually literate and skeptical about “photographic evidence” than our parents or grandparents, we can still be taken in by a good fake, especially if it’s a fake we want to believe. Perpetrators take advantage of that all-too-human weakness and wreak much damage before their trick is discovered. (Baron, 2008, p. xiii) One of the most malicious and common uses of Photoshop is counterfeiting. Photoshop is an ideal tool to use to create or enhance images of banknotes, identity cards, government forms, legal forms, historical records and other sensitive material that had been scanned or created digitally. Forensic examiners, with proper tools and training, can detect these types of frauds just as they did in the Wasendorf case. Adobe, at the behest of the government, added algorithms to Photoshop, from version CS2 and up, that can detect banknotes.
Figure 7. Satirical cover of Tiger Beat featuring President Obama.
It displays a dialog box that warns the user “this application does not support the printing of banknote images.” However, there are workarounds that can be employed. The user can first open the scanned image in Adobe’s discontinued image editor, ImageReady, and then import the file into Photoshop. The detection of banknotes is based on an imprint known as the EURion constellation (or Omron rings). EURion is a pattern of symbols, such as yellow dots, that are incorporated into banknotes to thwart counterfeiting efforts, via scanning and Photoshop (Tam, 2011). In 2011, Photoshop “evidence” was used in an attempt to bring down a sitting president. Douglas Vogt, an expert on scanners and image manipulating software, claimed that President Obama’s long-form birth certificate was a forgery created with Photoshop and was not an official document proving his “natural birth” in Hawaii. His evidence included “curved type” that “proved” that information was superimposed onto another document with image-manipulating software (see Figure 8). In his May 22, 2011 criminal complaint, Expanded Analysis of President Obama’s Certificate of Live Birth, Vogt claims: I have irrefutably proven that the Certificate of Live Birth that President Obama presented to the world on April 27, 2011 is a fraudulently created document put together using the Adobe Photoshop or Illustrator programs and the creation of this forgery of a public document constitutes a class B felony in Hawaii and multiple violations under U.S. Code section Title 18, Part 1, Chapter 47, Sec.1028, and therefore an impeachable offense. (Vogt, 2011) In his complaint, Vogt specifies many examples of fraud and manipulation that support his claim.
Focusing on the imaging forensics aspects of his claim, Vogt says that the Certificate of Live Birth (COLB) contains both binary (black-and-white) and gray-scale images in the PDF that was presented by President Obama as proof of his “natural birth.” His assertion is that when documents are scanned, they are scanned as either binary (for text) or gray-scale (for images), but that this one contained both, which is “impossible.” He goes on to claim that the image contained straight and curved type, indicating that the original was scanned while it was still attached to a binder, which caused the paper to bend. The claim that the image was manipulated with Photoshop or Illustrator is easily refuted. The metadata of the PDF that the White House released shows that the PDF creator was “Mac OS X 10.6.7 PDFContext.” This indicates that the PDF creator was anything but an Adobe product. Moreover, Adobe writes object IDs in numerical order, but this PDF document was created with prefix and postfix numbering (Conspiracy, 2011). PDFs can contain a variety of images. Vogt’s assertion that the PDF cannot contain both binary and gray-scale images is refuted by the very nature of how PDFs use “adaptive compression” or “adaptive optimization.” Adobe’s help page on scanning paper documents, using a scanner and Photoshop to create PDFs, states: Apply Adaptive Compression: Divides each page into black-and-white, gray-scale, and color regions and chooses a representation that preserves appearance while highly compressing each type of content. The recommended scanning resolutions are 300 dots per inch (dpi) for grayscale and RGB input, or 600 dpi for black-and-white input. (“Scan a paper document to PDF,” n.d.)
Figure 8. President Obama’s birth certificate.
Vogt’s claims against President Obama led to a cottage industry of what became known as “the Birther Movement.” The movement claims many well-known celebrities and high-ranking politicians, including real estate mogul and 2016 Republican presidential candidate Donald Trump, Maricopa County, Arizona Sheriff Joe Arpaio, former Saturday Night Live comedian Victoria Jackson, former Colorado Congressman and gubernatorial candidate Bob Beauprez and many others. The movement has its own website, birtherreport.com, as well as some spin-offs, and continues to claim that President Obama is not qualified to be President of the United States because of the “fake” birth certificate and for other reasons. The movement is extreme in its views and claims that acts of violence have been committed in connection with this perceived fraud, which it cites to show how far the matter has escalated. Victoria Jackson writes in her blog that the death of Hawaii Health Director Loretta Fuddy was related to Obama’s “fake” birth certificate and that she was killed as part of the larger “conspiracy” (Jackson, 2013). The Birthers believe President Obama was born in Kenya and raised as a Muslim. A posting by Jackson on the “evils” of Islam had this response from her fan “ThomasThePaine”: “We need to start killing Muslimes on sight!” What makes Jackson even more dangerous (in addition to her popularity as a media star) is that she seeks political power. In 2014, she lost her bid for a seat on the Williamson County (Tennessee) Commission. Along with Beauprez (who lost his bid for Colorado governor to incumbent John Hickenlooper), this would have added two more birthers to the ranks of government (“‘SNL’s Victoria Jackson falls to incumbents,” 2014). However, Jackson does have a like-minded friend in Congress: Representative Bill Posey (R-FL).
Representative Posey introduced HR 1503 in 2009, a failed attempt at a “Birther Bill” requiring presidential candidates to supply birth certificates, and any other “necessary” documentation, upon filing to run. Jackson conducted an interview with Posey, who supported her claims about the Photoshopped birth certificate. Jackson was inspired by Posey and claimed that President Obama’s birth certificate was “the fakest birth certificate” she’s ever seen. The law would have become effective in 2012, the year of Obama’s re-election (Powell, 2011). The use of Photoshop has called into question legal precedents. In March 2001, Alfred Swinton was found guilty of the 1991 murder of Carla Terry, in Hartford, Connecticut. Terry’s body was found in a snow bank, partially clad and wrapped in a garbage bag. Examiners found what appeared to be teeth bite marks on her breast. During his trial, the defense argued that the Photoshop evidence presented was “altered” and that the technology’s veracity needed to be established. New rules, based upon the American Oil v. Valenti case adjudicated years earlier, which adopted rules of federal procedure to establish foundation, led to the Swinton Six characteristics (Crowsey, n.d.). The Swinton Six characteristics, as defined by the Connecticut Supreme Court, are:
1. The computer equipment is accepted in the field as standard and competent and was in good working order
2. Qualified computer operators were employed
3. Proper procedures were followed in connection with the input and output of information
4. A reliable software program was utilized
5. The equipment was programmed and operated correctly
6. The exhibit is properly identified as the output in question (Hoerricks, n.d.)
The admission of digitally “enhanced” images has been brought into question in courts of law.
For any digital evidence to be deemed worthy, the qualifications and competency of the digital technician must be beyond reproach. Moreover, the prosecutor and defense attorney must have a high enough level of expertise to evaluate and present the evidence. In 1994, digitally enhanced evidence was presented to the court in the case of The United States vs. Mosley. Maurice Mosley was charged with six counts of bank robbery. An FBI agent testified that he took a still image from the video surveillance tape that recorded Mosley committing the crime and enhanced it. The agent was then able to detect a mark on Mosley’s face that matched a mark on his booking photo (Hak, 2003). Mosley was convicted of bank robbery and appealed his conviction. In his appeal, Mosley asserted that the government erred in allowing FBI Agent Douglas Goodin’s enhanced photographic evidence. In a Memorandum, the Ninth Circuit Court ruled: Goodin, an agent with the Federal Bureau of Investigation, testified that he had subjected a bank photo of the robbery to digital imaging processing, a procedure that sharpens pictures. He informed the jury that, after sharpening the photo, he was able to detect a mark on the face of the robber. He then compared this mark with a mark on Mosley’s face, which was visible in an arrest “booking” photograph, and described their similarities. The district court reasonably concluded that this testimony would assist the jury. (Appeals & Circuit, 1994) Photoshop is also a useful tool for law enforcement when examining photographic evidence of a crime scene. Photoshop’s “Vanishing Point” filter can be used to “rotate” a scene to make objects that are skewed become clearer. Photographs are two-dimensional facsimiles of reality. It is not possible to “look around the corner” in a photograph, but it is possible to use Photoshop to achieve similar results. 
By using a combination of filters and commands, the examiner can select an object, such as a license plate or a billboard, apply the Vanishing Point filter and “rotate” the object into view to make the information on it readable. It may not be possible to achieve this if there is not enough information to begin with. Contrary to depictions on television, it is unlikely that a reflection in a pair of glasses will yield enough pixels to “reassemble” the object in question (Farid, 2011).
Portable Document Format (PDF)
Malware in PDF files has become pervasive. With the ease of creating, disseminating and opening PDFs, this document format is ripe for exploitation. It is very common for a person to receive PDF files via email, sometimes from known sources and sometimes from seemingly innocuous sources. A mass email with a malware-infected PDF can be sent to thousands of people in seconds, with the effects not always realized once the PDF is opened. In the last few years, PDF attacks have doubled year-after-year (Shaw, 2013). Malware is commonly introduced into PDFs by JavaScript actions. These actions are launched when the PDF is opened or printed. There are many tools available to analyze PDFs, both online and offline (Du, 2013). PDFiD is one such open source tool for malware analysis and forensic examination. PDFiD examines PDFs to find instances of suspicious strings, even if the strings are obfuscated. PDFiD reduces large sets of PDF files into manageable sets, and separates the benign PDFs from the malicious ones. PDFiD can detect what a PDF file is capable of executing. Moreover, a tool such as Didier Stevens’ pdf-parser can be used to see what actually executes (Morra, 2013). For forensics analysts and law enforcement, there are several methods available to analyze PDFs for either malicious code or for intelligence gathering.
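The following triage sketch ties together the two PDF checks described above: the creator/producer metadata and object-ID ordering used to refute the birth-certificate claim, and the PDFiD-style counting of action keywords even when their names are hex-escaped. It is an added example, not code from the paper or from Didier Stevens’ PDFiD or pdf-parser; the two minimal PDFs are constructed, the Creator string in the first is the one the paper quotes, and the regex parsing assumes small, uncompressed PDFs with plain literal strings (no object streams, hex strings or escaped parentheses in the Info dictionary).

```python
"""PDF triage sketch: Info metadata, object-ID ordering, and PDFiD-style
keyword counts with name de-obfuscation (added example; not the paper's
or Didier Stevens' code). Works on simple, uncompressed PDFs only."""
import re
from collections import Counter

# PDF names may hide keywords behind #xx hex escapes (e.g. /J#61vaScript),
# so each name is decoded before it is compared with the watch list.
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
INFO_RE = re.compile(rb"/(Creator|Producer|CreationDate|ModDate)\s*\(([^)]*)\)")
# Names PDFiD counts because they introduce actions or active content.
SUSPICIOUS = {"JavaScript", "JS", "OpenAction", "AA", "Launch",
              "EmbeddedFile", "RichMedia", "XFA"}


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def info_fields(data: bytes) -> dict:
    """Creator/Producer/dates from the Info dictionary. Only plain literal
    strings are handled; hex strings and escaped parentheses are not."""
    return {k.decode(): v.decode("latin-1") for k, v in INFO_RE.findall(data)}


def object_numbers(data: bytes) -> list:
    """Object IDs in the order their 'N G obj' headers appear in the file."""
    return [int(m.group(1)) for m in OBJ_RE.finditer(data)]


def objects_sequential(data: bytes) -> bool:
    """True when object IDs strictly increase through the file, the ordering
    the paper attributes to PDFs written by Adobe products."""
    nums = object_numbers(data)
    return all(a < b for a, b in zip(nums, nums[1:]))


def keyword_counts(data: bytes) -> dict:
    """Count watch-list names after de-obfuscation, as PDFiD does."""
    hits = Counter()
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in SUSPICIOUS:
            hits[name] += 1
    return dict(hits)


def obfuscated_hits(data: bytes) -> int:
    """Watch-list names that only match after #xx decoding. A legitimate
    producer has no reason to escape /JavaScript, so this is a strong signal."""
    return sum(1 for m in NAME_RE.finditer(data)
               if b"#" in m.group(1) and decode_name(m.group(1)) in SUSPICIOUS)


def triage(data: bytes) -> dict:
    """Combine the checks into one report for an analyst."""
    info = info_fields(data)
    keywords = keyword_counts(data)
    return {
        "info": info,
        "claims_adobe_origin": any("Adobe" in v for v in info.values()),
        "objects_sequential": objects_sequential(data),
        "keywords": keywords,
        "obfuscated_hits": obfuscated_hits(data),
        "verdict": "review: active content" if keywords else "no active content",
    }


# Constructed sample 1: a plain document whose Creator string matches the one
# the paper quotes for the White House PDF; objects are written in order.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Creator (Mac OS X 10.6.7 PDFContext) /Producer (Mac OS X 10.6.7 PDFContext) >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

# Constructed sample 2: an OpenAction that runs a harmless alert, with the
# /JavaScript name hex-escaped and objects written out of order.
SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
4 0 obj << /Producer (constructed-sample) >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
5 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage(pdf))
```

On a real file, run the same checks after decompressing object streams, since keywords inside compressed streams are invisible to a raw byte scan.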
The metadata stored within a PDF can provide some basic clues as to the creation and modification dates, the originating program, and sometimes the creator’s name. Additional metadata can also be found if the user entered the information manually, such as description, writer, keywords, etc. Non-professionals and casual users of PDFs can benefit from open source tools to work with PDFs. PDFs can have varying levels of security added. A user can password-protect a PDF and deny the recipient any action except viewing it. Printing, copying and editing are prohibited without the correct password. The user who protected the document can benefit from open source tools as well. Suppose an old, password-protected PDF is retrieved, but the user has forgotten the password. In Acrobat’s Document Properties dialogue, the security settings can be reviewed. Here, it lists the settings, such as “password security,” and the functions that are forbidden. It reports the encryption level, such as 128-bit RC4. A PDF of this type can be uploaded to the browser-based tool, Unlock PDF, which strips the password from the PDF and returns it to the user. The PDF can now be manipulated as the user chooses (Stofer, 2015). McGladrey LLP, an accounting firm with more than 8,000 employees based in Minneapolis, Minnesota, has streamlined its document workflow to focus on Adobe Acrobat PDFs. Matt Corcoran, McGladrey’s desktop manager, describes the challenges and complexity of their document management routine: We are very geographically dispersed—and, as part of our entrepreneurial culture, users here are free to purchase or download tools in addition to our standard software image to meet their needs. To support our substantial use of PDF, our accounting professionals had acquired a mix of many different versions of Adobe Acrobat software, as well as other PDF applications. (McGladrey LLP, 2011)
ColdFusion
ColdFusion is an Adobe program that is used for web development. It was developed in 1995 but is still widely used today. ColdFusion’s appeal is that it handles database management well and its coding language is familiar to web developers. ColdFusion allows developers to create large, enterprise-class applications and is used frequently by large corporations, government agencies and other institutions that maintain large databases that integrate with the Internet. ColdFusion is adaptable and can “talk” to other applications, such as .NET, Java classes, and legacy connectivity such as COM and CORBA. ColdFusion is a useful tool for creating forms. Forms can be coded just like in any other web development tool, but ColdFusion offers added validation options without adding unnecessary complexity (Hughes, n.d.). ColdFusion is a target for hacks. In 2013, a breach was made possible by a vulnerability in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user.” One of the hackers reported directly that Linode (a New Jersey-based virtual private server provider), the company victimized, had been hacked weeks before the discovery. This could be an indication that there were more hacks that went undetected. The element that was attacked is “cflogin,” its user authentication component. With this exploit, hackers were able to access Linode’s server and source code. In response, Linode issued a statement in a blog post: No evidence decrypted credit card numbers were obtained and the encryption key for credit card data was not stored on the server and was not guessable, sufficiently long and complex, not based on dictionary words, and not stored anywhere but in our heads. (Gallagher, 2013) The ColdFusion breach of 2013-2014 that affected Smucker’s and SecurePay behaved similarly to the ZeuS virus.
It would siphon information by slurping up passwords stored in the victim’s browser cache and conduct “form grabbing,” which is intercepting data entered into a form field before it has been encrypted and sent across the Internet to its destination. As victims were going through the online checkout process at Smucker’s, the virus would collect names, addresses, phone numbers, credit card numbers and verification codes (CVV). This virus confirmed an important aspect of Web security: no transaction is secure if even one end is compromised. This same group is believed responsible for the attack on ColdFusion’s own publisher, Adobe Systems, Inc. The control panel of the botnet includes the names of many companies. Some of them were reported infected in August 2013 and were still active up to, at least, March 2014, according to Brian Krebs. The botnet did infect at least one company that was driven out of business: TechnoCash.com.au. TechnoCash was also involved in an online drug bazaar on SilkRoad and under indictments from the United States Department of Justice. Georgia-based SecurePay, whose assets were acquired from Pipeline Data by Calpiancommerce.com, was heavily represented in the botnet’s control panel (see Figure 9). Pipeline’s New York data center had been running an outdated version of ColdFusion. When asked about the breach by Brian Krebs, CEO Tom Tesmer responded by saying, “We’re not aware of compromised cards.” When Krebs presented him with 5,000 records showing what the hackers stole, Tesmer confirmed the attack and responded: That warning showed up while the system was not under our control, but under the control of the folks up in New York. We fired that alert over to the network guys up there and they said they were going to block that IP address, and that was the last we heard of that.
Figure 9. The ColdFusion botnet’s control panel listing many entries for SecurePay.
(Krebs, 2014a)
Adobe Cloud
In 2012, Adobe launched the Adobe Creative Cloud. This move transitioned Adobe from selling perpetual licenses for boxed software to offering its programs on a subscription basis. Users pay a monthly fee, based on whether the user is a student, or a business, or some other specific entity. Subscription fees are priced from $10/month for individual use of Photoshop up to $80/month for the complete Creative Cloud set, which includes Adobe Stock Photos (“Discover the Creative Cloud,” 2015). With the subscription, users can sign in to their Adobe account online and download almost all the Adobe programs they want. In the past, a user would, for example, purchase InDesign in a box and then Photoshop, Illustrator, etc. Adobe also offered different software collections for print designers, web designers, etc. With the subscription, a typical print designer using InDesign can experiment, at no additional cost, with sound software, such as Audition, video editing with After Effects or web animation with Edge Animate. Many balked at the idea of continually paying Adobe to use its products, but after three years in service the complaints have diminished and it has become a part of digital life (Shankland, 2012). Along with all this expansion, subscriptions and the transition to the cloud created problems for Adobe and its customers. In 2013, Adobe was hit with a massive cyber attack that impacted at least 38 million Adobe users. The attack led to the reported theft of three million credit card records and tens of millions of user accounts. Shortly after the attack, a 3.8Gb file, “users.tar.gz,” was posted on AnonNews.org (an anonymous news-posting site) that contained 150 million username and hashed password pairs stolen from Adobe. Along with the account theft, hackers stole the source code for Acrobat, Acrobat Reader and ColdFusion.
A password-protected file was uploaded to anonnews.org with the name “ph1.tar.gz.” Forensic experts were not able to crack the password. A newer file, with the same name and without protection, was later posted containing the source code for Photoshop. Adobe offered its affected customers free credit protection for a year. The protection was offered through Experian, which had earlier been tricked into selling consumer records to an online identity theft service (Krebs, 2013).

Stealing customer data and software source code is a lucrative undertaking for several reasons. Obviously, stolen credit card information or user login information gives the attackers access to personal financial data. Source code is a commodity that can be sold and traded on the dark web. With the source code, attackers can develop exploits and sell those to others for a fee. A zero-day exploit (one for a vulnerability the vendor does not yet know about, so no patch exists) could be sold for $50,000. Having the source code allows the attackers to find more vulnerabilities for later use. In the case of the stolen ColdFusion source code, the attackers could compromise web servers at will (Higgins, 2013).

Photoshop and Acrobat are both available through the Adobe Creative Cloud subscription service for 30-day trial periods. This makes using the programs, and experimenting with them, very convenient and cost-effective. Adobe software is designed to work together. Whether one works in Photoshop, Illustrator, InDesign or Audition, the commands and interface are all similar and transferring assets between them is a mostly seamless process (Perhiniak, 2012). Along with Photoshop and Illustrator, Adobe InDesign is an application used by the majority of graphic designers and publishers for page layout. QuarkXPress was, for many years, the de facto tool of publishers, but Adobe took over the larger share of the market with InDesign even though QuarkXPress had a 95% share of the market when InDesign debuted (Girard, 2014).
InDesign hasn’t presented the forensic challenges that PDFs, Flash, ColdFusion and Photoshop have, but it is interesting to note that, even in this seemingly innocuous program, there is embedded metadata that can be analyzed (Wheeler, 2008).

Discussion of the Findings

The purpose of this research was to examine how certain Adobe programs and files are manipulated for criminal intent. The programs and file types examined most closely are Photoshop, Acrobat, Flash and ColdFusion, but the research also covers some of the lesser known, but popular, programs, such as InDesign and Illustrator. The research addresses the following problems and situations: How are Adobe programs, primarily Photoshop, Acrobat, Flash and ColdFusion, used for forensics and for criminal purposes? What methods are used to manipulate files for the purposes of misleading people or altering perceptions? What are some of the forensic signs of evidentiary tampering, and how can authorities use this information to identify threats?

Adobe’s large number of programs and online subscription systems will lead to more opportunities for threats and more opportunities to use the programs to thwart those threats. Adobe has gone beyond creating applications for design, such as InDesign and Illustrator. It now includes the Adobe Marketing Cloud, used for marketing and analytics, to compete against IBM, SalesForce and Oracle in the cloud marketing market (Koetsier, 2014). It has also added solutions for designers to host their creative portfolios with its acquisition of Behance, which is described as the “LinkedIn for artists” (Dillet, 2012).

Adobe’s data breach in 2013 could have affected 150,000,000 records, far larger than the previously reported number of 38,000,000 (Ducklin, 2013). Adobe warned its customers by sending users an email explaining what had happened and that it had reset the users’ passwords, and included a link in the email to a password reset. Clicking a link in an email, especially an unexpected one, is exactly the behaviour phishing relies on, and a breach notification that asks users to do it trains them into that complacency. As “StephenJ798” quipped in a comment on Kelly Higgins’ post on InformationWeek’s Dark Reading site, “Hacking the Adobe Breach”:

Can I add that Adobe compounded their lack of security by sending unexpected emails to 3 million people with a request to change their security details by clicking on a link in the same email? I cannot confirm that anyone has used this fact to try to get login and other information from Adobe users but since support on the Facebook page is basically saying “just click on the link” we have to hope that they will be getting an email with the right link. If you see nothing wrong in what Adobe has done then you are advised to reset your PayPal Password here. (StephenJ798, 2013)

What makes the Adobe breach more troubling is that many people re-use passwords from account to account. For every password used in an Adobe account, and the records associated with it, duplicates of this information appear in other systems, sometimes many times over. Even though Adobe required password resets after the hack, those duplicate passwords are still in use elsewhere. As a result, many people who changed their Adobe password have not changed it across all accounts, which allows the attackers to break into many other accounts via just one leak. Unfortunately, many people do not practice safe password habits when choosing their passwords. “Password” is a common password and so are regular dictionary words, which can be guessed or gleaned through social engineering. Two-factor authentication is a better way to proceed. With this method the password is teamed up with another form of identification, so a password leaked or reused from another site is not enough on its own (Levin, 2014).
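As an added example (not from the thesis), the following Python shows in code what the breach analysis and the reuse discussion above turn on: a deterministic password store lets anyone holding the dump group the accounts that share a password, a per-user salted slow hash does not, and a plaintext leaked from one site replayed against a second site succeeds exactly where the user reused it. The accounts and passwords are constructed sample data; the ECB remark in the comment refers to the reversible encryption Ducklin’s analysis found in the Adobe dump.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000   # PBKDF2 work factor; raise it on real hardware

def store_unsalted(password):
    """Deterministic, unsalted storage: equal passwords give equal records. The Adobe dump
    used reversible 3DES-ECB encryption, which has the same flaw, and that is what let
    analysts group users by password; an unsalted hash leaks exactly the same thing."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password, salt=None):
    """Per-user random salt plus a slow KDF: equal passwords give different records,
    and every guess costs the attacker ITERATIONS hash computations."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, record):
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison

def equal_password_groups(records):
    """Accounts whose stored records are identical. With unsalted storage these users share a
    password, so one recovered password (or one helpful password hint) unlocks all of them."""
    groups = defaultdict(list)
    for user, rec in records.items():
        groups[rec].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def credential_stuffing(leaked, other_site):
    """Replay plaintexts leaked from one site against another site's salted store.
    Returns the accounts that fall because the user reused the password."""
    return sorted(u for u, pw in leaked.items() if u in other_site and verify_salted(pw, other_site[u]))

# Constructed sample data, not taken from any real breach.
LEAKED = {"alice": "password", "bob": "correct horse battery", "carol": "password"}

def demo():
    weak_store = {u: store_unsalted(pw) for u, pw in LEAKED.items()}
    good_store = {u: store_salted(pw) for u, pw in LEAKED.items()}
    # A second site where alice reused her password and bob chose a different one.
    other_site = {"alice": store_salted("password"), "bob": store_salted("Tr0ub4dor&3")}
    return {
        "groups_unsalted": equal_password_groups(weak_store),   # [['alice', 'carol']]
        "groups_salted": equal_password_groups(good_store),     # []
        "stuffed": credential_stuffing(LEAKED, other_site),     # ['alice']
    }

if __name__ == "__main__":
    print(demo())
```

The salted store stops the grouping but not the stuffing: as long as alice reuses "password", the second site cannot tell her from an attacker holding the dump, which is the gap a second factor closes.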
Flash

Flash is one of the most widely installed software applications in the world and is found in different browsers on both Windows and Macs. Attackers use Flash’s SWF files as re-usable delivery vehicles: one SWF exploit can be served from any web page and reaches every browser and operating system that runs the plugin. This makes the number of exploitable software/browser/platform combinations significantly higher than for other vulnerabilities (Omansky, 2015). McAfee Labs, a division of Intel Security, in its May 2015 report states that the increase in Flash vulnerabilities is due, in part, to “a steep increase in mobile devices that can play SWF files” (Beeck et al., 2015). McAfee’s statement about Flash exploits increasing due to mobile use is overstated. Although it is possible, in certain circumstances, to play SWF files on a mobile device, doing so requires third-party add-ons that play SWF files from an SD card. There is no widespread, user-friendly method of playing SWF on mobile devices that the general public would use. The Google Play app store does not carry an Adobe Flash Player. The download page for the third-party app SWF Player, by BitLabs LLC, states:

Play your flash files (SWF) from your SD-card with this simple player. This app is a Flash file viewer. You need to install Flash® Player Plugin to use this app to play your SWF Flash files. You can play your Flash animations, apps and games with this Flash file viewer. Adobe discontinued the Flash® Player Plugin for mobile devices, but with SWF Player you will be able to play your SWF Flash files. (SWF Player, 2014)

Playing SWF files on an iPhone is a challenge. Since iPhones do not support Flash, users need third-party systems to circumvent the block. Jihosoft offers third-party solutions, such as Cloud Browse, a paid web browser that uses a virtual Firefox platform. The company also offers a converter that users can use to convert Flash to MPEG-4, which will play on an iPhone.
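As an added illustration (not part of the thesis), here is a minimal SWF header and tag-directory parser in Python, the triage an analyst does on a suspect .swf before handing it to a decompiler: identify the signature (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed), compare the declared length with the real one, read the frame RECT, and list the tags, flagging the ones that carry ActionScript bytecode. The tag codes come from Adobe’s SWF specification; the sample file is constructed inline and is not a real-world capture.

```python
import struct
import zlib

# Tag codes from the SWF file format spec that triage looks at first (not an exhaustive table).
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             69: "FileAttributes", 82: "DoABC", 87: "DefineBinaryData"}
SCRIPT_TAGS = {12, 82}          # DoAction (AS1/2 bytecode) and DoABC (AS3 bytecode)

class BitReader:
    """MSB-first bit reader for the bit-packed fields in an SWF header (the frame RECT)."""
    def __init__(self, data):
        self.data, self.bytepos, self.bitpos = data, 0, 0
    def read_bits(self, n):
        v = 0
        for _ in range(n):
            v = (v << 1) | ((self.data[self.bytepos] >> (7 - self.bitpos)) & 1)
            self.bitpos += 1
            if self.bitpos == 8:
                self.bitpos, self.bytepos = 0, self.bytepos + 1
        return v
    def read_sbits(self, n):
        v = self.read_bits(n)
        return v - (1 << n) if n and v & (1 << (n - 1)) else v
    def align(self):
        if self.bitpos:
            self.bitpos, self.bytepos = 0, self.bytepos + 1
        return self.bytepos

def walk_tags(body, pos):
    """Return (code, length) for each tag record until the End tag or a truncated record."""
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_and_len >> 6, code_and_len & 0x3F, pos + 2
        if length == 0x3F:                               # long form: explicit 32-bit length follows
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        tags.append((code, length))
        if code == 0 or pos + length > len(body):        # End tag, or a length that overruns the file
            break
        pos += length
    return tags

def parse_swf(blob):
    if len(blob) < 8 or blob[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not an SWF file")
    sig, version, declared = blob[:3], blob[3], struct.unpack_from("<I", blob, 4)[0]
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF: needs an LZMA decoder, not handled here")
    body = zlib.decompress(blob[8:]) if sig == b"CWS" else blob[8:]
    r = BitReader(body)
    nbits = r.read_bits(5)
    xmin, xmax, ymin, ymax = (r.read_sbits(nbits) for _ in range(4))
    pos = r.align()
    frame_rate = struct.unpack_from("<H", body, pos)[0] / 256.0        # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    tags = walk_tags(body, pos + 4)
    return {"version": version, "compression": "zlib" if sig == b"CWS" else "none",
            "declared_length": declared, "actual_length": len(body) + 8,
            "width_px": (xmax - xmin) / 20, "height_px": (ymax - ymin) / 20,   # twips to pixels
            "frame_rate": frame_rate, "frame_count": frame_count,
            "tags": [TAG_NAMES.get(c, "tag%d" % c) for c, _ in tags],
            "has_script": any(c in SCRIPT_TAGS for c, _ in tags)}

def _pack_bits(fields):
    bits = "".join(format(v & ((1 << n) - 1), "0%db" % n) for v, n in fields)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")

def build_sample_swf(compress=False):
    """Constructed 550x400 px, 24 fps, one-frame SWF with a white background; illustration only."""
    rect = _pack_bits([(15, 5), (0, 15), (550 * 20, 15), (0, 15), (400 * 20, 15)])
    body = (rect + struct.pack("<HH", 24 << 8, 1)
            + struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"   # SetBackgroundColor, 3 bytes
            + struct.pack("<H", (1 << 6) | 0)                     # ShowFrame
            + struct.pack("<H", 0))                               # End
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)

if __name__ == "__main__":
    print(parse_swf(build_sample_swf(compress=True)))
```

A declared length that disagrees with the decompressed size, a DoABC or DoAction tag in a file that claims to be a plain animation, or a DefineBinaryData blob are the usual reasons to look further; the parser refuses ZWS rather than guessing, since an LZMA stream silently mis-decoded gives a wrong tag list.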
Workarounds like Jihosoft’s diminish what iPhone users want in their device: a simple, ready-to-go device for all their communication and entertainment needs. Requiring users to find, install and troubleshoot extra programs to view Flash files is not a practical solution (“SWF to iPhone - How to Play Flash SWF on iPhone 5,” n.d.).

Photoshop

Photoshop, by itself, is not generally used as a vehicle for malicious code. Threats perpetrated with Photoshop are targeted at the mind. Image manipulation preceded Photoshop and the digital age, but Photoshop has certainly made the results of manipulation much more realistic and believable and has made the chore much easier to perform. Before the advent of Photoshop and computers, image manipulation was an arduous process that required hours of manual work with airbrushes and ink.

There are methods to detect image manipulation conducted with Photoshop. One telltale sign of image manipulation is revealed by Error Level Analysis (ELA). ELA works by resaving the image as a JPEG at a known quality level (95%) and computing the difference from the original. Regions that have been through a different number of JPEG compression passes than the rest of the image deviate more, so areas of manipulation show up brighter (“Photo Forensics,” 2013). The image from the Victoria’s Secret catalog was changed quite extensively, as illustrated by the changes highlighted in white. The entire dress was modified, and, as it has selectable colors on the original website, the color visible in the image is not that of the original (see Figure 10).

Figure 10: Error Level Analysis (ELA) shows image modification.

Error Level Analysis can be performed online at fotoforensics.com. By uploading a JPG or PNG image to the site, the image is analyzed for ELA. The image’s metadata is also reported. The user also has the option to select TinEye (“TinEye Reverse Image Search,” 2015), a web service (tineye.com) that can be used to find any similar images online (“FotoForensics,” n.d.).

Figure 11: Metadata from the Gaza photo that Krawetz uploaded to fotoforensics.com.

In 2013, a photo of mourners in Gaza (“Gaza Burial”), by Paul Hansen, was selected as the World Press Photo of the Year-Spot News (“Gaza Burial, by Paul Hansen,” n.d.). Experts were suspicious of the photo’s authenticity as they detected unusual light and shadows for the time of day it was purportedly taken. Two forensics experts arrived at different conclusions. Neal Krawetz concluded that there was significant alteration to the image and that, based on the XMP metadata, the image was composed of four different images (see Figure 11). Forensic analyst Hany Farid concluded that the photo did go through alterations but that they were no more than “burning and dodging” to adjust lightness, as evidenced in Figure 12 (Anthony, 2013).

Figure 12: The Gaza mourners photo (left) and the ELA representation that shows extensive alterations (right).

Using Photoshop for dishonest purposes has gone on for many years, and the program makes it very easy, leading many people to believe what they are seeing is true until it is proven fake. One well-known Photoshop fake, and maybe one of the most insensitive, was the “911 Tourist.” In the photo, a man is seen standing by a rail on the Twin Towers as one of the hijacked planes approaches (see Figure 13). The photo was meant as a “joke,” and was taken by Hungarian tourist Peter Guzil, who was in New York in 1997 (four years before the attack). He Photoshopped the plane into the scene (note the timestamp). The image spread virally via email (“Famous Photoshopped Fakes,” n.d.).

Viewing photographs is a personal experience that gives them emotional credibility. People associate images with personal experiences, values, biases and assumptions, which causes a wide range of emotions to be exhibited.
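Krawetz’s reading of the XMP metadata is the kind of check that can be scripted. The following Python, added here and not part of the thesis, pulls the XMP packet out of a JPEG’s APP1 segment and reads the xmpMM history that Adobe applications write: creator tool, document and original-document IDs, the DerivedFrom reference, and each created/saved/derived event with its software agent and timestamp. The sample packet is constructed with invented IDs, tools and dates; it follows the layout Photoshop uses but is not taken from the Gaza photo or any real file.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
      "xmp": "http://ns.adobe.com/xap/1.0/",
      "xmpMM": "http://ns.adobe.com/xap/1.0/mm/",
      "stEvt": "http://ns.adobe.com/xap/1.0/sType/ResourceEvent#",
      "stRef": "http://ns.adobe.com/xap/1.0/sType/ResourceRef#"}
XMP_SIG = b"http://ns.adobe.com/xap/1.0/\x00"   # APP1 payload prefix that marks an XMP packet

def extract_xmp(jpeg):
    """Walk the JPEG marker segments and return the XMP packet, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS: entropy-coded data follows
            break
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]   # length includes its own 2 bytes
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(XMP_SIG):
            return seg[len(XMP_SIG):]
        pos += 2 + seglen
    return None

def _field(el, prefix, name):
    """XMP allows a property as an attribute or as a child element; accept both."""
    value = el.get("{%s}%s" % (NS[prefix], name))
    if value is None:
        child = el.find("%s:%s" % (prefix, name), NS)
        value = child.text.strip() if child is not None and child.text else None
    return value

def xmp_history(packet):
    root = ET.fromstring(packet)
    h = {"creator_tool": None, "document_id": None, "original_document_id": None,
         "derived_from": None, "events": []}
    for desc in root.iter("{%s}Description" % NS["rdf"]):
        h["creator_tool"] = h["creator_tool"] or _field(desc, "xmp", "CreatorTool")
        h["document_id"] = h["document_id"] or _field(desc, "xmpMM", "DocumentID")
        h["original_document_id"] = h["original_document_id"] or _field(desc, "xmpMM", "OriginalDocumentID")
        derived = desc.find("xmpMM:DerivedFrom", NS)
        if derived is not None:
            h["derived_from"] = _field(derived, "stRef", "documentID")
        for li in desc.findall("xmpMM:History/rdf:Seq/rdf:li", NS):
            h["events"].append({k: _field(li, "stEvt", k) for k in ("action", "softwareAgent", "when", "changed")})
    return h

def assess(h):
    """What an examiner reads off the history: how many edit sessions, by which tools, and
    whether the file descends from a different document. Indicators, not proof of tampering."""
    agents = sorted({e["softwareAgent"] for e in h["events"] if e["softwareAgent"]})
    return {"edit_sessions": sum(e["action"] in ("saved", "converted", "derived") for e in h["events"]),
            "software_agents": agents,
            "derived_from_other_document": bool(h["derived_from"])
            or (h["original_document_id"] not in (None, h["document_id"]))}

# Constructed XMP packet in the shape Photoshop writes; IDs, tools and dates are invented.
SAMPLE_XMP = b"""<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
 xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#"
 xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"
 xmpMM:DocumentID="xmp.did:SAMPLE-DERIVED-0002" xmpMM:OriginalDocumentID="xmp.did:SAMPLE-ORIGINAL-0001">
 <xmpMM:DerivedFrom stRef:documentID="xmp.did:SAMPLE-ORIGINAL-0001"/>
 <xmpMM:History><rdf:Seq>
  <rdf:li stEvt:action="created" stEvt:softwareAgent="Adobe Photoshop CC 2014 (Macintosh)" stEvt:when="2015-03-01T10:00:00Z"/>
  <rdf:li stEvt:action="saved" stEvt:softwareAgent="Adobe Photoshop CC 2014 (Macintosh)" stEvt:when="2015-03-01T10:20:00Z" stEvt:changed="/"/>
  <rdf:li stEvt:action="derived" stEvt:softwareAgent="Adobe Photoshop CC 2014 (Macintosh)" stEvt:when="2015-03-02T09:00:00Z"/>
  <rdf:li stEvt:action="saved" stEvt:softwareAgent="Adobe Photoshop Lightroom 5.7 (Macintosh)" stEvt:when="2015-03-02T09:30:00Z" stEvt:changed="/"/>
 </rdf:Seq></xmpMM:History>
</rdf:Description></rdf:RDF></x:xmpmeta>"""

def build_sample_jpeg():
    """JPEG marker skeleton (SOI, APP1 with XMP, EOI): enough for the walker, not a decodable image."""
    payload = XMP_SIG + SAMPLE_XMP
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

if __name__ == "__main__":
    print(assess(xmp_history(extract_xmp(build_sample_jpeg()))))
```

The caveat the Gaza dispute illustrates applies to the script as well: XMP is written by the editing software and is trivially stripped or rewritten, so an absent history proves nothing, and a present one records that edits happened, not what they were. It is a lead to pair with ELA and a look at the pixels, not a verdict.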
Cynthia Baron writes in her book Adobe Forensics:

We can feel the visual punch of a scene in a photo, on video, or on TV hundreds of miles and years away. People who experienced the collapse of the World Trade Center on television know how completely the event overwhelmed the physical space they were in as they watched. (Baron, p. 28, 2008)

People are adept at recognizing patterns. German neurologist and psychologist Klaus Conrad described this tendency as “apophenia,” a type of “psychic thought process.” Science historian Michael Shermer uses the term “patternicity.” In either case, apophenia describes the phenomenon of seeing faces, particularly in unlikely places. There are many reports of seeing the face of Jesus Christ or the Virgin Mary in burnt toast, shower mold, motor oil or tree bark. Similar to Wilson Key’s “subliminal persuasion,” people see what they want to see (Poulsen, 2012). In 1976, the Viking Mars Orbiter sent back an interesting image from its flyover of Mars. When the area known as Cydonia Mensae was examined, something curious was detected (see Figure 14). Photoshop’s Dust and Scratches and Despeckle filters were applied to the image and then adjusted with Curves, and what appeared seemed to be the face of an “Egyptian god.” The Martian god is only a fanciful interpretation of reality, as are the sightings of Jesus in breakfast foods. Cynthia Baron explains, “It takes very little detail for us to form high-contrast shadows and reflections into features” (Baron, p. 323, 2008).

Figure 13: Peter Guzil in New York—1997.

Using a combination of Photoshop and Acrobat, images can be altered and hidden effectively. Figure 15 shows a two-layered image in Photoshop CC (2014).
The bottom (background) layer is an image of a golf course. The secondary layer is a solid black overlay. The file is saved from Photoshop as a PDF and then opened in Adobe Acrobat Pro XI (see Figure 16). Although the file contains both the golf course and the black overlay, only black is seen when the PDF is opened in Acrobat. When the PDF is opened in Photoshop, it retains the layers, the black overlay can be unchecked, and the golf course is revealed (see Figure 17). This is a simple way to hide an image and send it as a PDF without drawing suspicion. If the PDF is intercepted and opened in Acrobat, the only thing visible is the black overlay. The recipient would need Photoshop to open the file and show the layers. Acrobat’s Preflight panels do not reveal the presence of the golf course image (see Figure 18) (Macharyas, 2015). The lesson for an examiner is that what a viewer renders is not the same as what a file contains: the hidden content is still in the file, and a tool that walks the file’s objects rather than rendering its pages is what finds it.

Figure 14. Photoshop-enhanced image of a rock formation on Mars appears to be a face.

Figure 15: Two-layer (yellow circle) image created in Photoshop CC (2014).

Figure 16: The Photoshop image is saved as a PDF and opened in Adobe Acrobat Pro XI.

Figure 17: The PDF, in Photoshop, retains the layers, which can be turned on and off (yellow circle) to reveal the hidden image.

Another method of hiding information is with OpenPuff. OpenPuff can hide data in several types of carriers, such as JPG, MP3, etc., which are then sent to the unsuspecting recipient. Without knowing the information is in there, an interceptor wouldn’t know to look for it. The recipient would need OpenPuff and the authentication to extract it (Zuckerman, 2013).

For several years, Photoshop has been an essential forensic tool for examiners and law enforcement personnel. A cottage industry has arisen to meet the training demand. Companies such as Rocky Mountain Training offer Photoshop for Forensic Personnel courses for $600 (“Discover new dimensions in digital imaging,” n.d.).
Training opportunities for most Adobe products, and Photoshop in particular, can be taken through Massive Open Online Course (MOOC) providers, such as Udemy (“Photoshop Training Course,” n.d.), Alison (“Online Photoshop Classes,” n.d.), freelance graphic designers on Craigslist (“Learn Graphic Design using Adobe Photoshop - $200!!!,” 2015), or from Adobe itself (“Photoshop CC tutorials,” n.d.).

Figure 18: Acrobat’s Preflight does not show the background image.

The MOOCs offer certificates of completion, but Adobe offers its own, highly valued, certifications. Beginners can earn the Adobe Certified Associate (ACA), advanced users the Adobe Certified Expert (ACE), and those looking to teach Adobe, the Adobe Certified Instructor (ACI) (“Adobe Certified Expert Training,” n.d.). These courses and certifications are valuable for forensic examiners and law enforcement to add credence to their claims when analyzing images or presenting them as evidence in court. Adobe Certified Experts are rare: a search of Photoshop ACEs in Florida returns only 29 results, and the District of Columbia, zero (“Adobe Certified Expert Finder,” n.d.). There are many books and CD guides for examiners to learn the workings of Photoshop, such as Jim Hoerricks’ Forensic Photoshop (Hoerricks, 2008). Hoerricks claims that Photoshop can withstand a “Swinton Six” challenge. The Swinton Six are the six criteria for admitting computer-generated evidence set out in the 2004 Connecticut case State v. Swinton, in which Photoshop had been used to create bite-mark overlays purporting to show that the defendant had bitten the victim (Guthrie & Mitchell, 2007). Photographic evidence must pass the test of fairness and completeness. Prior to digital photography, film images had to pass this test as well, as physical photographs could be altered, cropped, resized and distorted much like digital images.
For digital images to pass the test, the following checklist was developed by Veronica Blas Dahir, manager of the Center for Research Design and Analysis at the University of Nevada, Reno (“Veronica Blas Dahir,” n.d.):

1. Completeness—Completeness of the photo is a common objection with digital photos due to the rampant availability of cropping capabilities.
   a. Cropping—is the photo unfairly cropped in the context for which it is used?
   b. Can a small version of the photo be juxtaposed next to an enlarged cropped portion?
2. Unfairness—Does the use of digital enhancement software raise unfairness concerns because of:
   a. Resizing
   b. Reshaping
   c. Cropping
   d. Changes to lighting
   e. Changes to color
   f. Enlargements (e.g., to a size larger than life)
(Dahir, p. 109, 2011)

Law enforcement, globally, will use Photoshop to hide its misdeeds. In 2013, four men were arrested for armed robbery in Greece. The media photographed them at the scene of the crime, and it was evident that the police had roughed them up. When the mug shots were released a few days later, the suspects’ wounds were no longer apparent. Similar to Slate’s experiment, in which 26% of respondents “remembered” a non-existent handshake between Presidents Obama and Ahmadinejad, the Greek officials were expecting the public to accept their altered reality just because “they said so.” Public Order Minister Nikos Dendias did admit that the images were Photoshopped, but only to make the men “more recognizable” to the public (Feinberg, 2013).

Portable Document Format (PDF)

Conducting a forensic examination of a PDF file is not very complicated, and it can yield a lot of data that can be used to make connections with open-source tools or the Internet. Metadata in PDF files is easy to view. Although there are several metadata tools, such as PDFwalker, PDFid and PDFmetadata, simply checking the PDF’s Document Properties can provide a lot of information. In the PDF metadataadvisor.pdf (see Figure 19), downloaded from msisac.cisecurity.org, the Properties panel shows the program that created it, the author of the document, the date it was created, and more. The metadata in the PDF shows that Margaret Morrissey created it, using Microsoft Word on a Mac on October 24, 2011 at 2:45:39 pm. That information was useful in “following the trail” to find the actual person who created the document, as her name does not appear in the PDF content. With the name extracted from the metadata (see Figure 20), the location (Albany, New York) referenced in the document, and “cybersecurity initiatives” in the text, it is evident that the author of the PDF is Margaret Morrissey, Executive Assistant, New York State Cyber Security, Albany, New York, www.cscic.state.ny.us (Morrissey, 2011).

Figure 19: PDF document: Metadata: A Backdoor Into Organizations.

Figure 20: Metadata of the PDF viewed with the Document Properties function in Acrobat Pro XI.

Wepawet is a free online tool that can be used for forensic examination of PDFs. The Morrissey PDF was uploaded to wepawet.org for analysis. The free online service returned a report showing that metadataadvisory.pdf was free of exploits (see Figure 21) (Cova, Kapravelos, Fratantonio, Kruegel, & Vigna, n.d.).

Figure 21: Wepawet analyzed the PDF and reported it was clean.

Digital signatures are a way of validating the authenticity of PDF documents. It is easy to digitally sign a PDF by providing a name and email address. Once the document has been digitally signed, it cannot be modified without invalidating the signature (Segura, 2013). However, the PDF can be opened in Photoshop and changes can be made. In the example, the headline was removed and the file saved back as a PDF (see Figure 22). Once opened in Acrobat, it appears to be a valid, digitally signed PDF. The giveaway is that a reader who tries to view the signing certificate is unable to do so: Photoshop rasterizes the page on import, so what looks like a signature is now just pixels, not a signature object a reader can validate. Without that basic check, though, the altered PDF looks just like one would expect.

Figure 22: Left: Validly signed PDF. Right: Altered PDF, filtered through Photoshop, after the headline was removed.

If one were to view the Document Properties of the altered and unaltered PDFs, it would be obvious there is a difference (see Figure 23). Ms. Morrissey, using her Mac OS X 10.6.8 system, created the original PDF file. The altered PDF was produced by Photoshop. A casual observer would probably never investigate this information, and the fraudulent PDF would be considered authentic and correct.

Figure 23: Metadata shows the PDF Producer for each document is different, indicating that it had been altered.

As diligent as forensic examiners can be, it is sometimes not possible to be certain of the results. In the Obama birth certificate controversy, the document was examined right down to the binary code to try to determine whether it was fake. There is still some doubt about its validity based on the metadata found in the PDF that the White House provided. WorldNetDaily writer Jerome Corsi posted a PDF document, based on research conducted by co-conspiracy theorist Garrett Papit, that makes the case that, even though the PDF producer was identified as a non-Adobe producer, it is possible that an earlier iteration, before it was “Saved As…” by the White House from Mac Preview, could have been manipulated with an Adobe program, such as Illustrator. Papit conducted an experiment in which he took a Hawaiian birth certificate, manipulated it with Illustrator and saved it as a PDF through Mac Preview to show that no Adobe metadata was retained (Papit, 2012). Papit and Corsi, along with Sheriff Arpaio and Donald Trump, have been using the “fraudulent birth certificate” against President Obama for years simply to make political points and feed their conspiracy-crazed ideals.
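The checks this section relies on (Document Properties, the Producer mismatch between the original and the Photoshop re-save, a signature that can no longer be validated, and, from the Photoshop section, content that is in the file but not on the page) can be done without Acrobat. The following Python scanner is an added example, not from the thesis or from any of the tools it names: it scans object by object (so it does not depend on the xref table, which a tamperer can rewrite), reads the /Info dictionary, counts pdfid-style keywords, lists image XObjects that no content stream draws, and checks whether a signature’s /ByteRange covers the whole file, since bytes appended after the signed range are unsigned even though the original signature still verifies. Photoshop keeps its layered data as application-private data inside the PDF rather than as a separate image object (an assumption about the format on my part, not something the thesis examines), so the undrawn-image check is a simplification of that case, not a reproduction of it. The sample PDFs are constructed, with an invented author and a placeholder signature value.

```python
import re
import zlib

# pdfid-style keywords whose presence warrants a closer look (constructed list, not exhaustive).
RISKY = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/OCProperties", "/Sig")

def _objects(blob):
    """Yield (number, dictionary text, stream bytes or None) for every 'N G obj ... endobj'.
    A plain scan: it also finds objects that a rewritten xref table no longer points at."""
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", blob, re.S):
        body = m.group(2)
        s = re.search(rb"\bstream\r?\n", body)
        head = body[:s.start()] if s else body
        data = body[s.end():].rsplit(b"endstream", 1)[0].rstrip(b"\r\n") if s else None
        if data is not None and b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass            # undecodable stream: keep the raw bytes, still worth a look
        yield int(m.group(1)), head, data

def _literal(head, key):
    """Value of '/key (...)' as text, honouring nested parentheses and backslash escapes."""
    m = re.search(rb"/" + key + rb"\s*\(", head)
    if not m:
        return None
    depth, i, buf = 1, m.end(), bytearray()
    while i < len(head) and depth:
        ch = head[i:i + 1]
        if ch == b"\\":
            buf += head[i + 1:i + 2]; i += 2; continue
        depth += (ch == b"(") - (ch == b")")
        if depth:
            buf += ch
        i += 1
    return buf.decode("latin-1")

def scan_pdf(blob):
    objs = {n: (h, d) for n, h, d in _objects(blob)}
    report = {"info": {}, "risky": {}, "undrawn_images": [], "signature": None}
    # Document Properties come from the /Info dictionary named in the trailer.
    t = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", blob)
    if t and int(t.group(1)) in objs:
        head = objs[int(t.group(1))][0]
        report["info"] = {k: _literal(head, k.encode()) for k in ("Creator", "Producer", "Author", "CreationDate")}
    # Keyword counts over the raw file, the way pdfid reports them.
    for k in RISKY:
        n = len(re.findall(re.escape(k.encode()) + rb"\b", blob))
        if n:
            report["risky"][k] = n
    # Image XObjects that no content stream draws: in the file, invisible on the page.
    images = {n for n, (h, _) in objs.items() if re.search(rb"/Subtype\s*/Image\b", h)}
    names = {}
    for h, _ in objs.values():
        for xo in re.finditer(rb"/XObject\s*<<(.*?)>>", h, re.S):
            for nm, ref in re.findall(rb"/(\w+)\s+(\d+)\s+\d+\s+R", xo.group(1)):
                names.setdefault(int(ref), set()).add(nm)
    drawn = set()
    for n, (_, d) in objs.items():
        if d is not None and n not in images:
            drawn.update(re.findall(rb"/(\w+)\s+Do\b", d))
    report["undrawn_images"] = [n for n in sorted(images) if not names.get(n, set()) & drawn]
    # A signature's /ByteRange [a b c d] covers bytes [a,a+b) and [c,c+d); anything past c+d is unsigned.
    for n, (h, _) in objs.items():
        br = re.search(rb"/Type\s*/Sig\b.*?/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", h, re.S)
        if br:
            a, b, c, d = map(int, br.groups())
            report["signature"] = {"object": n, "unsigned_trailing_bytes": len(blob) - (c + d)}
    return report

def _xref_trailer(offsets, xref_pos):
    n = len(offsets) + 1
    x = b"xref\n0 %d\n0000000000 65535 f \n" % n + b"".join(b"%010d 00000 n \n" % o for o in offsets)
    return x + b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\nstartxref\n%010d\n%%%%EOF\n" % (n, xref_pos)

def build_sample_pdf(producer, draw_image=False, sign=False, appended=b""):
    """Constructed one-page PDF (illustration only): a black page, a 2x2 RGB image drawn only when
    draw_image is set, an /Info dictionary and, optionally, a signature dictionary whose /ByteRange
    is computed to cover the whole file. 'appended' simulates data added after signing."""
    content = b"0 g 0 0 200 200 re f\n" + (b"q 200 0 0 200 0 0 cm /Im1 Do Q\n" if draw_image else b"")
    pixels = bytes([0, 255, 0] * 4)
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 4 0 R "
            b"/Resources << /XObject << /Im1 5 0 R >> >> >>",
            b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
            b"<< /Type /XObject /Subtype /Image /Width 2 /Height 2 /ColorSpace /DeviceRGB "
            b"/BitsPerComponent 8 /Length %d >>\nstream\n%s\nendstream" % (len(pixels), pixels),
            b"<< /Producer (%s) /Creator (Microsoft Word) /Author (A. Author) "
            b"/CreationDate (D:20111024144539) >>" % producer.encode()]
    out, offsets = b"%PDF-1.6\n", []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref_pos = len(out)
    if sign:
        offsets.append(len(out))
        prefix = b"7 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange [0 %08d %08d %08d] /Contents "
        sig, tail = b"<" + b"00" * 32 + b">", b" >>\nendobj\n"   # placeholder, not a real CMS blob
        b = len(out) + len(prefix % (0, 0, 0))                  # fixed-width fields keep this stable
        c = b + len(sig)
        xref_pos = c + len(tail)
        d = len(tail) + len(_xref_trailer(offsets, xref_pos))
        out += prefix % (b, c, d) + sig + tail
    return out + _xref_trailer(offsets, xref_pos) + appended
```

Run against the page’s scenario, the scanner reports the original as produced by Mac OS X Quartz with an intact signature and the image drawn, the Photoshop re-save as a different Producer with no signature object at all, and a file with bytes appended after signing as signed-but-extended. None of this validates the signature cryptographically; that still needs the signer’s certificate chain, which is exactly what the re-saved file can no longer offer.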
Common citizens and forensic examiners can use Adobe software for many benign purposes, but the tools themselves can be perverted to present a political view of the user’s choosing. This tactic can easily backfire, however. Now that Donald Trump is himself a presidential candidate, he has been asked to provide his long-form birth certificate, just as he demanded from President Obama. Trump refused (Gabbatt, 2015). Trump staffer Michael Cohen responded to the Guardian’s request for the document by saying the paper was trying to “be funny” and that the request was “stupid” (Gutentag, 2015). Donald John Trump claims to have been born June 14, 1946, in Queens, New York. Whether he was or wasn’t we may never know, but a new army of Adobe-armed cybersleuths will be ready to take up the call and analyze every pixel and string of code in any document Trump may produce.

ColdFusion

Websites are built with a variety of tools. WordPress, Joomla, Drupal, straight HTML coded with Notepad, development tools such as Dreamweaver, or even print-based programs such as QuarkXPress, and ColdFusion are some of the tools used for website development. There are several methods that can be used to determine how a website was built. One method is the free online tool BuiltWith. By entering the URL of the target website, BuiltWith produces a report that shows the website’s framework, server, email service, advertising, analytics, JavaScript libraries, mobile, video, widgets, and more. Entering “Utica.edu” returns a report that shows that the site uses a ColdFusion framework. It shows that Utica.edu uses SWFObject, a small JavaScript file used for embedding Adobe Flash content, as well. By viewing the detailed report, it is noted that Utica.edu first used ColdFusion in January 2011 and has used it for four years. BuiltWith also shows comparison and general usage of the selected tool.
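Added example (not from the thesis): the same fingerprinting in Python over page source and response headers, using the markers this section describes (the .cfm extension of ColdFusion templates, the swfobject script for Flash embedding, the wp-content path and generator tag for WordPress) plus the CFID/CFTOKEN session cookies ColdFusion sets. The sample pages are constructed; the first reuses the anchor tag quoted from Utica.edu in this section, and the cookie header is invented.

```python
from html.parser import HTMLParser

# Markers for the frameworks this section discusses. A constructed shortlist, not a profiler's
# full database. CFID/CFTOKEN are ColdFusion's classic session cookies; /wp-content/ and
# /wp-includes/ are WordPress paths; swfobject is the Flash-embedding script BuiltWith reported.
MARKERS = {
    "ColdFusion": {"suffix": (".cfm", ".cfc"), "contains": ("/cfide/",), "cookies": ("CFID", "CFTOKEN")},
    "WordPress": {"suffix": (), "contains": ("/wp-content/", "/wp-includes/"), "cookies": ("wordpress_logged_in",)},
    "SWFObject": {"suffix": (), "contains": ("swfobject",), "cookies": ()},
}

class _PageLinks(HTMLParser):
    """Collect every href/src/action URL and every <meta name="generator"> value in a page."""
    def __init__(self):
        super().__init__()
        self.urls, self.generators = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.urls.extend(a[k] for k in ("href", "src", "action") if a.get(k))
        if tag == "meta" and (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])

def fingerprint(html, headers=None):
    """Return {framework: [evidence, ...]} from page source plus, optionally, response headers."""
    page = _PageLinks()
    page.feed(html)
    cookies = {k.lower(): v for k, v in (headers or {}).items()}.get("set-cookie", "")
    found = {}

    def hit(framework, evidence):
        found.setdefault(framework, []).append(evidence)

    for url in page.urls:
        path = url.split("?", 1)[0].split("#", 1)[0].lower()   # ignore query string and fragment
        for fw, m in MARKERS.items():
            if m["suffix"] and path.endswith(m["suffix"]):
                hit(fw, "url ends with %s: %s" % ("/".join(m["suffix"]), url))
            elif any(s in path for s in m["contains"]):
                hit(fw, "url contains marker: %s" % url)
    for fw, m in MARKERS.items():
        for name in m["cookies"]:
            if name + "=" in cookies:
                hit(fw, "cookie %s set" % name)
    for g in page.generators:
        hit((g.split() or [g])[0], "meta generator: %s" % g)
    return found

# Constructed sample pages. The first reuses the anchor tag quoted from Utica.edu in this section.
SAMPLE_COLDFUSION_PAGE = """<html><head>
<script type="text/javascript" src="/js/swfobject.js"></script></head><body>
<a id="header_C00F8FD8-E9B7-9AAE-1157C5D8D369EF89" href="/college/students.cfm" class="showheader showheaderfocus">Students</a>
<a href="/college/faculty.cfm?dept=cs#top">Faculty</a>
<img src="/images/logo.png"></body></html>"""
SAMPLE_WORDPRESS_PAGE = """<html><head><meta name="generator" content="WordPress 4.2.2">
<link rel="stylesheet" href="/wp-content/themes/sample/style.css"></head><body>Hello</body></html>"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE_COLDFUSION_PAGE, {"Set-Cookie": "CFID=1234; path=/, CFTOKEN=abcd; path=/"}))
    print(fingerprint(SAMPLE_WORDPRESS_PAGE))
```

Treat each hit as a lead rather than proof: a URL extension is only a server-side routing convention and can be set to anything, and a site that has migrated frameworks often keeps its old URLs for compatibility, which is why the cookie and generator evidence is collected alongside the path evidence.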
The report shows a decline in ColdFusion sites and that only 0.1% of the entire Internet is using ColdFusion (219,712 of 328,854,228 sites). By comparison, viewing a report of a website (Macharyas.com) created with the more popular web tool WordPress shows an increase in use and 5% of the Internet using WordPress (16,380,242 of 328,854,228) (“UTICA.EDU Technology Profiler,” 2015). Another method of determining how a site was built is by examining the source code. Showing a site’s source code is a function of the browser. Apple OS X Firefox users can open a window showing the source code by entering Command-U. By looking through the code, or by searching for a specific string, the framework can easily be determined. Searching the source code of Utica.edu for the extension “.cfm” finds strings such as:

<a id="header_C00F8FD8-E9B7-9AAE-1157C5D8D369EF89" href="/college/students.cfm" class="showheader showheaderfocus">Students</a>

Searching the code for all instances of “.cfm” returns 62 results. This is the extension used by ColdFusion templates (“.CFM File Extension,” 2011). A practitioner should treat this as a hint rather than proof: an extension in a URL is only a server-side routing convention and can be set to anything, and a site that has migrated frameworks may keep its old URLs for compatibility.

InDesign

Many publications, such as Selling Power, The American Spectator and Today’s Campus, switched from QuarkXPress to InDesign in the early 2000s. Even in this seemingly innocuous program, there is embedded metadata that can be analyzed, and editors and publishers can use it to keep track of their employees’ work as the InDesign file is modified (Wheeler, 2008). Figure 24 shows the metadata of the September 2013 cover of The American Spectator magazine InDesign file.

Figure 24: Metadata derived from an Adobe InDesign file.
Viewing the metadata (“Adobe InDesign Component Information”) by holding down the Command key and selecting “About InDesign,” it is clear that this document was originally created in July 2012 and modified several times. This could be an indication of another’s work being appropriated, modified and passed off as original work. This form of evidence would need to be corroborated with work orders, time clocks, emails, etc.

Adobe software continues to expand, and it becomes increasingly embedded in our lives much as Microsoft and Google have become. Many people just aren’t aware of it, though. People may have heard of Flash and PDF, and maybe know someone who uses Illustrator or InDesign, but Adobe reaches far and wide. Many people do not realize how often they use Adobe programs. Even people who use some Adobe products for their work, such as InDesign and Photoshop, may not realize that they use more Adobe products elsewhere, such as Flash, PDFs and ColdFusion, and are exposed to the exploits inherent in those programs. The Adobe Marketing Cloud, and its 2011 acquisition of Nitobi’s PhoneGap (a framework that allows developers to create mobile applications using JavaScript, HTML5 and CSS3), make Adobe a huge, unseen force, from the desktop to the printed page to the screen on the latest smartphone (Koetsier, 2015).

Future Research and Recommendations

This report covers a small portion of Adobe programs, systems, and corporate-customer relations and the threats that can be introduced into all those components. Adobe products are grouped into “suites.” Each suite is tailored to a specific purpose. As of this writing, Adobe suites consist of Adobe Marketing Cloud, Adobe Creative Suite, Adobe Creative Cloud, Adobe Technical Communication Suite, Adobe eLearning Suite, and Adobe’s discontinued, but still used, programs such as PageMaker, FreeHand, GoLive, Streamline and ImageReady (see Appendix B). Within these suites are the individual programs. For example, the Adobe Marketing Cloud contains Experience Manager, Adobe Analytics, Adobe Media Optimizer, Adobe Campaign, Adobe Target, and Adobe Social. All of these programs and modules can be used to introduce threats to consumers, can be turned to nefarious purposes, and contain important forensic information that examiners can extract if they know how to parse it (“List of Adobe software,” 2015).

In October 2014, Adobe launched a suite of programs for use on mobile devices, beginning with Apple’s iOS. These “Capture” apps allow mobile device users to experience Adobe programs on phones and tablets. The work performed on the devices is non-destructive, with the original versions retained in the Adobe Cloud. The results can then be integrated with desktop versions of Adobe software, such as Photoshop. The mobile apps are offered free of charge, but an Adobe ID is required to use them. As more people become Adobe users, the risk of exploits grows along with it. Adobe has suffered catastrophic breaches in the past with its desktop-based and cloud storage systems, and mobile device usage for the masses will only expand that threat. Writing for Forbes, Anthony Wing Kosner shares this scenario:

Imagine (as I am sure Adobe is) that your nine-year-old who loves Instagram starts using one of the new Adobe apps. Her Adobe ID will become her portfolio and keepsake of her early creative development. As she hones her skills, it may also help her get into college or land her first job or freelance gig. (Kosner, 2014)

In June 2015, Adobe expanded its mobile device collection further by introducing Creative Cloud mobile apps for Android devices through the Google Play app store. Formerly available only on Apple iOS, Android users can now use Color CC, Photoshop Mix, Brush CC and Shape CC.
With the inclusion of Android devices, Adobe is now available on virtually any device worldwide, which has far-reaching consequences for exploits in the United States and abroad (Dove, 2015). Photoshop will play an increasingly larger role in the future as 3D printing grows in popularity. Adobe has added new 3D features to Photoshop, and the future can only promise more. The newest version of Photoshop includes 3D mesh simplification for processing and performance improvements, 3D bump maps for adding texture, and the ability to edit 3D color, which has been a problem due to incompatibility with vertex colors, which are contained in most 3D scans (Millsaps, 2015). Vertex colors, or “vcolor,” are RGB colors with an added alpha channel that can be applied to every vertex of a mesh. “Nerseus” explains on the IMVU 3D Social Network forum:

With vertex colors, you can “paint” on your model, and it will influence the colors put on by the texture map. You could, for example, put one texture on two walls but have each get different shadows. Or you could model a lamp in the corner of your room and have it put “light” on the wall. (Nerseus, 2011)

Photoshop is an essential tool for investigators to use in analyzing photographs. Even if the photos are of poor quality, a trained Photoshop user can enhance the image in numerous ways: sharpening details, reducing shadows, reducing blur or noise, or zooming, amongst others. Adobe software is more than just what Adobe “ships in the box.” Plug-ins extend the products and customize them for each individual’s use. As industries increasingly use Adobe software for their purposes, and hackers and criminals use the software for their criminal purposes, Adobe software will need to be examined forensically for many years. There are plug-ins available that can be added to Photoshop to increase its usefulness to forensic examiners.
Existing plug-ins and plug-ins still in development are areas that will require sustained future study. One such plug-in is ClearID. ClearID is a non-destructive plug-in and can be used to analyze stills and video. ClearID also automatically hashes each image with SHA-1 for verification. ClearID is part of the dTective suite of tools that can analyze many forms of image media (“ClearID Image Clarification for Adobe Photoshop,” 2015). The “Color Deconvolution” plug-in for Photoshop is used to recover erased text, simulate infrared photography and remove stains in photo restoration cases. The “Warping” plug-in can change the perspective of a scene. For example, an image of a parking lot taken from the vantage point of a truck can be altered to show the vantage point from higher up, such as from a drone. The “Fourier Transform” plug-in is useful for removing periodic patterns, such as halftone screens. When applied to an image of a fingerprint, the image can be enhanced by removing repeated pattern distortions. The “Digitization” plug-in is valuable for document analysis. For example, a copied document can be examined and the Digitization plug-in used to create coordinates of specks on the image that can then be matched to a suspected copier used for nefarious purposes. It can also be used to compare printer output to determine whether a suspected printer was used (“4N6site.com Forensic Photoshop Plug-ins,” n.d.).

Photoshop is a useful tool for cyberbullies. Summer Bias, writing for AOL Digital Matters, explains how Photoshop can be used as a tool of cyberbullying:

Thanks to mobile texting, blogs and social networking, the spread of information is so fast, easy and free that it makes the hallway gossip of yesteryear look downright archaic. Kids don’t have to wait for a story to pass from one person to another (to another) anymore.
They can tell one story to a thousand people with one single click. And, instead of just whispering about who did what with whom, kids can now post photos or videos of the act—easily obtained with cell phone cameras and possibly manipulated with tools such as PhotoShop. (Bias, 2012)

Parents can use Photoshop to “shame” their own children as well. Akron, Ohio mother Denise Abbott did just that to her 13-year-old daughter Ava for airing her gripes on Facebook. Abbott used Photoshop to post an image of Ava with a red “X” placed over her mouth and the following text: “I do not know how to keep my (mouth shut). I am no longer allowed on Facebook or my phone. Please ask why. My mom says I have to answer everyone that asks” (Hinduja, 2012).

Criminals, forensic analysts, designers, photographers and regular people trying to prove a point all use Photoshop. In many instances it is obvious that there is criminal intent, but there are also many cases, such as the Abbott case, in which Photoshop is used for personal retaliation, sometimes directed at family matters. A complete study of Photoshop’s uses, from criminal intent to personal gripes, cyberbullying, and shaming, is an area worthy of additional study.

Photoshop’s use can also have unintended consequences. With all the best of intentions, sometimes the use of Photoshop can be taken too far. An all-girls high school yearbook photo of Reddit user “love_a_good_ood” was altered to such a degree that the student lashed out on social media (see Figure 25). Writing on Reddit, she posted:

I have a round face that I have grown to love and now I get my photo back with a different face. The new photo no longer even looks like me but rather a prettier twin sister. (Mastroeni, 2015)

Figure 25: Photoshop used to alter high school yearbook photo.

The psychological impact of Photoshop’s results would make an interesting subject for psychological study.
Some users of Photoshop intentionally subvert an image with criminal intent, but sometimes there are unintended consequences. The impact of Photoshop’s results on society is an area that can be studied further. Photoshop is so insidious that many people do not realize how it has been used throughout history to alter reality or manipulate perception, as well as to retaliate against one’s enemies.

Adobe products are available for Windows and Apple OS and are considered the de facto programs for creating many forms of documents and creative communications. However, this does not mean that the results created with these products cannot be achieved using other programs. There are several open source programs that work almost identically to Adobe programs. Open Office and Libre Office are open source programs that can be used in almost the same way as Microsoft Office, but without the cost. Open source tools are also available that “mimic” Adobe products. GIMP is an open source alternative to Photoshop. Although it does not currently support Pantone colors and there is no formal training or certification for GIMP users, GIMP is free. GIMP uses much less hard disk space and is compatible with Windows, Mac OS and Linux. GIMP can work with file formats such as JPG and PNG just as Photoshop can, but its native file extension is XCF as opposed to Photoshop’s PSD (Mikoluk, 2013). Scribus is an open source alternative to InDesign (or QuarkXPress). It performs similarly to InDesign and can be used to create material in much the same way. Although not in wide use for larger projects, Scribus is an acceptable option for smaller projects, such as brochures and menus. Scribus does feature the ability to export PDFs with animation and interactive features. Although users cannot import native InDesign or QuarkXPress files, Scribus does support importing Microsoft Publisher files.
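An examiner who recognizes these formats only by their extensions will miss a GIMP or Scribus file stored under an unfamiliar or misleading name. The following Python routine is an added example, not code from the capstone or from any Adobe or open source project: it identifies files by their leading byte signatures (the well-known magic values of each format; the Scribus check relies on its XML root element), flags names whose extension disagrees with the detected type, and records a SHA-1 hash for later verification, as the ClearID plug-in described earlier does. The sample files are constructed in memory and contain only headers.

```python
"""Content-based identification of design and document files for triage.

Added example: the sample "files" below are constructed in memory (no real
evidence). Each one is identified from its leading bytes, the detected type
is compared with the file extension, and the bytes are hashed so the result
can be verified later, much as ClearID records a SHA-1 for each image.
"""
import hashlib
import os

# Leading-byte signatures (magic values) for the formats discussed in the text.
# PSB (large-document Photoshop) shares the "8BPS" prefix with PSD.
SIGNATURES = [
    (b"8BPS", "Adobe Photoshop (PSD/PSB)"),
    (b"%PDF-", "Adobe PDF"),
    (b"FWS", "Adobe Flash (SWF)"),            # uncompressed SWF
    (b"CWS", "Adobe Flash (SWF)"),            # zlib-compressed SWF
    (b"ZWS", "Adobe Flash (SWF)"),            # LZMA-compressed SWF
    # InDesign documents start with a fixed 16-byte GUID.
    (bytes.fromhex("0606EDF5D81D46E5BD31EFE7FE74B71D"), "Adobe InDesign (INDD)"),
    (b"gimp xcf ", "GIMP image (XCF)"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
]

# Scribus SLA files are XML; the root element identifies them.
SCRIBUS_ROOT = b"<SCRIBUSUTF8"

# Extensions each detected type is normally stored under.
EXPECTED_EXT = {
    "Adobe Photoshop (PSD/PSB)": {".psd", ".psb"},
    "Adobe PDF": {".pdf"},
    "Adobe Flash (SWF)": {".swf"},
    "Adobe InDesign (INDD)": {".indd", ".indt"},
    "GIMP image (XCF)": {".xcf"},
    "Scribus document (SLA)": {".sla"},
    "JPEG image": {".jpg", ".jpeg"},
    "PNG image": {".png"},
}


def identify(data: bytes) -> str:
    """Return the format name for the given bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    # XML-based formats carry a declaration first, so look a little deeper.
    if SCRIBUS_ROOT in data[:512]:
        return "Scribus document (SLA)"
    return "unknown"


def triage(files: dict) -> list:
    """Identify and hash every entry of a {file name: bytes} mapping.

    Each record notes whether the extension disagrees with the detected type,
    which is the case an examiner scanning by name alone would miss.
    """
    records = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        kind = identify(data)
        expected = EXPECTED_EXT.get(kind)
        records.append({
            "name": name,
            "type": kind,
            "ext_mismatch": expected is not None and ext not in expected,
            "sha1": hashlib.sha1(data).hexdigest(),
            # SHA-1 matches what ClearID records; SHA-256 is kept alongside
            # because SHA-1 is no longer collision resistant.
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


# Constructed sample files: headers only, padded so they are not empty.
SAMPLES = {
    "badguy.xcf": b"gimp xcf v011\x00" + b"\x00" * 32,
    "ransomnote.sla": (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                       b'<SCRIBUSUTF8NEW Version="1.4.5">\n</SCRIBUSUTF8NEW>\n'),
    "notes.txt": b"8BPS\x00\x01" + b"\x00" * 32,         # PSD hidden as text
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "thing.dat": b"\x00\x01\x02\x03" * 8,                   # no known signature
}

if __name__ == "__main__":
    for rec in triage(SAMPLES):
        flag = "  <-- extension does not match content" if rec["ext_mismatch"] else ""
        print(f"{rec['name']:<16} {rec['type']:<28} sha1={rec['sha1'][:12]}...{flag}")
```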
Scribus native files use SLA as the file extension, whereas InDesign uses INDD. Scribus runs on Windows, Mac OS and Linux as well, and like GIMP, it is free (Huang, 2013).

Knowing about and learning how to use these open source tools is important for forensic examiners and law enforcement. When faced with a hard drive full of evidence, it may be easy to overlook a file with a name such as “badguy.xcf” and not realize that this is an image file that can be easily opened with GIMP. Likewise, an examiner searching for an incriminating document might overlook “ransomnote.sla” without realizing that the suspect was using Scribus for his criminal enterprise. It is also important to use these programs to try to open files that cannot be opened otherwise, such as using Scribus to open Microsoft Publisher files. In certain circumstances, a similar program can open a file type that the “go-to” program cannot. Learning these programs will enable examiners and law enforcement to make quicker and more logical decisions when faced with unusual files.

Adobe’s large number of programs produce a large number of file extensions. Many of these would be unknown to a forensic examiner, and many could have been produced by discontinued programs. Adobe’s discontinued website-building program, GoLive, produces a SITE extension (“File Extension .SITE Details,” n.d.). A complete list of Adobe programs, supported and unsupported, and their resulting file extensions should be compiled for easy reference.

References

4N6site.com Forensic Photoshop Plug-ins. (n.d.). Retrieved from https://dl.dropboxusercontent.com/u/6795661/4N6site/main.htm
Adobe – PageMaker Support Center. (n.d.). Retrieved from https://www.adobe.com/support/products/pagemaker.html
Adobe products | Adobe. (2015, July 4). Retrieved from http://www.adobe.com/products/catalog.html
Adobe Systems Inc - Early History: Warnock And Geschke. (n.d.). Retrieved from http://ecommerce.hostip.info/pages/4/Adobe-Systems-Inc-EARLY-HISTORY-WARNOCK-GESCHKE.html
Anthony, S. (2013, May 13). Was the 2013 World Press Photo of the Year faked with Photoshop, or merely manipulated? Retrieved from http://www.extremetech.com/extreme/155617-how-the-2013-world-press-photo-ofthe-year-was-faked-with-photoshop
Arogundade, B. (n.d.). Black History 1994: The O.J. Simpson Criminal Murder Case Trial - “Time” Cover Deliberately Darkened Mugshot. Retrieved from http://www.arogundade.com/oj-simpson-murder-trial-case-time-and-newsweek-magazine-cover-controversy-1994-oj-simpson-photo-manipulation.html
Baron, C. (2008). Adobe Photoshop Forensics: Sleuths, Truths, and Fauxtography. Boston, Massachusetts: Thomson Course Technology. Retrieved from http://eds.b.ebscohost.com/ehost/ebookviewer/ebook/bmxlYmtfXzI2MzM2M19fQU41?sid=990b8d49-9676-46b4-90ab-6e07c81f6db5@sessionmgr113&vid=0&format=EB&lpid=lp_vi&rid=0
Beeck, C., Matrosov, A., Paget, F., Peterson, E., Pradeep, A., Schmugar, C., … Wosotowsky, A. (2015). McAfee Labs Threats Report. Santa Clara, California: Intel Security. Retrieved from http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf
Belcher, P. (2014, July 14). Glenn Beck’s The Blaze Site Serving Malicious Ads. Retrieved June 30, 2015, from http://www.invincea.com/2014/07/glennbecks-the-blaze-site-serving-malicious-ads/
Bias, S. (2012, July 31). Cyberbullying - Cliques Who Click. Retrieved from http://blog.lifestore.aol.com/2012/07/31/cyberbullying-cliques-who-click/
Brodkin, J. (2011, December 9). Chrome sandboxing makes it the most secure browser, vendor study claims. Retrieved from http://arstechnica.com/business/news/2011/12/chrome-sandboxing-makes-it-the-most-securebrowser-vendor-study-claims.ars
Campbell, C. (2015, May 12). 5/12/2015 - Release - Flash Player 17. Adobe Communities. Retrieved from https://forums.adobe.com/thread/1843037
.CFM File Extension. (2011, March 2). Retrieved from http://fileinfo.com/extension/cfm
ClearID Image Clarification for Adobe Photoshop. (2015, May 12). Retrieved from http://www.oceansystems.com/forensic/forensic-Photoshop-Plugins/index.php
Conspiracy, D. (2011, May 31). Reply to Douglas Vogt. Retrieved from http://www.obamaconspiracy.org/2011/05/reply-to-douglas-vogt/
Cova, M., Kapravelos, A., Fratantonio, Y., Kruegel, C., & Vigna, G. (n.d.). Wepawet [Browser]. The Regents of the University of California. Retrieved from http://wepawet.iseclab.org./
Crowsey, R. (n.d.). State v Swinton Sets New Guidelines for Computerized Evidence (p. 1). Hattiesburg, Mississippi: Crowsey, Inc. Retrieved from http://www.crowsey.com/newsSub.php?news_id=2
Current PDF Threats. (2014, August 14). Retrieved from http://www.malwaretracker.com/pdfthreat.php
Cybersecurity complacency a leading cause of data breaches. (2014, July 31). Retrieved from http://blog.trendmicro.com/cybersecurity-complacency-a-leading-cause-of-data-breaches/
Danchev, D. (2011, March 3). Report: malicious PDF files becoming the attack vector of choice. Retrieved from http://www.zdnet.com/article/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/
Dillet, R. (2012, December 21). Adobe Acquired Portfolio Service Behance For More Than $150 Million In Cash And Stock. Retrieved from http://social.techcrunch.com/2012/12/21/adobe-acquired-portfolio-service-behancefor-more-than-150-million-in-cash-and-stock/
Discover new dimensions in digital imaging. (n.d.). Retrieved from http://www.rockymountaintraining.com/class_photoshop_forensics.php
Discover the Creative Cloud 2015 experience. (2015, July 4). Retrieved from https://creative.adobe.com/plans
Dove, J. (2015, June 16). Adobe launches its first Creative Cloud mobile apps on Android. Retrieved from http://thenextweb.com/apps/2015/06/15/adobe-launches-its-first-creative-cloud-mobile-apps-on-android/
Ducklin, P. (2013, November 4). Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder. Retrieved from https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
Du, M. (2013, November 5). Malicious PDF Analysis Evasion Techniques. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdf-analysis-evasion-techniques/
Duncan, G. (2012, August 17). Adobe Flash for Android: Gone with barely a whimper. Retrieved from http://www.digitaltrends.com/mobile/adobeflash-for-android-gone-with-barely-a-whimper/
Fallon, K. (2012, November 27). Fooled by “The Onion”: 9 Most Embarrassing Fails. Retrieved from http://www.thedailybeast.com/articles/2012/09/29/fooled-by-the-onion-8-most-embarrassing-fails.html
Famous Photoshopped Fakes. (n.d.). Retrieved from http://www.foxnews.com/photoessay/0,4644,6636,00.html/#/photoessay/image/0220091154_M_fakes_tourist_guy-jpg
Farid, H. (2011, August 10). Image Authentication and Forensics | Fourandsix Technologies - Blog - Enhance – no, really. Retrieved from http://www.fourandsix.com/blog/2011/8/10/enhance-no-really.html
FotoForensics. (n.d.). Hacker Factor. Retrieved from http://fotoforensics.com/
Gafford, R. (1958). The Operational Potential of Subliminal Perception. Retrieved from https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol2no2/pdf/v02i2a07p.pdf
Gallagher, S. (2013, April 16). ColdFusion hack used to steal hosting provider’s customer data. Retrieved from http://arstechnica.com/security/2013/04/coldfusion-hack-used-to-steal-hosting-providers-customer-data/
Gaza Burial, by Paul Hansen. (n.d.). Retrieved from http://www.worldpressphoto.org/collection/photo/2013/spot-news/paul-hansen
Girard, D. (2014, January 14). How QuarkXPress became a mere afterthought in publishing. Retrieved from http://arstechnica.com/information-technology/2014/01/quarkxpress-the-demise-of-a-design-desk-darling/
Gitelman, L. (2014). Paper Knowledge: Toward a Media History of Documents. Duke University Press.
Goodin, D. (2015, February 4). As Flash 0day exploits reach new level of meanness, what are users to do? Retrieved from http://arstechnica.com/security/2015/02/as-flash-0day-exploits-reach-new-level-of-meannesswhat-are-users-to-do/
Greenberg, A. (2009, December 12). The Year’s Most-Hacked Software. Retrieved June 1, 2015, from http://www.forbes.com/2009/12/10/adobe-hackers-microsoft-technology-cio-network-software.html
Guthrie, C., & Mitchell, B. (2007, September 26). The Swinton Six: The Impact of State v. Swinton on the Authentication of Digital Images. Stetson Law Review. Retrieved from http://www.stetson.edu/law/lawreview/media/the-swinton-six-the-impact-of-state-v-swinton-on-the-authentication-of-digital-images.pdf
Harley, R. (n.d.). James Vicary: Experiment & Overview. Retrieved from http://study.com/academy/lesson/james-vicary-experiment-lesson-quiz.html
Harshbarger, W. (2008, August 8). Fraudulent CNN emails contain links to Trojan. Retrieved from http://www.purdue.edu/SecurePurdue/news/2008/Fraudulent-CNN-emails-contain-links-to-Trojan.cfm
Hasidic Newspaper Photoshops Hillary Clinton Out Of Iconic Picture. (2011, May 9). Retrieved from http://www.huffingtonpost.com/2011/05/09/hillary-clinton-der-tzitung-removed-situation-room_n_859254.html
Haugech. (2015, April 29). Forensic Scientist III/Quality Assurance Specialist–Latent Print Examiner Saint Paul Police Department Forensic Services Unit Position Profile. City of St. Paul, Minnesota. Retrieved from http://www.stpaul.gov/DocumentCenter/View/78532
Higgins, K. (2013, October 7). Hacking The Adobe Breach. Retrieved from http://www.darkreading.com/attacks-breaches/hacking-the-adobebreach/240162362
Hinduja, S. (2012, May 1). Cyberbullying Your Own Kids to Punish Them. Retrieved from http://cyberbullying.us/cyberbullying-your-own-kids-topunish-them/
Hoerricks, J. (2008). Forensic Photoshop. Jim Hoerricks. Retrieved from http://www.blurb.com/b/196812-forensic-photoshop
Hoffman, C. (2014, January 8). Why Browser Plug-Ins Are Going Away and What’s Replacing Them. Retrieved from http://www.howtogeek.com/179213/why-browser-plug-ins-are-going-away-and-whats-replacingthem/
Hughes, D. (n.d.). Adobe ColdFusion for the Web Developer. Retrieved from http://www.htmlgoodies.com/primers/database/article.php/3756161/Adobe-ColdFusion-for-the-Web-Developer.htm
Jackson, V. (2013, December 13). Mysterious Death Related to Obama’s Fake Birth Certificate. Retrieved from http://victoriajackson.com/10252/mysterious-death-related-obamas-fake-birth-certificate
Key, W. (1974). Subliminal Seduction. Signet.
Koetsier, J. (2014, March 25). Adobe turns marketing cloud up to 11 with massive update, SAP deal, new mobile tools. Retrieved from http://venturebeat.com/2014/03/25/adobe-turns-marketing-cloud-up-to-11-withmassive-update-sap-deal-new-mobile-tools/
Koetsier, J. (2015, January 28). How Adobe is embedding its marketing cloud into thousands of mobile apps—and soon more. Retrieved from http://venturebeat.com/2015/01/28/how-adobe-is-embedding-its-marketingcloud-into-thousands-of-mobile-apps-and-soon-more/
Kosner, A. (2014, October 9). Adobe Launches Free Mobile Apps As Gateway To Creative Professions. Retrieved from http://www.forbes.com/sites/anthonykosner/2014/10/09/adobe-launches-free-mobile-apps-as-gatewayto-creative-professions/
Krawetz, N. (2009, November 2). Body By Victoria. Retrieved from http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html
Krebs, B. (2013, October 29). Adobe Breach Impacted At Least 38 Million Users—Krebs on Security. Retrieved from http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
Krebs, B. (2014a, March 4). Thieves Jam Up Smucker’s, Card Processor. Retrieved from http://krebsonsecurity.com/2014/03/thieves-jam-up-smuckers-card-processor/
Krebs, B. (2014b, March 17). The Long Tail of ColdFusion Fail. Retrieved from http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
Krebs, B. (2015, March 12). Adobe Flash Player — Krebs on Security. Retrieved from http://krebsonsecurity.com/tag/adobe-flash-player/
Leurs, L. (2013, August 9). The History of PDF. Retrieved from http://www.prepressure.com/pdf/basics/history
Levin, A. (2014, February 13). Why the Adobe Hack Scares Me—And Why It Should Scare You. Retrieved from http://www.huffingtonpost.com/adam-levin/why-the-adobe-hack-scares_b_4277064.html
Lightstream. (2008, August 7). VIRUS WARNING—CNN top ten news stories serving up a trojan. Retrieved from http://freedomcrowsnest.wizardofthenorth.ca/viewtopic.php?f=1&t=73461
List of Adobe software. (2015, April 12). In Wikipedia, the free encyclopedia. Retrieved from https://en.wikipedia.org/w/index.php?title=List_of_Adobe_software&oldid=656098746
Macharyas, J. (2015, March 8). Forensics of Adobe Software. Retrieved from http://www.macharyas.com/2015/03/forensics-of-adobe-software/
Madrigal, A. C. (2012, April 3). Flash and the PDF: Computing’s Last Great and Now Endangered Monopolies. The Atlantic. Retrieved from http://www.theatlantic.com/technology/archive/2012/04/flash-and-the-pdfcomputings-last-great-and-now-endangered-monopolies/255403/
Mastroeni, T. (2015, January 12). Student Fires Back After Yearbook Company Completely Alters Her Face With Photoshop. Retrieved from http://www.pixable.com/article/yearbook-company-high-school-photoshop-70805/?utm_medium=partner&utm_source=facebook&utm_campaign=pixsesocial&ts_pid=2
McGladrey LLP. (2011). A New PDF Standard (Case Study) (p. 4). Minneapolis, Minnesota. Retrieved from http://www.adobe.com/showcase/casestudies/mcgladreydyn/casestudy.pdf
Meyer, G., & Massoudi, A. (2012, July 13). Wasendorf suicide note details fraud. Financial Times. Retrieved from http://www.ft.com/cms/s/0/a4e46d74-cd16-11e1-92c1-00144feabdc0.html#axzz3dtpOyisl
M, I. (2010, July). The Evolution of Adobe Flash: From 1996 to 2010. Retrieved from http://www.pxleyes.com/blog/2010/07/evolution-of-flashfrom-1996-to-2010/
Millsaps, B. (2015, April 17). Photoshop CC: Adobe Announces 3D Enhancements & Tools, Exemplified by 3D Printed Artworks of Veraart & Stewart. Retrieved from http://3dprint.com/59018/photoshop-3d-enhancements/
Mimoso, M. (2015, June 9). Adobe Patches 13 Vulnerabilities in Flash Player. Retrieved from https://threatpost.com/adobe-patches-13-vulnerabilities-in-flash-player/113222
Minnick, C., & Tittel, E. (2014, April 30). How Adobe Is Moving on From Flash to Embrace HTML5. Retrieved from http://www.cio.com/article/2376661/internet/how-adobe-is-moving-on-from-flash-to-embracehtml5.html
Morra, S. (2013). Confirming the Integrity and Utility of Open Source Forensic Tools (UMI Number: 1549835) (pp. 32–33). Utica, New York: Utica College. Retrieved from http://search.proquest.com.ezproxy.utica.edu/pqdtlocal1008803/docview/1491381111/B0656A957BC345CAPQ/1?accountid=28902
Morrissey, M. (2011, October 24). Metadata: A Backdoor Into Multi-State Information Sharing & Analysis Center. Retrieved from https://msisac.cisecurity.org/resources/reports/documents/metadataadvisory.pdf
Nerseus. (2011, February 6). IMVU—View topic—What is Vertex Colors and should I use it? Retrieved from http://www.imvu.com/catalog/modules.php?op=modload&name=phpbb2&file=viewtopic.php&t=363860
New Survey Shows U.S. Small Business Owners Not Concerned About Cybersecurity; Majority Have No Policies or Contingency Plans. (2012, October 15). Retrieved from http://www.symantec.com/about/news/release/article.jsp?prid=20121015_01
O’Gorman, G., & McDonald, G. (2012). The Elderwood Project. Mountain View, California. Retrieved from https://www.info-point-security.com/sites/default/files/the-elderwood-project.pdf
Omansky, J. (2015). Adobe Flash: Zero Day Vulnerabilities. Retrieved from https://youtu.be/N3_kBqTIc7M
Özkan, S. (n.d.). Microsoft » Word: Vulnerability Statistics. Retrieved from http://www.cvedetails.com/product/529/Microsoft-Word.html?vendor_id=26
Özkan, S. (2015, May 13). Adobe » Flash Player: Security Vulnerabilities. Retrieved from http://www.cvedetails.com/cve/CVE-2015-3093/
Photo Forensics: Detect Photoshop Manipulation with Error Level Analysis. (2013, October 25). Retrieved from http://resources.infosecinstitute.com/error-level-analysis-detect-image-manipulation/
Pierini, D. (2015, February 25). Day in the Life mastermind on 25 years of Adobe Photoshop. Retrieved from http://www.cultofmac.com/313469/day-life-series-mastermind-reflects-25-years-photoshop/
Perhiniak, M. (2012, April 11). How Do I Use Photoshop and InDesign Together?—Tuts+ Design & Illustration Tutorial. Retrieved from http://design.tutsplus.com/tutorials/how-do-i-use-photoshop-and-indesign-together-psd-16039
Poulsen, B. (2012, July 31). Being Amused by Apophenia. Retrieved from http://www.psychologytoday.com/blog/reality-play/201207/being-amused-apophenia
Powell, B. (2011, December 21). Rep. Posey’s Interview With “Proud Birther” Victoria Jackson. Retrieved from http://politicalcorrection.org/blog/201112210008
Rick. (2014, May 14). The Rise of Programmatic and the Death of Flash. Retrieved from http://current360.com/play/rise-programmatic-death-flash/
Saletan, W. (2010, May 24). The Ministry of Truth. Slate. Retrieved from http://www.slate.com/articles/health_and_science/the_memory_doctor/2010/05/the_ministry_of_truth.html
Scan a paper document to PDF. (n.d.). Retrieved from http://help.adobe.com/en_US/acrobat/X/standard/using/WS58a04a822e3e50102bd615109794195ff-7f71.w.html
Schonfeld, E. (2010, February 2). Adobe CTO Kevin Lynch Defends Flash, Warns HTML5 Will Throw The Web “Back To The Dark Ages Of Video.” Retrieved from http://social.techcrunch.com/2010/02/02/adobe-cto-kevin-lynch-defends-flash/
Security Updates Available for Adobe Flash Player. (2015, June 23). Adobe Systems, Incorporated. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
Segura, J. (2013, February 4). Digital certificates and malware: a dangerous mix. Retrieved from https://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/
Shankland, S. (2012, May 11). Adobe launches Creative Cloud subscription service. Retrieved from http://www.cnet.com/news/adobe-launches-creative-cloud-subscription-service/
Shaw, R. (2013, November 20). Analyzing Malicious PDFs. Retrieved from http://resources.infosecinstitute.com/analyzing-malicious-pdf/
“SNL”s Victoria Jackson falls to incumbents. (2014, August 7). Retrieved from http://www.tennessean.com/story/news/politics/2014/08/07/snls-victoria-jackson-falls-incumbents/13755741/
Soltani, A., Canty, S., Mayo, Q., Thomas, L., & Hoofnagle, C. (2009). Flash Cookies and Privacy (p. 8). Berkeley, California: University of California, Berkeley. Retrieved from http://ssrn.stanford.edu/delivery.php?=7281191260660670640691240660030950220250450040180280591260031261011201241120091160861010201111020450510440851000680990940911120530870470210618001021103105005074064023079083010125117078000105069&EXT=pdf&TYPE=2
StephenJ798. (2013, October 8). re: Hacking The Adobe Breach. InformationWeek Dark Reading. Comment. Retrieved from http://www.darkreading.com/attacks-breaches/hacking-the-adobe-breach/d/d-id/1140620?
Stofer, M. (2015). Unlock PDF [Online]. Berlin, Germany: IM Material. Retrieved from http://smallpdf.com/unlock-pdf
Story, D. (2000, February 18). From Darkroom to Desktop—How Photoshop Came to Light. Retrieved from http://www.storyphoto.com/multimedia/multimedia_photoshop.html
Swanson, A. (n.d.). Company Names as Verbs or Proprietary Eponyms: Do You Use These Brand Terms? Retrieved from http://www.qualitylogoproducts.com/blog/company-names-as-verbs-brand-terms/
SWF Player. (2014). (Version 2.0.0) [Android 2.2 and up]. BIT LABS LLC. Retrieved from https://play.google.com/store/apps/details?id=air.br.com.bitlabs.SWFPlayer&hl=en
SWF to iPhone - How to Play Flash SWF on iPhone 5. (n.d.). Retrieved from http://www.jihosoft.com/flash-tutorials/swf-to-iphone.html
Tam, K. (2011, August 11). Photoshop Won’t Let You Work with Images of Currency? Retrieved from https://fstoppers.com/news/photoshop-wont-let-you-work-images-currency-7291
TinEye Reverse Image Search. (2015, July 3). Retrieved from https://www.tineye.com/
Trautman, E. (2014, April 19). RIP Flash: Why HTML5 Will Finally Take Over Video and Web in 2014. Retrieved May 25, 2015, from http://thenextweb.com/dd/2014/04/19/rip-flash-html5-will-take-video-web-year/
Trends. (n.d.). Retrieved from http://httparchive.org/trends.php?s=Top1000&minlabel=Jan+20+2011&maxlabel=May+15+2015
UTICA.EDU Technology Profiler on. (2015, June 28). Retrieved from http://builtwith.com/utica.edu
Van den Bergh, L. (2013, May 17). Adobe & Law Enforcement: Meet Sr. Solutions Architect John Penn II | PHOTOSHOP.COM BLOG. Retrieved from http://blogs.adobe.com/photoshopdotcom/2013/05/celebratinglaw-enforcement-week-with-adobes-john-penn-ii.html
Veronica Blas Dahir. (n.d.). Retrieved from http://www.unr.edu/research-and-innovation/researcher-resources/veronica-dahir
Vogt, D. (2011, May 22). News Release: Expanded Analysis of Obama’s Certificate of Live Birth - May 22, 2011. Retrieved from https://www.scribd.com/doc/55642721/News-Release-Legal-proof-that-President-Obamas-Certificate-of-Live-Birth-is-a-forgery
Wheeler, C. (2008, July 23). InDesign Forensics: What Your Editor Knows about You. Retrieved from http://www.deke.com/content/indesign-forensics-what-your-editor-knows-about-you
Yegulalp, S. (2014, February 7). Adobe Flash: Insecure, outdated, and here to stay. Retrieved from http://www.infoworld.com/article/2610420/adobe-flash/adobe-flash--insecure--outdated--and-here-to-stay.html
Zhang, M. (2015, May 14). Real or Photoshop: How Well Can You Spot Fake Photos? Retrieved from http://petapixel.com/2015/05/14/real-or-photoshop-how-well-can-you-spot-fake-photos/
Zuckerman, E. (2013, January 29). Review: OpenPuff steganography tool hides confidential data in plain sight. Retrieved from http://www.pcworld.com/article/2026357/review-openpuff-steganography-tool-hides-confidential-data-in-plain-sight.html

Appendices

Adobe publishes a large number of programs and systems and has discontinued many others (“Discontinued products,” 2015). These lists illustrate the large body of tools into which exploits can be introduced, tools that can be used for forensic purposes, and tools that can be used with benign or malicious intent (“Adobe products | Adobe,” 2015).
Appendix A: Current/Supported Adobe products

• Adobe Access
• Acrobat Pro DC
• Acrobat Reader DC
• Acrobat Standard DC
• After Effects CC
• AIR
• Analytics
• Adobe Anywhere
• Audition CC
• Adobe Auditude
• Authorware
• Behance
• Bridge
• Campaign
• Adobe Captivate
• Adobe Connect
• Central Pro Output Server
• ColdFusion
• ColdFusion Enterprise Edition
• ColdFusion Builder
• Color Lava
• Content Server
• Contribute
• CS Live
• Creative Cloud
• Creative Cloud for Enterprise
• Creative Cloud for teams
• Creative Portfolio
• Creative Suite
• Digital Editions
• Digital Publishing Solution
• Director
• Distiller Server
• Adobe Document Cloud
• Adobe Document Cloud for enterprise
• Dreamweaver CC
• Drive
• Eazel
• Edge Animate CC
• Edge Code CC (Preview)
• Edge Inspect CC
• Edge Reflow CC (Preview)
• Edge Web Fonts
• eLearning Suite
• Encore
• Experience Manager
• Export PDF
• Adobe Extension Builder
• Fireworks
• Flash Builder
• Flash Media Live Encoder
• Flash Media Playback
• Flash Player
• Flash Professional CC
• Flash Video Streaming Services
• Flex
• Fonts
• Font Folio
• FrameMaker
• FrameMaker Publishing Server
• FrameMaker XML Author
• HTTP Dynamic Streaming
• Ideas
• Illustrator CC
• InCopy CC
• InDesign CC
• InDesign Server
• Ink & Slide
• JRun
• Kuler
• Adobe LeanPrint
• Lightroom
• Lightroom mobile
• Line
• LiveCycle Enterprise Suite
• Adobe Marketing Cloud
• Media Encoder CC
• Media Optimizer
• Adobe Media Server on Amazon Web Services
• Adobe Media Server Extended
• Adobe Media Server Professional
• Adobe Media Server Standard
• Adobe Muse CC
• Nav
• OnLocation
• Output Designer
• Output Pak for mySAP.com
• Ovation
• PageMaker
• Pass
• Adobe PDF Pack
• Adobe PDF Print Engine
• PhoneGap Build
• Photoshop CC
• Photoshop Elements
• Photoshop Elements & Adobe Premiere Elements
• Photoshop Mix
• Photoshop.com
• Adobe Playpanel
• Adobe PostScript
• Prelude CC
• Adobe Premiere Elements
• Adobe Premiere Express
• Adobe Premiere Pro CC
• Presenter
• Publish
• Revel
• RoboHelp
• RoboHelp Server
• Adobe Scout CC
• SearchCenter+
• Send & Track
• Send for Signature
• Shockwave Player
• Sketch
• Social
• Soundbooth
• SpeedGrade
• Adobe Story Free
• Adobe Story Plus
• Target
• Technical Communication Suite
• Typekit
• Type products
• Voice
• Web Fonts
• Adobe Web Hosting
• Web Output Pak

Appendix B: Discontinued/Unsupported Adobe products

• Acrobat Elements
• Acrobat Elements Server
• Acrobat Messenger
• Adobe Acrobat Basic
• Adobe Form Manager
• Adobe Ideas for Android
• Adobe Media Gateway
• Adobe OnLocation
• Adobe Stock Photos
• Adobe Type Set
• ATM Deluxe
• Authorware
• Collage
• CS Live services
• CS Review
• Creative Mark
• Debut
• Design Collection
• Dimensions
• Dreamweaver Server Extension
• DS Community Edition
• DV Rack
• Flash Paper
• Fontographer
• FreeHand
• GoLive
• Graphics Server
• Homesite Tool
• InContext Editing
• Kuler for Android
• NetAverages
• Ovation
• PageMaker
• PDF Scan
• PhotoDeluxe
• Photoshop Album
• Adobe Premiere LE
• PressReady
• Production Studio Premium
• Production Studio Standard
• Proto
• Rapid e-Learning Collection
• RoboInfo
• RoboPDF
• Secure Content Servers
• Soundbooth
• Streamline
• Studio
• Type on Call
• Ultra
• Video Collection Pro
• Video Collection Standard
• Vlog It!
• Visual Communicator

PageMaker is erroneously listed in the supported programs; however, support for PageMaker was discontinued on August 1, 2011. It also appears in the unsupported program list, which is correct (“Adobe - PageMaker Support Center,” n.d.).

Colophon

This book was reproduced from a Capstone Project on The Malicious and Forensic Uses of Adobe Software, by Jeffrey P. Macharyas, for the Masters of Science Program in Cybersecurity and Computer Forensics at Utica College, Utica, New York.
This report adheres to the American Psychological Association (APA) styles and was originally composed in Microsoft Word 2011, with Times New Roman, 12 point, double-spaced. This edition was created using Adobe InDesign CC 2015 for page layout, Adobe Photoshop CC 2015 for image production and Adobe Acrobat DC for the final PDF document. All work was performed on a 13” Apple MacBook Pro, late 2011 model, with operating system version 10.10.3 Yosemite. References and citations were compiled using the Zotero plug-in for Mozilla Firefox, version 40.0 (beta channel), and resources were searched for using Google. This edition was typeset using Chronicle Display, 11 point, with a leading of 13. Every attempt has been made to provide credit for all sources used in the production of this report.

CAPSTONE PROJECT 2015 • UTICA COLLEGE • JEFFREY P. MACHARYAS

About Jeffrey P. Macharyas

EDUCATION

Utica College | Master of Science in Cybersecurity—Specialization in Computer Forensics | 2015
Rutgers University | Mini-MBA Graduate Certificate—Social Media Marketing | 2012
Florida State University | Bachelor of Science in Communications and Visual Arts—Specialization in Advertising | 1983

PROFESSIONAL PROFILE

Forensic Software: FTK, Wireshark, Internet Evidence Finder, PRTK, RegEdit, Bless
Design Software: Adobe Creative Cloud: InDesign, Photoshop, Illustrator, Dreamweaver, Acrobat Pro, Edge Animate
Operating Systems: Apple OSX: Yosemite, Windows: XP-8.1, Linux: Ubuntu, Security Onion, VMware: 6-7
Online Operations: HTML, CSS, Google Analytics, Twitter Analytics, WordPress
Miscellaneous Programs: Microsoft Office: Word, Excel, PowerPoint. Open Source: Scribus, Inkscape, GIMP. FTP, CRM
Certifications: AccessData Certified Examiner, HubSpot Inbound Marketing, FEMA: Social Media, Nat’l. Infrastructure, Dale Carnegie Institute, Notary Public

COMPUTER FORENSICS PROJECTS/RESEARCH

• Capstone Master’s Thesis: The Malicious and Forensic Uses of Adobe Software
• Open Source Intelligence: Collected data to develop profile of the subject using online and personal interview sources
• Cyberbullying: A unique look at the cyberbullying “industry.” To be included as part of an upcoming encyclopedia
• Linux Forensic Tools: Various projects involving installing and operating computer forensic tools on Linux systems via the use of VMware and Virtual Box, to operate in a secure environment
• Peer Mentor: Worked with Utica College Cybersecurity online students to understand course material and procedures via phone, Skype and Google Hangouts. Recommended to be selected as a teacher’s assistant at Utica College
• Graphics: Redesigned The Moose, a style guide for APA-style compliance to be used by Utica College

PROFESSIONAL EXPERIENCE

Production Manager/Designer | Outdoor Sportsman Group | 2013 – present | Stuart, Florida

Ensure that Florida Sportsman magazine, one of Outdoor Sportsman Group’s 15 titles, is produced correctly and on time. Manage advertising and production for 13 issues per year, as well as media kits, websites, print and web ads. Design and write interactive media kits and forms, advertisements, trade show material and book illustrations. Troubleshoot technical issues. Introduced an innovative “flipbook” concept for newsstand customers, requiring careful planning and diligent coordination with in-house staff and vendors to ensure all necessary specs and production protocols were met. Website designer and developer for the Florida Fish & Wildlife Foundation (floridafishingcampaign.com).

Creative Director/Writer | Contractor | 2003-2014 | Remote

Worked for a diverse set of clientele to produce publications, websites, books, ads, logos, and other marketing material. Applied knowledge of working in different media to produce proper files and maintain schedules and budgets. Selected projects:

• Designer for safeHands Hand Sanitizer. Designed packaging, bottles, social media and website elements. 2012-2014.
• Writer/Art Director for The Pineapple Post newspaper; designed, wrote, researched and edited monthly community newspaper for Ocala and Jensen Beach, Florida. 2012-2014.
• Art Director for The American Spectator. Designed and produced monthly magazine. Redesigned the publication. Designed annual reports, prototype issues, direct mail and books. 2003-2007 & 2012-2014.
• Telephone pole designer for AT&T, field assessments and AutoCAD engineering drawings. Best Quality Award. 2012-2013.
• First Art Director for the USO’s OnPatrol magazine, a start-up publication for America’s armed service members and families. Designed brochures, one-sheets, books, challenge coins, and other marketing material. 2009-2012.

Creative Director/Writer | Today’s Campus magazine | 2007 – 2010 | West Palm Beach, Florida

The Greentree Gazette was the magazine for college business offices. Improved the design and production of the publication and forged a closer relationship with the vendors. To better reflect the audience, re-branded the magazine to Today’s Campus. Designed the logo and redesigned the magazine to give it a more professional appearance. A second publication, Student Loan Buying Guide, was added in 2008. Designed and produced approximately 200 pages per month.

• Initiated and managed the company’s subscription qualification and renewal program, using coverwraps, that generated qualified subscriptions for the first time
• Wrote and produced e-newsletters, email blasts and analyzed results; wrote articles for todayscampus.com
• Managed printers, editors, writers, and freelancers—reduced cost and improved turnaround time

Production Manager | Selling Power magazine | 1997 – 2006 | Fredericksburg, Virginia

Selling Power magazine, a publication for sales professionals, grew from 72 pages per issue to more than 200. Managed the production, distribution and audio content of Selling Power Live—an audio version of the magazine, with circulation of 50,000. Transitioned the product from cassette to CD and created innovative CD inserts for inclusion in the magazine to bolster subscriptions.

• Converted file delivery from PostScript to PDF workflow, decreasing turnaround time and improving quality control
• Conducted press, bindery and shipping checks at printing facilities for press runs of 260,000+ each month
• Discovered savings in mailing and shipping and developed innovative mailing and packaging methods by analyzing USPS regulations and meeting with postal officials
• Designed and analyzed subscription renewal efforts
• Single-handedly created a reprints department—earning the company $60,000+ the first year
• Audio Publisher’s Association’s Best New Audio for Selling Power Live—1998

NON-PROFIT/VOLUNTEER

• Designer/Seminar Speaker | Treasure Coast YMCA | Stuart, Florida | 2011-2015
• Website Designer/Charter Member | Treasure Coast Fencing Academy | Port St. Lucie, Florida | 2008
• Website Designer/Treasurer/Scout Leader/Secretary/Unit Founder | Boy Scouts of America | Orange, Virginia & Port St. Lucie, Florida | 2000-2013
• Website Designer/Board Member | Little League Baseball | Port St. Lucie, Florida | 2009-2010
• Designer/Communications Committee Member | Lake of the Woods Association | Locust Grove, Virginia | 2005-2007
• Website Designer/Teacher’s Helper | Orange Schools | Orange, Virginia | 2004-2007 | Volunteer of the Year-2006

[email protected] | www.Macharyas.com
Pronounced: muh-sha’-riss

“Do I think Photoshop is being used excessively? Yes. I saw Madonna’s Louis Vuitton ad and honestly, at first glance, I thought it was Gwen Stefani’s baby. I find, the fancier the fashion magazine is, the worse the Photoshop. It’s as if they are already so disgusted that a human has to be in the clothes, they can’t stop erasing human features.”

Tina Fey

THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

A Capstone Project Submitted to the Faculty of Utica College • Utica, New York • www.utica.edu
August 2015
in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity

This research examines how certain Adobe programs and files are manipulated for deceptive practices. The most common programs and file types examined are Flash, Photoshop, PDFs and ColdFusion. This research also includes examination of some lesser known, but popular, programs, such as InDesign and Illustrator. The research addresses the following problems and situations:

• How are Adobe programs, primarily Flash, Photoshop, PDFs and ColdFusion, used for forensics and criminal purposes?
• What methods are used to manipulate files for the purposes of misleading people or altering perceptions?
• What are some of the forensic signs of evidentiary tampering and how can authorities use this information to identify threats?

by Jeffrey P. Macharyas