The Malicious and Forensic Uses of Adobe Software


THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE
by Jeffrey P. Macharyas
A Capstone Project Submitted to the Faculty of
Utica College
August 2015
in Partial Fulfillment of the Requirements for the Degree of
Master of Science in Cybersecurity
© Copyright 2015 by Jeffrey P. Macharyas
All Rights Reserved
Abstract
Adobe Systems, Inc. publishes a large number of software applications, cloud
storage, analytic tools and marketing tools that are used worldwide. According to Adobe, 99% of computers have Flash installed and 90% have
Acrobat or Acrobat Reader (for viewing Adobe Portable Document Format files
[PDF]) installed. This is near universal use in the United States, but only 50% of
computers in China and 25% of computers in Russia have PDF readers installed
(Madrigal, 2012). In 2009, approximately 52.6% of targeted attacks used PDF
exploits, compared with 65% in 2010, an increase of 12.4% (Danchev, 2011). Vulnerabilities in PDFs jumped from 11 in 2008 to 39 in 2009 and increased to 68 in
2010, which was closely followed by 66 in 2013. According to Verisign, seven bugs
were reported in 2007 for Adobe Reader, 14 in 2008 and 45 in 2009.
Moreover, Flash threats continue apace and so do Adobe’s attempts to
patch them. Adobe released Flash Player 17.0.0.188 on May 12, 2015 (Linux version 11.2.202.460). In addition to some cosmetic fixes, Adobe included several security fixes, which were categorized as “critical.” Photoshop is used to conceal and
alter images and is also used to investigate images forensically. It has also become
a tool of cyberbullies. The use of technology, such as Photoshop, to doctor images
calls into question the believability of an image as a “document of social communication” (Pierini, 2015). In 2013, a breach was made possible by a vulnerability
in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user” (Gallagher, 2013).
This research focused on the forensic value of some of the Adobe products
as well as the means by which criminals use these products. Keywords: Cybersecurity, Professor Christopher M. Riddell, Adobe, Photoshop, PDF, Adobe Flash,
ColdFusion, InDesign, Steganography.
CAPSTONE PROJECT 2015 • UTICA COLLEGE • JEFFREY P. MACHARYAS iii
Acknowledgements
Thank you to Professor Christopher M. Riddell for the advice and assistance
to make this report a success. A special shout-out goes to David Conway, my
co-worker and editor at Florida Sportsman magazine, who went far beyond
proofreading the words to asking pertinent questions and prodding me to fully explain the points I was making. Thank you Stanley Noneze. Stanley was my online
Cybersecurity classmate and has become a friend of mine. Stanley encouraged me
the entire way and kept me focused and tuned in to the cybersecurity world and I
will be his second reader in Fall 2015. Thank you to Professor Steven Wray Wood
for being my second reader all the way from Germany.
To my wife, Sheila, who pretended to listen to me when I would emerge from the
laundry room and exclaim: “Holy cow! Adobe just updated Flash again!” And to my
sons, Collin and Jack, who introduced me to Zotero, a browser plug-in for creating
citations and references, and for granting me access to his Indian River State College library account to access books I could not find online, respectively.
But, above all, I would like to especially dedicate this report to Kenneth J. “K.J.”
Moran, my brother-in-law, best man, co-worker, fencing instructor, positive influence, and my sister’s husband. K.J. passed away, at only 53 years old, on January 23,
2015. He will be sorely missed.
Table of Contents
List of Illustrative Materials (p. vi)
The Malicious and Forensic Uses of Adobe Software (p. 1)
  Flash (p. 2)
  Photoshop (p. 5)
  Portable Document Format (PDF) (p. 6)
  ColdFusion (p. 6)
Literature Review (p. 8)
  Flash (p. 8)
  Photoshop (p. 11)
  Portable Document Format (PDF) (p. 18)
  ColdFusion (p. 20)
  Adobe Cloud (p. 21)
Discussion of the Findings (p. 23)
  Flash (p. 24)
  Photoshop (p. 37)
  Portable Document Format (PDF) (p. 30)
  ColdFusion (p. 32)
  InDesign (p. 33)
Future Research and Recommendations (p. 34)
References (p. 38)
Appendices (p. 46)
  Appendix A – Current/Supported Adobe Products (p. 46)
  Appendix B – Discontinued/Unsupported Adobe Products (p. 47)
Colophon (p. 47)
List of Illustrative Materials
Figure 1 – Poor Photoshop manipulation found in Victoria’s Secret catalog (p. 11)
Figure 2 – Photo of Situation Room includes Hillary Clinton and Audrey Tomason (p. 12)
Figure 3 – Clinton and Tomason removed from image in Der Tzitung newspaper (p. 12)
Figure 4 – Photoshop creation that looks realistic (p. 13)
Figure 5 – Time’s Photoshopped image compared to Newsweek’s original (p. 13)
Figure 6 – Gilbey’s Gin advertisement showing suspected subliminal images (p. 14)
Figure 7 – Satirical cover of Tiger Beat featuring President Obama (p. 14)
Figure 8 – President Obama’s birth certificate (p. 16)
Figure 9 – ColdFusion’s botnet control panel listing many entries for SecurePay (p. 21)
Figure 10 – Error Level Analysis (ELA) shows image modification (p. 25)
Figure 11 – Metadata from the Gaza photo uploaded to fotoforensics.com (p. 25)
Figure 12 – Gaza mourners photo and ELA representation shows alterations (p. 26)
Figure 13 – Peter Guzil in New York—1997 (p. 27)
Figure 14 – Photoshop-enhanced image of rock formation appears to be a face (p. 27)
Figure 15 – Two-layer image created in Photoshop CC 2014 (p. 27)
Figure 16 – Photoshop image saved as a PDF and opened in Adobe Acrobat Pro XI (p. 28)
Figure 17 – PDF, in Photoshop, retains the layers, which can be turned on and (p. 28)
Figure 18 – Acrobat’s Preflight does not show background image (p. 28)
Figure 19 – Original PDF: Metadata: A Backdoor Into Organizations (p. 29)
Figure 20 – Metadata of PDF viewed using Document Properties Acrobat Pro XI (p. 30)
Figure 21 – Wepawet analyzed PDF and reported it was clean (p. 31)
Figure 22 – Validly signed PDF and altered PDF, filtered through Photoshop (p. 31)
Figure 23 – Metadata shows the PDF Producer for each document is different (p. 31)
Figure 24 – Metadata derived from Adobe InDesign file (p. 33)
Figure 25 – Photoshop used to alter high school yearbook photo (p. 36)
The Malicious and Forensic Uses
of Adobe Software
Cyber threats are a pervasive problem in society and many people invite
them in without realizing that some of the commonly used computer programs and plug-ins are easy conduits for abuse. Flash, Photoshop, PDFs
and ColdFusion are some of the programs used by an unsuspecting society; these programs are developed by Adobe Systems, Inc. Society also does not realize
that criminals use these same programs to victimize them. According to Adobe,
99% of computers have Flash installed and 90% have Acrobat or Acrobat Reader (for viewing Adobe Portable Document Format files [PDF]) installed. This
number is near universal use in the United States, but only 50% of computers in
China and 25% of computers in Russia have PDF readers installed (Madrigal,
2012). Although the installation numbers of Adobe products are lower in some
countries, it is universally natural to share PDF documents via email or downloads, view websites containing Shockwave Flash (SWF) videos or animation,
or look at images that may have been altered with Photoshop. Adobe Flash and
PDFs are common vectors that expose victims to malware, deception and obfuscation without their knowledge.
The purpose of this research was to examine how certain Adobe programs
and files are manipulated for deceptive practices. The most common programs
and file types examined are Flash, Photoshop, PDFs and ColdFusion. This research also includes examination of some lesser known, but popular, programs,
such as InDesign and Illustrator. The research will address the following problems and situations:
• How are Adobe programs, primarily Flash, Photoshop, PDFs and ColdFusion used for forensics and criminal purposes?
• What methods are used to manipulate files for the purposes of misleading
people or altering perceptions?
• What are some of the forensic signs of evidentiary tampering and how can
authorities use this information to identify threats?
Some Adobe files, such as PDF (created from many different Adobe and
non-Adobe programs) and SWF (created with Flash), have been in use since the
1990s and are notorious for abuse. They can, however, provide a wealth of forensic evidence and authorities can use this information to identify threats and
track down the sources.
Adobe programs are typically used for benign purposes, but criminals have
been able to hijack the programs, and the files created by them, to serve their malicious needs. Conversely, forensics analysts and law enforcement are using the
Adobe programs to thwart the criminal threats. Since exploits via Adobe products are so pervasive, efforts need to be stepped up to identify the
threats and for law enforcement and analysts to learn the proper use of the tools
to eradicate them. Symantec’s MessageLab released a report in 2011 that stated:
PDF files outpace the distribution of related malicious attachments
used in targeted attacks, and currently represent the attack vector of
choice, for malicious attackers compared to media, help files, HTMLs
and executable files. PDFs now account for a larger proportion of document file types used as attack vectors. Approximately 52.6% of targeted
attacks used PDF exploits in 2009, compared to 65% in 2010, an increase of 12.4%. (Danchev, 2011)
Adobe has been a large target for criminals for many years. The mid-2000s
were especially bad years for Adobe. In the early part of the century, however,
Microsoft was a large target and it remained so for several years. According to
Verisign, seven bugs were reported in 2007 for Adobe Reader, 14 in 2008 and
45 in 2009. By comparison, bugs found in Microsoft products remained flat or
declined in the same period. Wolfgang Kandek, the chief technology officer of
Qualys said of Adobe Reader in 2009, “It’s a huge focus for attacks now, around
ten times more than Microsoft Office.” As a result of its complex code and its
ubiquitous nature, TippingPoint researcher Pedram Amini says, “It’s a very
good playground for exploitation” (Greenberg, 2009).
Russell Wasendorf, Sr., the owner of Peregrine Financial Group in
Iowa, used Adobe software for exploitation and was sentenced to 50 years
in jail in 2012 for fraudulently reporting brokerage accounts of more than
$200,000,000, when they only amounted to $10,000,000. Wasendorf required that bank statements from US Bank be sent directly to him, unopened.
He would then use a combination of scanners, ink-jet printers, Microsoft Excel and Photoshop to create counterfeit statements before sending them to accounting (Meyer & Massoudi, 2012).
Flash
History is replete with Flash exploits. In 2008, a phishing scheme, perpetrated by hackers, compromised 1,000 websites that served up a fake
Flash Player. Users were duped into clicking a link in an email that purported
to be from the Cable News Network (CNN). The email pretended to show the
Top 10 News Stories of the day and alerted the user that their Flash Player
needed to be updated. This exploit was made more maddening to the victims
by the endless loop created when “cancel” was clicked and returned the user
to the first dialog box and then back and forth again with seemingly no way out
(Lightstream, 2008). Once executed, it would install a program named “Antivirus XP 2008.” The program was used to falsely claim that other viruses were
detected and that the user needed to buy the full version in order to remove
them. It would then install additional code that could be used for criminal intent as well (Harshbarger, 2008).
Flash presents serious privacy concerns. Most websites will enable cookies
to be downloaded to the user’s computer. Cookies are downloaded to the user’s
system to keep track of preferences, clicks, visits, etc. Flash also has the ability
to download its own form of cookies, which operate, and appear, similar to
HTML cookies. In fact, due to the similarity between Flash and website cookies,
it is possible to “backup” website cookies with Flash cookies after the user has
cleared their cookies from their source manually. Even with privacy set to block
cookies, visiting sites and watching videos will download and store Flash cookies. On Windows systems, these cookies are found in %APPDATA%\Macromedia\Flash Player\#SharedObjects (Hofman, 2014). Typical web cookies store
only 4 KB of data, whereas Flash cookies, or “Local Shared Objects,” store 100 KB
of data. Unlike web cookies, LSOs are not visible through the browsers’ cookie
manager (Brinkmann, 2007).
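Because LSOs never appear in the browser’s cookie manager, an examiner has to go to the #SharedObjects directory itself. The following script is an added example, not part of this report or of any Adobe tool: it walks a #SharedObjects tree, checks each .sol file’s fixed header (the layout assumed here comes from public reverse-engineering notes, not Adobe documentation), totals the bytes each domain stored via Flash, and flags domains holding more than the 4 KB an ordinary HTTP cookie could carry. The sample directory, domain names and .sol contents are constructed for the demonstration.

```python
import struct
import tempfile
from pathlib import Path

# Capacities as stated in the text: a typical HTTP cookie holds about 4 KB,
# a Flash Local Shared Object (LSO) holds 100 KB by default.
WEB_COOKIE_LIMIT = 4 * 1024
LSO_LIMIT = 100 * 1024


def parse_sol_header(data: bytes):
    """Parse the fixed header of a Flash .sol file.

    Layout assumed here (public reverse-engineering notes, not Adobe docs):
      00 BF | uint32 BE length of everything after these 6 bytes | "TCSO"
      | 00 04 00 00 00 00 | uint16 BE name length | name | 00 00 00 | AMF version
    Returns (lso_name, amf_version); raises ValueError on a malformed header.
    """
    if len(data) < 22 or data[:2] != b"\x00\xbf":
        raise ValueError("missing 0x00BF magic")
    declared = struct.unpack(">I", data[2:6])[0]
    if data[6:10] != b"TCSO":
        raise ValueError("missing TCSO tag")
    if declared != len(data) - 6:
        raise ValueError("declared length does not match file size")
    name_len = struct.unpack(">H", data[16:18])[0]
    name_end = 18 + name_len
    if len(data) < name_end + 4:
        raise ValueError("truncated name field")
    name = data[18:name_end].decode("utf-8", errors="replace")
    amf_version = data[name_end + 3]
    return name, amf_version


def build_sol(name: str, payload: bytes) -> bytes:
    """Construct a .sol file with the header above and an opaque payload
    (constructed test data only; the payload is not valid AMF)."""
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(name)) + name.encode("utf-8")
            + b"\x00\x00\x00\x00" + payload)
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


def survey_shared_objects(root: str) -> dict:
    """Walk a #SharedObjects tree laid out as <random id>/<domain>/.../<name>.sol
    and total the bytes each domain stored via Flash."""
    report = {}
    root_path = Path(root)
    for sol in root_path.rglob("*.sol"):
        parts = sol.relative_to(root_path).parts
        if len(parts) < 3:
            continue  # not under <random id>/<domain>/
        domain = parts[1]
        entry = report.setdefault(
            domain, {"bytes": 0, "files": 0, "names": [], "corrupt": 0})
        entry["bytes"] += sol.stat().st_size
        entry["files"] += 1
        try:
            name, _version = parse_sol_header(sol.read_bytes())
            entry["names"].append(name)
        except ValueError:
            entry["corrupt"] += 1  # worth a manual look: not a well-formed LSO
    return report


def flagged_domains(report: dict) -> list:
    """Domains holding more Flash data than an HTTP cookie could carry: the site
    is keeping state that the browser's cookie manager never shows."""
    return sorted(d for d, e in report.items() if e["bytes"] > WEB_COOKIE_LIMIT)


def build_sample_tree() -> str:
    """Create a constructed #SharedObjects directory under a temp location."""
    root = Path(tempfile.mkdtemp()) / "#SharedObjects"
    rid = "ABCD1234"  # Flash uses a random directory name here; this one is made up
    samples = {
        ("tracker.example", "uid.sol"): build_sol("uid", b"\x00" * (12 * 1024)),
        ("video.example", "player.sol"): build_sol("player", b"\x00" * 800),
        ("broken.example", "junk.sol"): b"not a shared object",
    }
    for (domain, fname), data in samples.items():
        path = root / rid / domain / fname
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    report = survey_shared_objects(build_sample_tree())
    for domain, e in sorted(report.items()):
        print(f"{domain:20} {e['files']} file(s) {e['bytes']:7d} bytes "
              f"names={e['names']} corrupt={e['corrupt']}")
    print("exceeds HTTP cookie capacity:", flagged_domains(report))
```

On a real system, point `survey_shared_objects` at the expanded %APPDATA%\Macromedia\Flash Player\#SharedObjects path instead of the constructed tree.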
Companies claim that they do not collect personal data, only aggregated
data over time and that this data can then be used to create profiles. Several
class-action lawsuits have been filed alleging that Flash cookies were collecting
data against the claimants’ wishes. One claimant, Sandra Person Burns, of Jackson, Mississippi, states:
I thought that in all the instructions that I followed to purge my
system of cookies, I thought I had done that, and I discovered I had
not. My information is now being bartered like a product without my
knowledge or understanding. (Vega, 2010)
Part of the problem is simply the public’s lack of awareness that such a thing
exists. Emmy Huang, of Adobe, freely stated to the New York Times in 2009:
“It is accurate to say that the privacy settings people make with regards to their
browser activities are not immediately reflected in Flash Player” (Soltani, Canty,
Mayo, Thomas, & Hoofnagle, 2009).
Adobe Flash is a favorite vector of attack due to its wide use. This is compounded by the fact that many people are negligent in managing their patches
and upgrades, making Adobe Flash ripe for mayhem (Krebs, 2015). Flash’s demise has been predicted for some time, but it still maintains popularity as a web
player. Even though YouTube is transitioning to HTML5, it uses Flash as a
fallback for video playback. Google Chrome will default to HTML5, but other
browsers, such as Firefox, will default to Flash (Yegulalp, 2014).
The number of websites that include Flash components has been declining
steadily. From January 2011 to May 2015, the top 1,000 sites’ inclusion of Flash
has fallen from 50% to 34% (“Trends,” n.d.). Due in large part to the burgeoning mobile market, Flash will see its numbers continue to dwindle as more and
more ads are converted from Flash to HTML5. Greater mobile device usage,
without Flash, will eventually drive it out of use (Trautman, 2014).
Flash usage on mobile devices is not increasing. On August 16, 2012, Adobe
removed Flash Player from Google Play for Android devices. Android was the
phone of choice over Apple’s iPhone, in part, because Flash was available for it.
Adobe offered updates until September 2013 and it was not available for Android version 4.1 (Jelly Bean) or newer because it would, according to Adobe,
“exhibit unpredictable behavior.” Apple’s primary objection to Flash was that it
was a mouse-and-point program and did not lend itself to the touch-and-drag
environment of mobile devices. Additionally, Flash is a drain on mobile device
batteries and did pose significant security risks (Duncan, 2012).
Another drawback of Flash is that its code is a “closed container,” which
makes it a dead end for Search Engine Optimization (SEO). When spiders and
bots index websites and encounter Flash objects, they’re viewed as empty boxes.
The Flash objects cannot be indexed and are useless for SEO (Rick, 2014).
HTML5, on the other hand, is coded more like a webpage with searchable
tags that can be embedded. Search engines can find and index these, making
it much more search-friendly, especially when searching for a particular bit of
content within a video (Trautman, 2014). Although Apple CEO Steve Jobs stated as far back as 2010 that Flash would be “no longer necessary,” it has been used
since 1996 and has been installed and continues to be used by millions of people
and it will continue to be a potential threat for years to come (M, 2010).
Flash threats continue at a quick pace and so does Adobe’s attempts to patch
them as they arise. Adobe released Flash Player 17.0.0.188 on May 12, 2015 (Linux version 11.2.202.460). In addition to some cosmetic fixes, Adobe included
several security fixes, which were categorized as “critical.” A “critical” rating
is: “A vulnerability, which, if exploited would allow malicious native-code to
execute, potentially without a user being aware” (Campbell, 2015). Moreover,
MITRE Corporation’s CVE Details website assigns this vulnerability its highest score of 10 because it can cause “Denial of Service Execute Code Overflow
Memory Corruption” (CVE-2015-3090) and has 472 (as of June 2015) vulnerabilities to its credit. 2015 is on track to be the worst year for Flash exploits,
trumping other years in the number of vulnerabilities with 94 so far. This number of exploits surpasses 2014’s record of 76, and, as of this writing, only half the
year is over (Özkan, 2015).
Adobe released another update to fix 13 new vulnerabilities on June 9, 2015.
Version 18.0.0.160 fixed bugs that were not publicly exploited. These vulnerabilities could expose users of Flash Player to remote attacks that could allow
hackers to access to the underlying system as well (Mimiso, 2015).
Two weeks later, on June 23, 2015, Adobe released another Flash update
to address security concerns. This exploit targets Internet Explorer running on
Windows 7 systems and below and older Firefox installations running on Windows XP. This update was version 18.0.0.194, released for Windows, Linux and
Macintosh users (“Security Updates Available for Adobe Flash Player,” 2015).
On July 14, 2015, Adobe discontinued inclusion of Flash in Acrobat XI
and Reader XI, with the release of version 11.0.12. Adobe’s Known Issues release explains:
Acrobat and Reader no longer include Flash Player. Flash Player is necessary for Acrobat and Reader to display SWF files and Portfolio content in PDFs. If your system doesn’t have Flash Player, and you want to
display SWF files and Portfolio content contained in PDFs, install Flash
Player. If you open a PDF that requires Flash, a dialog prompts you to
download and install the latest Flash player. (“Known issues,” 2015)
Photoshop
Photoshop, Adobe’s popular photo-editing program, has been in use since
the 1980s, when it was first developed in the basement of Ann Arbor,
Michigan college professor Glenn Knoll. In February 1990, Photoshop 1.0
was launched and changed the digital image landscape forever (Story, 2000).
Photoshop is unique among Adobe programs, as it is a useful tool for criminals
as well as for forensic analysts and law enforcement agents who can use it to
track criminals and collect evidence. Photographic evidence is increasing in
volume and complexity with the explosion of low-cost digital cameras, tablets,
smartphones and other devices capable of containing a camera. This adds to
the complexity of authenticating evidence in law cases. Lucy Thomson, writing for SciTech Lawyer explains how this technological advancement can be
used for criminal intent and obfuscation:
Were the records altered, manipulated, or damaged after they were created? Changes to photographs and videos can be made using Photoshop
or graphic design programs, while hackers can alter websites, change
databases, and other electronic media. Often they cover their tracks by
changing audit log records. (Thomson, 2013)
Because of the ubiquity and complexity of digital fraud, trained analysts are
in demand. There are many resources available to train them in Photoshop’s forensic uses. The City of St. Paul, Minnesota posted a job opening for a Forensics
Analyst. This position required Photoshop skills and other forensic skills for the
Forensics Analyst position. The posting read, in part: “Utilizes Photoshop, Automated Fingerprint Identification Systems, lasers, cameras, analytical balances, and various chemical and physical latent print development techniques to
develop and compare latent prints (Haugech, 2015).” Adobe’s Senior Solutions
Architect, John Penn II explains Photoshop’s use in law enforcement:
Sometimes, the critical clues are locked away behind sensor noise,
poor lighting, blurry images or are in minute and hard to see details.
Photoshop is a powerful tool in the hands of trained law enforcement,
which can assist them in getting crucial information from digital media. (van den Bergh, 2013)
Photoshop can be used to conceal or alter images and can be used to investigate images forensically. Photoshop is easy to learn for altering and investigating
images. Fred Ritchin, founding director of the Documentary Photography and
Photojournalism Program at the International Center for Photography in New
York City, warned that the use of technology, such as Photoshop, to
doctor images calls into question the believability of an image as a “document of
social communication” (Pierini, 2015).
Photographs are two-dimensional representations of a three-dimensional
world. When examiners analyze a 2D image, specialized skills are needed to
extract information that can only be seen from a 3D perspective. It is important that forensic analysts can convert a 2D depiction into a 3D perspective. For
example, a car is parked at the scene of a crime. The image is viewed from the
broadside of the car and shows the license plate, but the license plate cannot be
read clearly. Photoshop’s filters can be used to “rotate” the scene to make the
license plate readable. Photoshop has filters and plug-ins that allow examiners
to enhance 2D images to show enough 3D detail and obtain the information desired. Photoshop’s “Vanishing Point” filter, for example, can be used to enhance
2D images enough to extract 3D perspectives from it (Farid, 2011).
Portable Document Format (PDF)
PDF files are as common as JPG images. It would be nearly impossible for
anyone not to encounter a PDF file in the regular course of using a computer.
Adobe founder John Warnock wrote about the promise of PDFs:
Imagine being able to send full text and graphics documents (newspapers, magazine articles, etc.) over electronic mail distribution networks.
These documents could be viewed on any machine and any selected document could be printed locally. This capability would truly change the
way information is managed. (Leurs, 2013)
Warnock’s comment was prescient. PDFs have changed the way information is managed. They have also increased the methods and frequency by which information is mismanaged. PDFs are one of the most common vectors of remote
exploitation. Victims can easily be sent PDFs in socially engineered emails, links
to PDFs attached to websites, and drive-by exploitation by adding malicious
PDFs to victim-visited websites (“Current PDF Threats,” 2014).
Vulnerabilities in PDFs jumped from 11 in 2008 to 39 in 2009 and increased
to 68 in 2010, which was closely followed by 66 in 2013. For comparison, the
popular Microsoft Word had three in 2008, one in 2009, 16 in 2010 and 17 in
2013 (Özkan, n.d.).
ColdFusion
ColdFusion is an Adobe program that is used for web development. It was
developed in 1995 but is still widely used today. ColdFusion’s appeal is
that it handles database management well and its coding language is familiar to web developers. ColdFusion allows developers to create large, enterprise-class applications. ColdFusion has been a target of hacks in the past. In
2013, a breach was made possible by a vulnerability in ColdFusion that Adobe
claimed could “be exploited to impersonate an authenticated user.” One of
the hackers reported directly that Linode (a New Jersey-based virtual private
server provider), a victimized company, had been hacked weeks before the discovery. This leads to the question whether there were many more, undetected,
hacks (Gallagher, 2013).
Threats introduced through ColdFusion can have a negative effect on
many people. Large corporate sites are built with ColdFusion framework and
are used to collect personal data and financial information as a natural course
of their Internet e-commerce systems. From 2013 to 2014, a hacking gang
used Adobe ColdFusion vulnerabilities to build a botnet from e-commerce
sites that were used to extract and collect customer credit card data. Several
large companies were affected, including Smucker’s, SecurePay, and Minnesota-based Elightbulbs.com, which was notified of the breach by its credit card processor, Heartland Payment Systems, itself a target of a large
breach in 2009 (Krebs, 2014b).
Literature Review
For more than 30 years, Adobe Systems, Incorporated, has been producing
software that is used by graphic designers, photographers, videographers,
sound editors, writers, architects, marketers, web developers and just about
every profession in the world. Former Xerox Palo Alto Research Center (PARC)
employees John Warnock and Charles Geschke founded Adobe Systems, Inc., in
1982. The pair worked at the graphics and imaging lab and developed a system
that renders type, lines and graphics on paper as it appears on a computer monitor.
Dissatisfied with Xerox’s lack of interest in their project, PostScript, they left the
company to create Adobe Systems, which led to a revolution in electronic publishing and web development (“Adobe Systems Inc - Early History,” n.d.).
Adobe increased the usefulness of PostScript by developing a system to distribute documents similar in fashion to a fax, but with higher quality. In 1991,
John Warnock released a proposal for “The Camelot Project” which was the
precursor of the PDF. The goal of the Camelot Project was to develop a method
to exchange visual communications between a wide variety of computers, operating systems and networks (Gitelman, 2014).
Adobe products have become so ubiquitous that proprietary eponyms have
been derived from them: “Photoshop the image” to mean altering an image or
“PDF it and send it to me” meaning to create a PDF from any number of programs (Swanson, n.d.).
Flash
Adobe software vulnerabilities have a large impact on society due to the
widespread use of the company’s products. Symantec’s director of security response operations, Jonathan Omansky, says in his YouTube video, Adobe
Flash: Zero Day Vulnerabilities:
Flash, as we know, is one of the most widely installed software applications in the world on different browsers in both Windows and Macs. This
makes the number of exploitable software browser platform combinations significantly higher than other vulnerabilities. (Omansky, 2015)
Hackers make use of Flash’s SWF files as re-usable delivery systems. The
SWF file format is used to target the correct area of memory on the computer
and specifies the parameters for delivering the Trojans. Some of these attacks
used the name “Elderwood.” Using a common SWF file, the hackers can then
deploy a new trigger and the SWF guides the hack. These attacks can include
creation of email accounts, registration of domain names, information gathering, and stolen information analysis (O’Gorman & McDonald, 2012).
Flash exploits are so common and insidious that they are traded online
amongst hackers. For a subscription fee, hackers can buy a “weaponized exploit”
that can be plugged into websites of their choosing. In 2015, Flash was used to
deliver malware through advertising on popular websites, such as theblaze.com,
nydailynews.com and dailymotion.com. The attacks target Windows users using
Internet Explorer and Firefox. In the case of radio personality Glenn Beck’s #2
ranked political site, theblaze.com, malware was introduced via a Flash ad that
redirected victims to a Polish recipe site which then was used to redirect advertising revenue directly to the botnet’s author.
The use of advertising to introduce malware in this fashion is referred to as
“malvertising.” This particular exploit went by the names “kazy” and “kryptik”
(Belcher, 2014). The underlying threats are present in Mac and Linux versions
as well. Google Chrome offers added protection due to its embedded security
sandbox (Brodkin, 2011). Safari users can install the third-party plug-in, ClickToFlash, which prevents Flash from activating until authorized by the user to do
so. Enabling automatic updates for Flash will keep up with the bug fixes when
released (Cole, 2015). In July 2015, Alex Stamos, Facebook’s security chief,
asked Adobe to discontinue Flash once and for all. “It is time for Adobe to announce the end-of-life date for Flash,” Stamos tweeted.
Quickly following Stamos’ plea, Mark Schmidt, Mozilla’s support chief,
tweeted that Flash will no longer be turned on in all versions of Firefox. Firefox
users will now have to use another browser if they want Flash enabled. Schmidt
did leave the door open for a return of Flash to Firefox, by stating, “To be clear,
Flash is only blocked until Adobe releases a version which isn’t being actively
exploited by publicly known vulnerabilities” (Goldman, 2015).
System76, a Colorado-based manufacturer of Ubuntu (Linux)-based desktop
and laptop computers, announced on its blog on July 14, 2015, that it will no longer ship systems with Flash pre-installed. It also recommends that its
existing customers purge Flash from their systems by issuing the following via the
Command Line Interface: “sudo apt-get purge flashplugin-installer.” It cites
two reasons for doing this: First, Flash isn’t really needed to enjoy “the full web experience,” and secondly, “security, security, security.” It also recommends that
customers wanting to continue using Flash do so with Chrome (Derose, 2015).
Due to the rapid succession of Flash exploits and patches, a certain “Flash
fatigue” has set in. There is evidence that hackers may be using Flash exploits to
deliver crypto-ransomware as well. The threats have become so persistent that
the best course of action for the public may be to disable Flash altogether (Goodin, 2015). Between May and June 2015, Adobe had issued three new updates,
with two of them coming within two weeks of each other.
Even after all of Flash’s vulnerabilities and the late Steve Jobs’ decision to
exclude Flash from Apple’s mobile devices, Adobe defended its product and
railed against its alternative: HTML5. In 2010, Adobe’s chief technology officer,
Kevin Lynch, placed the blame on Apple’s obstinacy and predicted an early demise for HTML5. He wrote in his blog:
Adobe supports HTML and its evolution and we look forward to adding more capabilities to our software around HTML as it evolves. If
HTML could reliably do everything Flash does that would certainly
save us a lot of effort, but that does not appear to be coming to pass.
Even in the case of video, where Flash is enabling over 75% of video
on the Web today, the coming HTML video implementations cannot
agree on a common format across browsers, so users and content creators would be thrown back to the dark ages of video on the Web with
incompatibility issues. (Schonfeld, 2010)
Adobe has come to accept that HTML5 will eclipse Flash as the de facto
video player. Adobe has been addressing shortcomings in HTML5 to stay relevant in the mobile market. Adobe hosted worldwide “hackathons” to recruit
and train web developers to improve on HTML5. Adobe has added HTML5
capability to Flash Professional and has developed its own HTML5 rendering
program, Edge Animate. Edge Animate has a What-You-See-Is-What-You-Get (WYSIWYG) interface, support for audio, video, responsiveness, and
key-frames without the need for plug-ins. With 99% of desktop browsers using
Flash, Flash will be in use for some time, but Adobe has joined the HTML5
transition and has become one of its biggest supporters. With HTML5 “baked
into” browsers, users will no longer have to download a separate plug-in, and
as in the case with Flash, update it constantly to plug the frequent vulnerabilities that come with it (Minnick & Tittel, 2014).
Due in part to its long lifespan, Flash continues to be a carrier of threats. McAfee Labs, a division of Intel Security, released a report in May 2015 that showed the
increasing threats due to Flash. In the first quarter of 2015, 42 new vulnerabilities
were found, up from 28 in Quarter 4 of 2014. This is the highest number of vulnerabilities reported in a quarter for Flash. The report points out that the increase in
Flash vulnerabilities is due, in part, to “a steep increase in mobile devices that can
play SWF files” (Beeck, Matrosov, Paget, Peterson, Pradeep, Schmugar, Simon,
Sommer, Sun, Surgihalli, Walter, Wosotowsky, 2015).
Exploits will continue as long as consumers and corporations fail to agree
on standards of operation, update their software and systems, and learn about
the threats and how to mitigate them. Complacency is a contributing factor
that allows these exploits to continue. People take risks without taking simple
precautions to avoid damage to themselves and their property. Complacency is so entrenched that some security teams do not even know, nor care, if
they’ve been breached (“Cybersecurity complacency a leading cause,” 2014).
A 2012 study conducted by Symantec stated that 83% of US companies have
no formal cybersecurity plan (“New Survey Shows U.S. Small Business Owners Not Concerned,” 2012).
Although Flash, and plug-ins in general, are being phased out, many
people will remain at risk due to their complacency and lack of knowledge
concerning upgrades. There are updates foisted upon the general computer
user constantly and many of these are ignored simply because people have no
idea what they are or how to run them. The large variety of operating systems,
versions, browsers, plug-ins, add-ons and extensions creates a dizzying array of computer maintenance demands. There are so many options available
that “calling the kid from down the street” to come fix a computer can be an
increasingly daunting task that can result in more damage than it fixes. Chris
Hoffman, writing for How-To Geek in 2014 explains it thus:
The Flash plug-in will be with us for a while longer, as it is still in such
wide use, but all other plug-ins are on the brink of irrelevance. Even
Flash is becoming less and less relevant thanks to mobile platforms
without Flash support. This is fine by most plug-in developers—Adobe has developed tools that export to HTML5 instead of Flash, Oracle
probably wants the extremely insecure Java plug-in to go away and stop
sullying their security record, and Microsoft is no longer interested in
pushing Silverlight as a competitor to Flash. (Hoffman, 2014)
Photoshop
The public can be oblivious as well as complacent. Figure 1 shows a manipulated photo from Victoria’s Secret
that was produced poorly. It is apparent
that the model is holding a handbag of
some sort in her right hand, but the digital
editor neglected to remove the straps. The
tile on the floor behind where the bag was
removed was also drawn back in poorly,
and does not match the rest of the floor.
Without having the original to compare it
to, the general public would not be able to
detect the alterations without closely examining the image or without having any
forensic abilities (Krawetz, 2009).
Figure 1. Poor Photoshop manipulation found in a Victoria’s Secret catalog.
Alterations are more apparent if there is an original image to use for comparison. During the raid on Osama bin Laden’s compound in 2011, members of President Barack Obama’s national security team monitored the raid in real time from the Situation Room in the White House. Present were Secretary
of State Hillary Clinton and Counterterrorism Director Audrey Tomason,
the only two women in the room (see Figure 2). The image was published in
newspapers and on websites worldwide with those two women clearly in the
scene. However, due to its Orthodox Jewish religious beliefs, the Brooklyn,
New York-based Hasidic newspaper, Der Tzitung, Photoshopped out the two
female officials from the image (see Figure 3). By altering the photo, the newspaper violated the terms of use issued by the White House that accompanied
the image on the photo-sharing site, Flickr. This was an example of Photoshop
being used to alter reality to make the image fit into a group’s strict constraints.
The newspaper defended its action in an email by stating:
In accord with our religious beliefs, we do not publish photos of women,
which in no way relegates them to a lower status... Because of laws of
modesty, we are not allowed to publish pictures of women, and we regret if this gives an impression of being disparaging to women, which is
certainly never our intention. We apologize if this was seen as offensive.
(“Hasidic Newspaper Photoshops Hillary Clinton,” 2011)
Technical skills and the software improvements have reached a point where it becomes almost impossible for people to distinguish the frauds created from reality. To illustrate this fact, Adobe published a tribute online to Photoshop by displaying images, some of which were real and others that were Photoshop creations. The website visitors were given the opportunity to determine whether the image was real or a Photoshop creation. It can be difficult, or even impossible, to determine whether a photo is real or altered just by looking at it. Often, the skills of the photo-manipulator are good enough to create realistic alterations. These could include techniques such as shadow realignment, foreground-background perspectives, color balances, and other subtleties. These techniques are difficult to detect by casual observation. Photos can be altered by adding elements from other photos or by enlarging or reducing elements of a photo to change perspective. Figure 4 shows an example of Adobe’s Photoshopped images in which a raw steak has been enlarged to create the illusion that the girl is about to eat an enormous slab of uncooked meat (Zhang, 2015).
Figure 2. Secretary Clinton and Director Tomason appear in the original photo.
Figure 3. Secretary Clinton and Director Tomason removed from the image used in Der Tzitung.
Manipulated images were thought to be an effective method to sell products through subliminal messages. “Subliminal Advertising” was a term developed by researcher James McDonald Vicary. He conducted experiments that purported to prove that movie theatres that flashed messages such as “eat popcorn” or “drink Coca-Cola” would increase sales of their products. The results were astounding and led the Federal Communications Commission to ban “subliminal advertising” in 1974.
Figure 4. Photoshop creation that looks realistic.
The Central Intelligence Agency (CIA) was prompted by the “results” to write The Operational Potential of Subliminal Perception and to write their own plans to use subliminal messaging. When confronted with the results and asked to support them, Vicary admitted that he had falsified the data. “Subliminal advertising,” whether or not it existed, had no effect on buyers (Harley, n.d.). The CIA report states its perception of subliminal messaging:
The desire here is not to keep him unaware of what he is doing, but rather
to keep him unaware of why he is doing it, by masking the external cue or
message with subliminal presentation and so stimulating an unrecognized motive. (Gafford, 1958)
On June 27, 1994, Time and Newsweek ran O.J. Simpson’s mug shot on their respective covers (see Figure 5). Newsweek ran the photo as submitted. Time, however, used Photoshop to alter the image to make Simpson appear darker, and thus, more sinister. The graphic designer was instructed to make the image more “artful and compelling.” Time’s managing editor, James R. Gaines, regretted altering the photo after the backlash and the newsstand version of the magazine was pulled from shelves and replaced with the unaltered version of Simpson’s mug shot. The subscriber version was mailed to subscribers with the darker image, making those copies collector’s items (Arogundade, n.d.).
Figure 5. Time’s Photoshopped image compared to Newsweek’s original.
Wilson Bryan Key built upon Vicary’s suppositions in his 1974 book on the subject of image manipulation, Subliminal Seduction. Key purported to see images embedded in marketing and advertising that were of a sexual, violent or occult nature. Key’s opinion was that these images were placed there on purpose. Many people were convinced that Key was correct, but there were many who were not.
Key presented a lecture on subliminal advertising at Florida State University in 1982. His evidence failed to convince many in the audience and led some to walk out. One of Key’s examples was a 1971 advertisement for Gilbey’s Gin (see Figure 6). The ice cubes in the glass are arranged so that the letters “S-E-X” are seemingly formed from the cubes.
Figure 6. Gilbey’s Gin ad showing suspected subliminal images.
Key further describes the scene:
The melting ice on the bottle cap could
symbolize seminal fluid—the origin of life.
The green color suggests peace and tranquility after tension has been released. The
modus operandi of the ad is to sell Gilbey’s
through a subliminal appeal to latent voyeuristic or exhibitionistic tendencies within the unconscious minds of readers. The
Gilbey’s orgy has also appeared on covers
of several other national publications.
(Key, 1974, pp. 5-7)
The technology has advanced a great deal since the 1970s. With cheaper,
personal computers and computer programs such as Photoshop, manipulating
images is much easier. Although people should now be more aware of how easily they can be fooled by manipulated
images, the manipulators get away
with it quite often. False images, just
like false news stories from satirical
sites such as The Onion, have made
fools of people from world leaders
and news organizations down to the
common citizen. The New York Times
was fooled when they accepted an altered, satirical Tiger Beat magazine
cover featuring President Obama,
alongside the Jonas Brothers and Vanessa Hudgens (see Figure 7), in what
The Onion claimed, was an appeal to
tween voters (who are not old enough
to vote). The New York Times ran
a “real” article on it (Fallon, 2012).
Slate conducted an experiment in which they altered four images, took one out of context and mixed them with real images to see how the images affected people’s memories. One image showed President Obama shaking hands with Iranian President Mahmoud Ahmadinejad. The event never took place, but 26% of the respondents reported remembering it when it happened (Saletan, 2010).
Figure 7. Satirical cover of Tiger Beat featuring President Obama.
Cynthia Baron, author of Adobe Photoshop Forensics, explains in her book’s
introduction how easily society is duped:
Although we are now more visually literate and skeptical about “photographic evidence” than our parents or grandparents, we can still be
taken in by a good fake, especially if it’s a fake we want to believe. Perpetrators take advantage of that all-too-human weakness and wreak much
damage before their trick is discovered. (Baron, 2008, p. xiii)
One of the most malicious and common uses of Photoshop is counterfeiting. Photoshop is an ideal tool to use to create or enhance images of banknotes,
identity cards, government forms, legal forms, historical records and other
sensitive material that had been scanned or created digitally. Forensic examiners, with proper tools and training, can detect these types of frauds just as
they did in the Wasendorf case. Adobe, at the behest of the government, added
algorithms to Photoshop, from version CS2 and up, that can detect banknotes.
It displays a dialog box that warns the user “this application does not support
the printing of banknote images.” However, there are workarounds that can be
employed. The user can first open the scanned image in Adobe’s discontinued
image editor, ImageReady, and then import the file into Photoshop. The detection of banknotes is based on an imprint known as the EURion constellation
(or Omron rings). EURion is a pattern of symbols, such as yellow dots, that are
incorporated into banknotes to thwart counterfeiting efforts, via scanning and
Photoshop (Tam, 2011).
In 2011, Photoshop “evidence” was used in an attempt to bring down a sitting president. Douglas Vogt, an expert on scanners and image manipulating
software, claimed that President Obama’s long-form birth certificate was a forgery created with Photoshop and was not an official document proving his “natural birth” in Hawaii. His evidence included “curved type” that “proved” that
information was superimposed onto another document with image-manipulating software (see Figure 8). In his May 22, 2011 criminal complaint, Expanded
Analysis of President Obama’s Certificate of Live Birth, Vogt claims:
I have irrefutably proven that the Certificate of Live Birth that President
Obama presented to the world on April 27, 2011 is a fraudulently created
document put together using the Adobe Photoshop or Illustrator programs and the creation of this forgery of a public document constitutes a
class B felony in Hawaii and multiple violations under U.S. Code section
Title 18, Part 1, Chapter 47, Sec.1028, and therefore an impeachable offense. (Vogt, 2011)
In his complaint, Vogt specifies many examples of fraud and manipulation that support his claim. Focusing on the imaging forensics aspects of his claim, Vogt says that the Certificate of Live Birth (COLB) contains both binary (black-and-white) and gray-scale images in the PDF that was presented by President Obama as proof of his “natural birth.” His assertion is that when documents are scanned, they are scanned as either binary (for text) or gray-scale (for images), but that this one contained both, which is “impossible.” He goes on to claim that the image contained straight and curved type, indicating that the original was scanned while it was still attached to a binder, which caused the paper to bend. The claim that the image was manipulated with Photoshop or Illustrator is easily refuted. Viewing the metadata of the PDF that the White House released, it showed that the PDF creator was “Mac OS X 10.6.7 PDFContext.” This would indicate that the PDF creator was anything but an Adobe product. Moreover, Adobe writes object IDs in numerical order but this PDF document was created with prefix and postfix numbering (Conspiracy, 2011).
Figure 8. President Obama’s birth certificate.
PDFs can contain a variety of images. Vogt’s assertion that the PDF cannot
contain both binary and gray-scale images is refuted by the very nature of how
PDFs use “adaptive compression” or “adaptive optimization.” Adobe’s help
page on scanning paper documents, using a scanner and Photoshop to create
PDFs states:
Apply Adaptive Compression: Divides each page into black-and-white,
gray-scale, and color regions and chooses a representation that preserves appearance while highly compressing each type of content. The
recommended scanning resolutions are 300 dots per inch (dpi) for grayscale and RGB input, or 600 dpi for black-and-white input. (“Scan a
paper document to PDF,” n.d.)
Vogt’s claims against President Obama led to a cottage industry of what became known as “the Birther Movement.” The movement counts among its adherents many well-known celebrities and high-ranking politicians, including real estate mogul and 2016 Republican presidential candidate Donald Trump, Maricopa County, Arizona Sheriff Joe Arpaio, former Saturday Night Live comedian Victoria Jackson, former Colorado Congressman and gubernatorial candidate Bob Beauprez and many others. The movement has its own website, birtherreport.com, as well as some spin-offs, and continues to claim that President Obama is not qualified to be President of the United States because of the “fake” birth certificate and for other reasons.
The movement is extreme in its views and claims that acts of violence have
been committed, which it cites to show how far this perceived fraud has
escalated. Victoria Jackson writes in her blog that the death of Hawaii
Health Director Loretta Fuddy was related to Obama’s “fake” birth certificate
and that she was killed as part of the larger “conspiracy” (Jackson, 2013).
The Birthers believe President Obama was born in Kenya and raised as a
Muslim. A posting by Jackson on the “evils” of Islam had this response from
her fan “ThomasThePaine”: “We need to start killing Muslimes on sight!”
What makes Jackson even more dangerous (in addition to her popularity as a
media star) is that she seeks political power. In 2014, she lost her bid for a seat
on the Williamson County (Tennessee) Commission. Along with Beauprez
(who lost his bid for Colorado governor to incumbent John Hickenlooper), this
would have added two more birthers to the ranks of government (“‘SNL’s Victoria Jackson falls to incumbents,” 2014).
However, Jackson does have a like-minded friend in Congress: Representative Bill Posey (R-FL). Representative Posey introduced HR 1503 in 2009,
a failed attempt at a “Birther Bill” requiring presidential candidates to supply birth certificates, and any other “necessary” documentation upon filing to
run. Jackson conducted an interview with Posey, who supported her claims
about the Photoshopped birth certificate. Jackson was inspired by Posey and
claimed that President Obama’s birth certificate was “the fakest birth certificate” she’s ever seen. The law would have become effective in 2012, the year of
Obama’s re-election (Powell, 2011).
The use of Photoshop has called into question legal precedents. In March
2001, Alfred Swinton was found guilty of the 1991 murder of Carla Terry, in
Hartford, Connecticut. Terry’s body was found in a snow bank, partially clad
and wrapped in a garbage bag. Examiners found what appeared to be teeth bite
marks on her breast. During his trial, the defense argued that the Photoshop evidence presented was “altered” and that the technology’s veracity needed to be
established. New rules, based upon the earlier American Oil v. Valenti case, which adopted the federal rules of procedure for establishing foundation,
led to the Swinton Six characteristics (Crowsey, n.d.).
The Swinton Six characteristics, as defined by the Connecticut Supreme
Court, are:
1. The computer equipment is accepted in the field as standard and competent and was in good working order
2. Qualified computer operators were employed
3. Proper procedures were followed in connection with the input and output of information
4. A reliable software program was utilized
5. The equipment was programmed and operated correctly
6. The exhibit is properly identified as the output in question (Hoerricks, n.d.)
The admission of digitally “enhanced” images has been brought into question in courts of law. For any digital evidence to be deemed worthy, the qualifications and competency of the digital technician must be beyond reproach.
Moreover, the prosecutor and defense attorney must have a high enough level
of expertise to evaluate and present the evidence. In 1994, digitally enhanced
evidence was presented to the court in the case of The United States vs. Mosley.
Maurice Mosley was charged with six counts of bank robbery. An FBI agent testified that he took a still image from the video surveillance tape that recorded
Mosley committing the crime and enhanced it. The agent was then able to detect
a mark on Mosley’s face that matched a mark on his booking photo (Hak, 2003).
Mosley was convicted of bank robbery and appealed his conviction. In his
appeal, Mosley asserted that the government erred in allowing FBI Agent Douglas Goodin’s enhanced photographic evidence. In a Memorandum, the Ninth
Circuit Court ruled:
Goodin, an agent with the Federal Bureau of Investigation, testified that
he had subjected a bank photo of the robbery to digital imaging processing, a procedure that sharpens pictures. He informed the jury that, after
sharpening the photo, he was able to detect a mark on the face of the robber. He then compared this mark with a mark on Mosley’s face, which
was visible in an arrest “booking” photograph, and described their similarities. The district court reasonably concluded that this testimony
would assist the jury. (Appeals & Circuit, 1994)
Photoshop is also a useful tool for law enforcement when examining photographic evidence of a crime scene. Photoshop’s “Vanishing Point” filter can
be used to “rotate” a scene to make objects that are skewed become clearer.
Photographs are two-dimensional facsimiles of reality. It is not possible to
“look around the corner” in a photograph, but it is possible to use Photoshop
to achieve similar results. By using a combination of filters and commands, the
examiner can select an object, such as a license plate or a billboard, apply the
Vanishing Point filter and “rotate” the object into view to make the information on it readable. It may not be possible to achieve this if there is not enough
information to begin with. Contrary to depictions on television, it is unlikely
that a reflection in a pair of glasses will yield enough pixels to “reassemble” the
object in question (Farid, 2011).
Portable Document Format (PDF)
Malware in PDF files has become pervasive. With ease of creating, disseminating and opening PDFs, this document format is ripe for exploitation.
It is very common for a person to receive PDF files via email, sometimes from
known sources and sometimes from seemingly innocuous sources. A mass email
with a malware-infected PDF can be sent to thousands of people in seconds,
with the effects not always realized once the PDF is opened. In the last few years,
PDF attacks have doubled year-after-year (Shaw, 2013).
Malware is commonly introduced into PDFs by JavaScript actions.
These actions are launched when the PDF is opened or printed. There are
many tools available to analyze PDFs, both online and offline (Du, 2013).
PDFiD is one such open source tool for malware analysis and forensic examination. PDFiD examines PDFs to find instances of suspicious strings,
even if the strings are obfuscated. PDFiD reduces large sets of PDF files into
manageable sets, and separates the benign PDFs from the malicious ones.
PDFiD can detect what a PDF file is capable of executing. Moreover, a tool
such as Didier Stevens’ PDFparser can be used to see what the file actually executes (Morra, 2013).
For forensics analysts and law enforcement, there are several methods available to analyze PDFs for either malicious code or for intelligence gathering. The
metadata stored within a PDF can provide some basic clues as to the creation
and modification dates, the originating program, and sometimes the creator’s
name. Additional metadata can also be found if the user entered the information
manually, such as description, writer, keywords, etc.
Non-professionals and casual users of PDFs can benefit from open
source tools to work with PDFs. PDFs can have varying levels of security
added. A user can password-protect a PDF and prevent the recipient from taking any action other than viewing it. Printing, copying and editing are prohibited without the correct password. The user who protected the document can benefit from open source tools as well. Suppose an old PDF is retrieved with password
protection, but the user has forgotten the password. In Acrobat’s Document
Properties dialogue, the security settings can be reviewed. Here, it lists the
settings, such as “password security” and the functions that are forbidden. It
reports the encryption level, such as 128-bit RC4. A PDF of this type can be
uploaded to the browser-based tool, Unlock PDF, which strips the password
from the PDF and returns it to the user. The PDF can now be manipulated as
the user chooses (Stofer, 2015).
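A triage script in the spirit of the PDFiD keyword checks, the Info metadata and object-numbering clues used against the birth-certificate PDF above, and the security settings Acrobat’s Document Properties reports. This is an added example, not PDFiD, PDFparser or the thesis’s own code; the sample PDF fragment, its creator strings and its out-of-order object numbers are constructed, and the script assumes a Standard security handler dictionary (/Filter /Standard) when summarising encryption.

```python
"""PDFiD-style triage plus metadata, object-order and security-setting checks.
Added example, not PDFiD, pdf-parser or thesis code. SAMPLE_PDF is a
constructed fragment (no xref table, not a real or malicious file)."""
import re
from typing import Optional

# Names that let a document run or launch something; PDFiD counts these same
# keywords to separate benign PDFs from ones that deserve a closer look.
KEYWORDS = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
            "/EmbeddedFile", "/Encrypt", "/ObjStm"]

# Bit positions of the /P permission flags (Standard security handler).
PERMISSION_BITS = {"print": 3, "modify": 4, "copy": 5, "annotate": 6}

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (app.alert('constructed sample');) >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
5 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>
endobj
6 0 obj
<< /Creator (Sample scanner driver 1.0) /Producer (Constructed producer)
   /CreationDate (D:20150801120000Z) >>
endobj
trailer
<< /Root 1 0 R /Info 6 0 R /Encrypt 5 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes (#61 -> 'a') so an obfuscated /J#61vaScript
    is counted as /JavaScript; this is why PDFiD's counts survive obfuscation."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each triage keyword; a name ends at a delimiter, so /JS does
    not match inside /JSx and /JavaScript is counted separately."""
    norm = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])",
                               norm)) for kw in KEYWORDS}


def info_metadata(data: bytes) -> dict:
    """Pull creator, producer and dates from the Info dictionary; the creator
    string names the producing program (an Adobe product or otherwise)."""
    norm = normalize_names(data)
    out = {}
    for key in ("Creator", "Producer", "CreationDate", "ModDate"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", norm)
        if m:
            out[key] = m.group(1).decode("latin-1")
    return out


def object_numbers(data: bytes) -> list:
    """Object numbers in the order their 'N G obj' headers appear."""
    return [int(n) for n in re.findall(rb"(?m)^(\d+)\s+\d+\s+obj\b", data)]


def objects_sequential(data: bytes) -> bool:
    """Heuristic from the text: are objects written in ascending order?
    Incremental updates also break the order, so treat this as a clue only."""
    nums = object_numbers(data)
    return nums == list(range(1, len(nums) + 1))


def decode_permissions(p: int) -> dict:
    """Map the signed /P value to allowed actions; bit 1 is the lowest bit."""
    return {name: bool(p & (1 << (bit - 1)))
            for name, bit in PERMISSION_BITS.items()}


def encryption_summary(data: bytes) -> Optional[dict]:
    """Summarise the Standard security handler dictionary: the same facts
    Acrobat's Document Properties shows (e.g. 128-bit RC4, printing denied)."""
    m = re.search(rb"/Filter\s*/Standard", data)
    if not m:
        return None
    body = data[m.start():data.index(b">>", m.end())]

    def num(key: bytes):
        hit = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(hit.group(1)) if hit else None

    v, length, p = num(b"V"), num(b"Length"), num(b"P")
    # V 1 and 2 are RC4 (40-bit when /Length is absent); V 4+ names ciphers in /CF.
    return {"version": v, "revision": num(b"R"),
            "length_bits": length if length is not None else 40,
            "cipher": "RC4" if v in (1, 2) else "see /CF",
            "permissions": decode_permissions(p) if p is not None else {}}


def triage(data: bytes) -> dict:
    """One report per file: keyword counts, metadata, object order, security."""
    return {"keywords": count_keywords(data), "info": info_metadata(data),
            "objects_sequential": objects_sequential(data),
            "encryption": encryption_summary(data)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```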
McGladrey LLP, an accounting firm with more than 8,000 employees based
in Minneapolis, Minnesota, has streamlined their document workflow to focus
on Adobe Acrobat PDFs. Matt Corcoran, McGladrey’s desktop manager, describes the challenges and complexity of their document management routine:
We are very geographically dispersed—and, as part of our entrepreneurial culture, users here are free to purchase or download tools in addition
to our standard software image to meet their needs. To support our substantial use of PDF, our accounting professionals had acquired a mix of
many different versions of Adobe Acrobat software, as well as other PDF
applications. (McGladrey LLP, 2011)
ColdFusion
ColdFusion is an Adobe program that is used for web development. It was developed in 1995 but is still widely used today. ColdFusion’s appeal is that it
handles database management well and its coding language is familiar to web
developers. ColdFusion allows developers to create large, enterprise-class applications and is used frequently by large corporations, government agencies
and other institutions that maintain large databases that integrate with the
Internet. ColdFusion is adaptable and can “talk” to other applications, such as
.NET, Java classes, and legacy connectivity such as COM and CORBA. ColdFusion is a useful tool for creating forms. Forms can be coded just like in any other
web development tool, but ColdFusion offers added validation options without
adding unnecessary complexity (Hughes, n.d.).
ColdFusion is a target for hacks. In 2013, a breach was made possible by a
vulnerability in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user.” One of the hackers reported directly that Linode
(a New Jersey-based virtual private server provider), the company victimized,
had been hacked weeks before the discovery. This could be an indication that
there were more hacks that went undetected. The element that was attacked is
“cflogin,” its user authentication component. With this exploit, hackers were
able to access Linode’s server and source code. In response, Linode issued a
statement in a blog post:
No evidence decrypted credit card numbers were obtained and the encryption key for credit card data was not stored on the server and was not
guessable, sufficiently long and complex, not based on dictionary words,
and not stored anywhere but in our heads. (Gallagher, 2013)
The ColdFusion breach of 2013-2014 that affected Smucker’s and SecurePay acted similarly to that of the ZeuS virus. It would siphon information by
slurping up passwords stored in the victim’s browser cache and conduct “form
grabbing,” which is intercepting data entered into a form field before it has been
encrypted and sent across the Internet to its destination. As victims were going
through the online checkout process at Smucker’s, the virus would collect names,
addresses, phone numbers, credit card numbers and verification codes (CVV).
This virus confirmed an important aspect of Web security: no transaction
is secure if even one end is compromised. This same group is believed responsible for the attack on ColdFusion’s own publisher, Adobe Systems, Inc.
The control panel of the botnet includes the names of many companies.
Some of them were reported infected in August 2013 and were still active up to,
at least, March 2014, according to Brian Krebs. The botnet did infect at least one
company that was driven out of business: TechnoCash.com.au. TechnoCash was
also involved in an online drug bazaar on SilkRoad and under indictments from
the United States Department of Justice.
Figure 9. The ColdFusion’s botnet control panel listing many entries for SecurePay.
Georgia-based SecurePay, whose assets were acquired from Pipeline Data by Calpiancommerce.com, was heavily represented in the botnet’s control panel (see Figure 9). Pipeline’s New York data center had been running an outdated
version of ColdFusion. When asked about the breach by Brian Krebs, CEO Tom
Tesmer responded by saying, “We’re not aware of compromised cards.” When
Krebs presented him with 5,000 records showing what the hackers stole, Tesmer confirmed the attack and responded:
That warning showed up while the system was not under our control, but
under the control of the folks up in New York. We fired that alert over to
the network guys up there and they said they were going to block that IP
address, and that was the last we heard of that. (Krebs, 2014a)
Adobe Cloud
In 2012, Adobe launched the Adobe Creative Cloud. This move transitioned Adobe from selling perpetual licenses for boxed software to offering its programs on a subscription basis. Users pay a monthly fee, based on whether the
user is a student, or a business, or some other specific entity. Subscription fees
are priced from $10/month for individual use of Photoshop up to $80/month for
the complete Creative Cloud set which includes Adobe Stock Photos (“Discover
the Creative Cloud,” 2015). With the subscription, users can sign in to their Adobe account online and download almost all the Adobe programs they want. In
the past, a user would, for example, purchase InDesign in a box and then Photoshop, Illustrator, etc. Adobe also offered different software collections for print
designers, web designers, etc. With the subscription, a typical print designer using InDesign can experiment, at no additional cost, with sound software, such as
Audition, video editing with After Effects or web animation with Edge Animate.
Many balked at the idea of continually paying Adobe to use their products, but
after three years in service the complaints have diminished and it has become a
part of digital life (Shankland, 2012).
Along with all this expansion, subscriptions and transitions to the cloud
created problems for Adobe and its customers. In 2013, Adobe was hit with
a massive cyber attack that impacted at least 38 million Adobe users. The attack led to the reported theft of three million credit card records and tens of
millions of user accounts. Shortly after the attack, a 3.8Gb file, “users.tar.gz,”
was posted on AnonNews.org (an anonymous news-posting site) that contained 150 million usernames and hashed password pairs stolen from Adobe.
Along with the account theft, hackers stole the source code for Acrobat, Acrobat Reader and ColdFusion. A password-protected file was uploaded to anonnews.org with the name, “ph1.tar.gz.” Forensic experts were not able to crack
the password. A newer file, with the same name and without protection, was
later posted containing the source code for Photoshop. Adobe offered its affected customers free credit protection for a year. The protection was offered
through Experian, which was earlier tricked into selling consumer records to
an online identity theft service (Krebs, 2013).
Stealing customer data and software source code is a lucrative undertaking
for several reasons. Obviously, stealing credit card information or user login information gives the hackers access to personal financial data. Source code is a commodity that can be sold and traded on the dark web. With the source code, hackers can develop exploits and sell those to others for a fee. A zero-day exploit (an exploit that has not previously been used) could be sold for $50,000. Having the source code allows the hackers to find more vulnerabilities for later use. In the case of the stolen ColdFusion source code, the hackers could compromise web servers at will (Higgins, 2013).
Photoshop and Acrobat are both available through the Adobe Creative Cloud
subscription service for 30-day trial periods. This makes using the programs,
and experimenting with them, very convenient and cost-effective. Adobe software is designed to work together. Whether one works in Photoshop, Illustrator,
InDesign or Audition, the commands and interface are all similar and transferring assets between them is a mostly seamless process (Perhiniak, 2012). Along
with Photoshop and Illustrator, Adobe InDesign is an application used by the
majority of graphic designers and publishers for page layout. QuarkXPress was,
for many years, the de facto tool of publishers, but Adobe took over the larger
share of the market with InDesign even though QuarkXPress had a 95% share of
the market when InDesign debuted (Girard, 2014). InDesign hasn’t presented
the forensic challenges that PDFs, Flash, ColdFusion and Photoshop have, but
it is interesting to note that, even in this seemingly innocuous program, there is
metadata embedded that can be analyzed (Wheeler, 2008).
Discussion of the Findings
The purpose of this research was to examine how certain Adobe programs and files are manipulated for criminal intent. The most common programs and file types examined are Photoshop, Acrobat, Flash, and ColdFusion, but the research also covers some lesser known, but popular, programs, such as InDesign and Illustrator. The research addresses the following problems and situations:
How are Adobe programs, primarily Photoshop, Acrobat, Flash and ColdFusion used for forensics and criminal purposes? What methods are used to
manipulate files for the purposes of misleading people or altering perceptions?
What are some of the forensic signs of evidentiary tampering and how can authorities use this information to identify threats?
Adobe’s large number of programs and online subscription systems will lead
to more opportunities for threats and more opportunities to use the programs
to thwart those threats. Adobe has gone beyond creating applications for design,
such as InDesign and Illustrator. It now includes the Adobe Marketing Cloud,
used for marketing and analytics, to compete against IBM, SalesForce and Oracle in the cloud marketing market (Koetsier, 2014). It has also added solutions
for designers to host their creative portfolios with its acquisition of Behance,
which is described as the “LinkedIn for artists” (Dillet, 2012).
Adobe’s data breach in 2013 could have affected 150,000,000 records, far
larger than previously reported numbers of 38,000,000 (Ducklin, 2013). Adobe warned their customers by sending users an email explaining what had happened and that they had reset the users’ passwords and included a link in the
email to a password reset. Clicking a link in an email, especially if you weren’t
expecting such an email, is an invitation to being hacked due to user complacency. As “StephenJ798” quipped in a comment on Kelly Higgins’ post on InformationWeek’s Dark Reading site, “Hacking the Adobe Breach”:
Can I add that Adobe compounded their lack of security by sending unexpected emails to 3 million people with a request to change their security
details by clicking on a link in the same email? I cannot confirm that anyone has used this fact to try to get login and other information from Adobe
users but since support on the Facebook page is basically saying “just click
on the link” we have to hope that they will be getting an email with the
right link. If you see nothing wrong in what Adobe has done then you are
advised to reset your PayPal Password here. (StephenJ798, 2013)
What makes the Adobe breach more troubling is that many people re-use
passwords from account to account. For all the passwords used in the Adobe
accounts, and the records associated with them, duplicates of this information appear in other systems, sometimes many times over. Even though Adobe
required password resets after the hack, those duplicate passwords are used
elsewhere. As a result, many people who changed their Adobe password have not changed it across all of their accounts, which allows the hackers to compromise many other accounts via just one channel. Unfortunately, many people do not
practice safe password habits when choosing their passwords. “Password” is a
common password and so are regular dictionary words, which can be guessed
or gleaned through social engineering. Two-factor authentication is a better
way to proceed. With this method the password is teamed-up with another
form of identification (Levin, 2014).
Flash
Flash is one of the most widely installed software applications in the world
and is found on different browsers for both Windows and Macs. Hackers
make use of Flash’s SWF files as vectors of re-usable delivery systems. This
makes the number of exploitable software/browser/platform combinations significantly higher than other vulnerabilities (Omansky, 2015).
McAfee Labs, a division of Intel Security, in its May 2015 report, states that the increase in Flash vulnerabilities is due, in part, to “a steep increase in mobile devices that can play SWF files” (Beeck et al., 2015).
McAfee’s statement about Flash exploits increasing due to mobile use is overstated. Although it is possible, in certain circumstances, to play SWF files on a mobile device, it requires third-party add-ons that play SWF files from an SD card. There is no widespread “user-friendly” method of playing
SWF on mobile devices that the general public would use. The Google Play
app store does not carry an Adobe Flash Player. It states on the download page
for the third-party app, SWF Player by BitLabs LLC:
Play your flash files (SWF) from your SD-card with this simple player. This app is a Flash file viewer. You need to install Flash® Player
Plugin to use this app to play your SWF Flash files. You can play
your Flash animations, apps and games with this Flash file viewer. Adobe discontinued the Flash® Player Plugin for mobile devices,
but with SWF Player you will be able to play your SWF Flash files.
(SWF Player, 2014)
Playing SWF files on an iPhone is a challenge. Since iPhones do not support Flash, users need to use third-party systems to circumvent the block. Jihosoft offers third-party solutions, such as Cloud Browse, which is a paid web
browser that uses a virtual Firefox platform. The company also offers a converter that users can use to convert Flash to MPEG-4, which will play on an
iPhone. Solutions like this diminish what iPhone users want in their device:
a simple, ready-to-go device for all their communication and entertainment
needs. Requiring users to find, install and troubleshoot extra programs to view
Flash files is not a practical solution (“SWF to iPhone - How to Play Flash
SWF on iPhone 5,” n.d.).
Photoshop
Photoshop, by itself, is not generally used as a vehicle for malicious code. Threats perpetrated with Photoshop are targeted to the mind. Image manipulation preceded Photoshop and the digital age, but Photoshop has certainly made the results of manipulation much more realistic and believable and has made the chore much easier to perform. Before the advent of Photoshop and computers, image manipulation was an arduous process that required hours of work manipulating images manually with airbrushes and ink.
There are methods to detect image manipulation conducted with Photoshop. One telltale sign of image manipulation is Error Level Analysis (ELA). ELA works by resaving images at a 95% compression rate. The changes that are introduced are then calculated and areas of manipulation show up brighter as they deviate from the original (“Photo Forensics,” 2013). The image from the Victoria’s Secret catalog was changed quite extensively as illustrated by the changes highlighted in white. The entire dress was modified, and, as it has selectable colors on the original website, the color visible in the image is not that of the original (see Figure 10).
Figure 10: Error Level Analysis (ELA) shows image modification.
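The ELA procedure just described, as an added example that is not part of the capstone or of any forensic tool it names: a small JPEG-like codec (8x8 block DCT with the standard luminance quantization table and libjpeg’s quality scaling) stands in for a real JPEG encoder so that the mechanism runs offline in plain Python. A constructed 32x32 greyscale image is compressed once, a never-compressed patch is pasted into it, and the whole image is re-saved at quality 95; the pasted patch shows a far higher error level than the rest because quantization is nearly idempotent for pixels that have already been through it. The sample image, the patch location and the seed are assumptions made for the demonstration.

```python
"""Error Level Analysis (ELA) on a small JPEG-like codec written from scratch.
Added example: the codec mimics JPEG's 8x8 block DCT + quantization so the
effect can be shown offline without Pillow. Real ELA re-saves the actual JPEG."""
import math
import random

N = 8  # JPEG quantizes 8x8 blocks of DCT coefficients

# Standard JPEG luminance quantization table (ITU-T T.81, Annex K), row-major.
BASE_Q = [
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
]
C = [1 / math.sqrt(2)] + [1.0] * (N - 1)  # DCT normalisation factors
COS = [[math.cos((2 * i + 1) * k * math.pi / (2 * N)) for k in range(N)] for i in range(N)]

def quant_table(quality):
    """Scale BASE_Q for a 1..100 quality setting the way libjpeg does."""
    quality = max(1, min(100, quality))
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [max(1, min(255, (q * scale + 50) // 100)) for q in BASE_Q]

def dct2(block):
    """Forward 2-D DCT-II of an 8x8 block (list of rows)."""
    return [[0.25 * C[u] * C[v] * sum(block[y][x] * COS[y][u] * COS[x][v]
                                      for y in range(N) for x in range(N))
             for v in range(N)] for u in range(N)]

def idct2(coefs):
    """Inverse 2-D DCT of an 8x8 coefficient block, back to rows of pixels."""
    return [[0.25 * sum(C[u] * C[v] * coefs[u][v] * COS[y][u] * COS[x][v]
                        for u in range(N) for v in range(N))
             for x in range(N)] for y in range(N)]

def jpeg_like_roundtrip(img, quality):
    """Compress and decompress a greyscale image (rows of 0..255 ints).
    Models only JPEG's lossy core; width and height must be multiples of 8."""
    table = quant_table(quality)
    out = [row[:] for row in img]
    for by in range(0, len(img), N):
        for bx in range(0, len(img[0]), N):
            block = [[img[by + y][bx + x] - 128 for x in range(N)] for y in range(N)]
            coefs = dct2(block)
            for u in range(N):
                for v in range(N):
                    q = table[u * N + v]
                    coefs[u][v] = round(coefs[u][v] / q) * q  # the lossy step
            pixels = idct2(coefs)
            for y in range(N):
                for x in range(N):
                    out[by + y][bx + x] = max(0, min(255, round(pixels[y][x] + 128)))
    return out

def error_level(img, quality=95):
    """ELA: re-save at `quality` and return |original - resaved| per pixel.
    Pixels that already passed through the codec barely move; others do."""
    resaved = jpeg_like_roundtrip(img, quality)
    return [[abs(a - b) for a, b in zip(r1, r2)] for r1, r2 in zip(img, resaved)]

def mean_region(grid, box, inside=True):
    """Mean of grid values inside (or outside) box = (y0, y1, x0, x1)."""
    y0, y1, x0, x1 = box
    vals = [grid[y][x] for y in range(len(grid)) for x in range(len(grid[0]))
            if (y0 <= y < y1 and x0 <= x < x1) == inside]
    return sum(vals) / len(vals)

def build_tampered_image(seed=1):
    """Constructed sample: a 32x32 'camera JPEG' with a never-compressed patch pasted in."""
    rng = random.Random(seed)
    size = 32
    photo = [[40 + (120 * (x + y)) // (2 * size) + rng.randint(-8, 8)
              for x in range(size)] for y in range(size)]
    photo = jpeg_like_roundtrip(photo, 95)  # the original save
    box = (8, 24, 8, 24)  # pasted region, aligned to 8x8 blocks
    for y in range(box[0], box[1]):
        for x in range(box[2], box[3]):
            photo[y][x] = rng.randint(30, 225)  # fresh pixels, e.g. a pasted object
    return photo, box

def demo():
    """Return (mean error level inside the pasted patch, mean elsewhere)."""
    img, box = build_tampered_image()
    ela = error_level(img, 95)
    return mean_region(ela, box, True), mean_region(ela, box, False)

if __name__ == "__main__":
    inside, outside = demo()
    print(f"mean error level: pasted patch {inside:.2f}, rest of image {outside:.2f}")
```

The same contrast is what fotoforensics.com renders as brightness: a region whose compression history differs from its surroundings stands out. Note that high-contrast edges and re-saved crops also raise error levels, so ELA output is a lead for closer inspection, not proof of tampering on its own.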
Error Level Analysis can be performed online at fotoforensics.com. By uploading a JPG or PNG image to the site, the image is analyzed for ELA. The image’s metadata is also reported. The user also has the option to select TinEye (“TinEye Reverse Image Search,” 2015), a web service (tineye.com) that can be used to find any similar images online (“FotoForensics,” n.d.).
Figure 11: Metadata from the Gaza photo that Krawetz uploaded to fotoforensics.com.
In 2013, a photo of mourners in Gaza (“Gaza Burial”), by Paul Hansen, was
selected as the World Press Photo of the Year-Spot News (“Gaza Burial, by Paul
Hansen,” n.d.). Experts were suspicious of the photo’s authenticity as they detected unusual light and shadows for the time of day it was purportedly taken.
Two forensics experts arrived at different conclusions. Neal Krawetz concluded that there was significant alteration to the image and that, based on the XMP metadata, the image was comprised of four different images (see Figure 11). Forensic analyst Hany Farid concluded that the photo (see Figure 12) did go through alterations but it was no more than “burning and dodging” to adjust lightness, as evidenced in Figure 12 (Anthony, 2013).
Using Photoshop for dishonest purposes has been employed for many years, and the program makes it very easy to perpetrate, leading many people to believe what they are seeing to be true until it is proven fake. One well-known Photoshop fake, and maybe one of the most insensitive, was the “911 Tourist.” In the photo, a man is seen standing by a rail on the Twin Towers as one of the hijacked planes approaches (see Figure 13). The photo was meant as a “joke,” and was taken by Hungarian tourist Peter Guzil, who was in New York in 1997 (four years before the attack). He Photoshopped the plane into the scene (note the timestamp). The image spread virally via email (“Famous Photoshopped Fakes,” n.d.).
Figure 12: The Gaza mourners photo (left) and the ELA representation that shows extensive alterations (right).
Viewing photographs is a personal experience that gives them emotional
credibility. People associate images with personal experiences, values, biases
and assumptions causing a wide range of emotions to be exhibited. Cynthia Baron writes in her book Adobe Forensics:
We can feel the visual punch of a scene in a photo, on video, or on
TV hundreds of miles and years away. People who experienced the
collapse of the World Trade Center on television know how completely the event overwhelmed the physical space they were in as they
watched. (Baron, p. 28, 2008)
People are adept at recognizing patterns. German Neurologist and Psychologist Klaus Conrad described this tendency as “apophenia,” a type of “psychic
thought process.” Science historian Michael Shermer uses the term “patternicity.” In either case, apophenia is used to describe the phenomenon of seeing faces,
particularly in unlikely places. There are many reports of seeing the face of Jesus
Christ or the Virgin Mary in burnt toast, shower mold, motor oil or tree bark.
Similar to Wilson Key’s “subliminal persuasion,” people see what they want to see (Poulsen, 2012).
In 1976, the Viking Mars Orbiter sent back an interesting image from its flyover of Mars. When the area known as Cydonia Mensae was examined, something curious was detected (see Figure 14). Photoshop’s Dust and Scratches and Despeckle filters were applied to the image and then adjusted with Curves, and what appeared seemed to be the face of an “Egyptian god.” The Martian god is only a fanciful interpretation of reality as are the sightings of Jesus in breakfast foods. Cynthia Baron explains, “It takes very little detail for us to form high-contrast shadows and reflections into features” (Baron, p. 323, 2008).
Figure 13: Peter Guzil in New York—1997.
Photoshop and Acrobat are both available through the Adobe Creative Cloud subscription service for 30-day trial periods. This makes using the programs, and experimenting with them, very convenient and cost-effective. Using a combination of Photoshop and Acrobat, images can be altered and hidden effectively. Figure 15 shows a two-layered image in Photoshop CC (2014). The bottom (background) layer is an image of a golf course. The secondary layer is a solid black overlay.
Figure 14. Photoshop-enhanced image of rock formation on Mars appears to be a face.
The file is saved from Photoshop as a PDF and then it is opened in Adobe Acrobat Pro XI (see Figure 16). Although the image contains the golf course and the black overlay, only black is seen when opening the PDF in Acrobat. When the PDF is opened in Photoshop, it retains the layers, the black overlay can be unchecked, and the golf course is revealed (see Figure 17).
This is a simple way to hide an image and send it as a PDF without drawing suspicion. If the PDF is intercepted and opened in Acrobat, the only thing that would be visible is the black overlay. The recipient would need to use Photoshop to be able to open the image and show the layers. Acrobat’s Preflight panels do not reveal the presence of the golf course image (see Figure 18) (Macharyas, 2015).
Figure 15: Two-layer (yellow circle) image created in Photoshop CC (2014).
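Where Preflight came up empty, an examiner can still ask what image data the file carries regardless of what is painted over it. The following is an added example, not from the capstone and not Adobe code; it does not reproduce how Photoshop stores its layers (that format is private to Adobe). The sample PDF is constructed by hand: its page draws a large image and then fills the page black, so a viewer shows only black, and it carries a page-piece (/PieceInfo) dictionary, the standard slot for application-private data. The parser reads only uncompressed objects; real files with object streams need to be decompressed first.

```python
"""Inventory the image data a PDF carries, independent of what a viewer shows.

Added example (not from the capstone, not Adobe code). A viewer only executes
the page's content stream, so an opaque fill painted after an image hides it
on screen; the image remains in the file as an XObject. Listing every image
XObject exposes that. Only uncompressed objects are handled (no object streams).
"""
import re

# Constructed sample: a page that paints a large image, then a black rectangle
# over the whole page. The image bytes are a placeholder, not a real JPEG.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Resources << /XObject << /Im0 5 0 R >> >> /Contents 4 0 R"
    b" /PieceInfo << /ConstructedApp << /Private 0 >> >> >> endobj\n"  # placeholder app name
    b"4 0 obj << /Length 52 >> stream\n"
    b"q 612 0 0 792 0 0 cm /Im0 Do Q\n"  # draw the image over the page
    b"0 g 0 0 612 792 re f\n"  # then fill the page black on top of it
    b"endstream endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1600 /Height 1200"
    b" /ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode"
    b" /Length 48 >> stream\n" + b"\xff\xd8" + b"\x00" * 46 + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

COMPONENTS = {"DeviceGray": 1, "DeviceRGB": 3, "DeviceCMYK": 4}


def _int_key(body, key):
    """Integer value of /key inside one object body, or None."""
    m = re.search(rb"/" + key + rb"\s+(\d+)", body)
    return int(m.group(1)) if m else None


def _name_key(body, key):
    """Name value of /key (e.g. /Filter /DCTDecode) inside one object body, or None."""
    m = re.search(rb"/" + key + rb"\s*/([A-Za-z0-9]+)", body)
    return m.group(1).decode() if m else None


def find_images(data):
    """Describe every image XObject: object number, size, colour space, filter, stream length."""
    images = []
    for m in re.finditer(rb"(\d+)\s+0\s+obj(.*?)endobj", data, re.S):
        body = m.group(2)
        if not re.search(rb"/Subtype\s*/Image\b", body):
            continue
        w, h = _int_key(body, b"Width"), _int_key(body, b"Height")
        cs = _name_key(body, b"ColorSpace")
        images.append({
            "object": int(m.group(1)), "width": w, "height": h,
            "colorspace": cs, "filter": _name_key(body, b"Filter"),
            "stream_length": _int_key(body, b"Length"),
            # size of the decoded raster; a hint of how much content is carried
            "decoded_bytes": (w or 0) * (h or 0) * COMPONENTS.get(cs, 1)
                             * (_int_key(body, b"BitsPerComponent") or 8) // 8,
        })
    return images


def has_private_data(data):
    """True if a page-piece dictionary (/PieceInfo) is present; the PDF standard
    reserves it for application-private data, which viewers never render."""
    return re.search(rb"/PieceInfo\b", data) is not None


def triage(data):
    """Summary an examiner can compare against what the page actually displays."""
    images = find_images(data)
    return {
        "image_count": len(images),
        "largest_pixels": max(((i["width"] or 0) * (i["height"] or 0) for i in images), default=0),
        "private_data": has_private_data(data),
        "images": images,
    }
```

A page that renders as a solid colour but carries a 1600x1200 DCT-encoded image, or any page-piece dictionary, is worth opening in the application that wrote it, which is exactly what revealed the golf course above.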
Another method of hiding information is with OpenPuff. OpenPuff can hide data in several types of carriers, such as JPG, MP3, etc., and send it to the unsuspecting recipient. Without knowing the information is in there, an interceptor wouldn’t know to look for it. The recipient would have to have OpenPuff and the authentication to extract it (Zuckerman, 2013).
Figure 16: The Photoshop image is saved as a PDF and opened in Adobe Acrobat Pro XI.
For several years, Photoshop has been an essential forensic tool for examiners and law enforcement personnel. A cottage industry has arisen to meet the training demand. Companies such as Rocky Mountain Training offer Photoshop for Forensic Personnel courses for $600 (“Discover new dimensions in digital imaging,” n.d.).
Figure 17: PDF, in Photoshop, retains the layers, which can be turned on and off (yellow circle) to reveal the hidden image.
Training opportunities for most Adobe products, and in particular, Photoshop, can be taken through Massive Open Online Course (MOOC) providers, such as Udemy (“Photoshop Training Course,” n.d.), Alison (“Online Photoshop Classes,” n.d.), freelance graphic designers on Craigslist (“Learn Graphic Design using Adobe Photoshop - $200!!!,” 2015), or from Adobe itself (“Photoshop CC tutorials,” n.d.). The MOOCs offer certifications of completion, but Adobe offers its own, highly valued, certifications. Beginners can earn the Adobe Certified Associate (ACA), advanced users the Adobe Certified Expert (ACE), and those looking to teach Adobe, the Adobe Certified Instructor (ACI) (“Adobe Certified Expert Training,” n.d.). These courses, and certifications, are valuable for forensic examiners and law enforcement to add credence to their claims when analyzing images or presenting them as evidence in court. Adobe Certified Experts are unique. A search of Photoshop ACEs in Florida returns only 29 results, the District of Columbia, zero (“Adobe Certified Expert Finder,” n.d.).
Figure 18: Acrobat’s Preflight does not show background image.
There are many books and CD guides for examiners to learn the workings
of Photoshop, such as Jim Hoerricks’ Forensic Photoshop (Hoerricks, 2008).
Hoerricks claims that Photoshop can withstand a “Swinton Six” challenge.
The Swinton Six refers to a 2004 Connecticut legal case, State v. Swinton,
in which Photoshop was used to create demonstrations of bite mark overlays
that showed that the defendant had bitten the victim (Guthrie & Mitchell,
2007).
Photographic evidence must pass the test of fairness and completeness. Prior to digital photography, film images had to pass this test as well, as physical
photographs could be altered, cropped, resized and distorted much like digital
images. For digital images to pass the test, the following checklist was developed
by Veronica Blas Dahir, manager of the Center for Research Design and Analysis at the University of Nevada, Reno (“Veronica Blas Dahir,” n.d.):
1. Completeness—Completeness of the photo is a common objection with
digital photos due to the rampant availability of cropping capabilities.
a. Cropping—is the photo unfairly cropped in the context for which it is used?
b. Can a small version of the photo be juxtaposed next to an enlarged
cropped portion?
2. Unfairness—Does the use of digital enhancement software raise unfairness
concerns because of:
a. Resizing
b. Reshaping
c. Cropping
d. Changes to lighting
e. Changes to color
f. Enlargements (e.g., to a size larger than life) (Dahir, p. 109, 2011)
Law enforcement, globally, will use Photoshop to hide their misdeeds. In
2013, four men were arrested for armed robbery in Greece. The media photographed them at the scene of the crime and it was evident that the police
had roughed them up. When the mug shots were released a few days later, the
suspects’ wounds were no longer apparent. Similar to Slate’s experiment in which 26% of respondents “remembered” a non-existent handshake between Presidents Obama and Ahmadinejad, the Greek officials were expecting the
public to accept their altered reality just because “they said so.” Public Order
Minister Nikos Dendias did admit that the images were Photoshopped, but
only to make the men “more recognizable” to the public (Feinberg, 2013).
Portable Document Format (PDF)
Conducting a forensic examination of a PDF file is not very complicated, and it can yield a lot of data, which can be used to create connections using open source tools or the Internet. Metadata in PDF files is easy to view. Although there are several metadata tools, such as PDFwalker, PDFid, and PDFmetadata, simply checking the PDF’s Document Properties can provide a lot of information. In the PDF, metadataadvisor.pdf (see Figure 19), downloaded from msisac.cisecurity.org, the Properties Panel shows the program that created it, the author of the document, the date it was created, and more.
The metadata in the PDF shows that Margaret Morrissey created it. Morrissey used Microsoft Word on a Mac on October 24, 2011 at 2:45:39 pm. That information was useful in “following the trail” to find the actual person who created the document, as her name does not appear in the PDF content. With the name extracted from the metadata (see Figure 20), the location (Albany, New York) referenced in the document, and “cybersecurity initiatives” in the text, it is evident that the author of the PDF is Margaret Morrissey, Executive Assistant, New York State Cyber Security, Albany, New York, www.cscic.state.ny.us (Morrissey, 2011).
Figure 19: PDF document: Metadata: A Backdoor Into Organizations.
Wepawet is a free online tool that can be used for forensic examination of PDFs. The Morrissey PDF was uploaded to wepawet.org for analysis. The free online service returned a report showing that metadataadvisory.pdf was free of exploits (see Figure 21) (Cova, Kapravelos, Fratantonio, Kruegel, & Vigna, n.d.).
Digital signatures are a way of validating the authenticity of PDF documents. It is easy to digitally sign a PDF by providing a name and email address. Once the document has been digitally signed it cannot be modified (Segura, 2013). However, the PDF can be opened in Photoshop and some changes can be made. The headline was removed in the example and saved back as a PDF (see Figure 22). Once opened in Acrobat, it appears to be a valid, digitally signed PDF. The giveaway is if the reader tries to view the signing certificate and is unable to do so. But, the altered PDF looks just like one would expect it to without conducting any basic forensics on it.
Figure 20: Metadata of PDF viewed with the Document Properties function in Acrobat Pro XI.
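The two checks the text relies on, the Document Properties and the presence of a signature, as an added example that is not from the capstone and not Acrobat’s or any of the named tools’ code. Two minimal PDFs are constructed inline: SIGNED_PDF stands in for the original, signed file (its author, producer strings and timestamps are made-up values chosen only to resemble the case above), and ALTERED_PDF for the same document after a trip through an image editor, which rewrites the /Info dictionary and drops the signature object. The parser reads only uncompressed objects and a single trailer; real files often use object streams and incremental updates, where a PDF library is needed.

```python
"""Read a PDF's Document Properties (/Info dictionary) and check for a signature.

Added example (not from the capstone, not Adobe code). SIGNED_PDF and
ALTERED_PDF are constructed byte strings, minimal rather than viewer-valid;
every metadata value in them is made up.
"""
import re
from datetime import datetime, timedelta, timezone

SIGNED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] /SigFlags 3 >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Author (Example Author) /Creator (Microsoft Word) /Producer (Mac OS X 10.6.8 Quartz PDFContext) /CreationDate (D:20111024144539-04'00') /ModDate (D:20111024144539-04'00') >> endobj
5 0 obj << /FT /Sig /T (Signature1) /V 6 0 R >> endobj
6 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached /ByteRange [0 0 0 0] /Contents <00> >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

# Same document after an image editor rewrote it: new producer, new dates, no signature.
ALTERED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Creator (Adobe Photoshop CC 2014) /Producer (Adobe Photoshop for Macintosh) /CreationDate (D:20150601101500-04'00') /ModDate (D:20150601101500-04'00') /Trapped /False >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

PDF_DATE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([+\-Z])?(\d{2})?'?(\d{2})?")


def parse_pdf_date(text):
    """Convert a PDF date string (D:YYYYMMDDHHmmSSOHH'mm') to an aware datetime."""
    m = PDF_DATE.match(text)
    if not m:
        return None
    y, mo, d, hh, mm, ss, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo or 1), int(d or 1), int(hh or 0), int(mm or 0), int(ss or 0), tzinfo=tz)


def pdf_info(data):
    """Return the trailer's /Info dictionary as {key: value}.
    Handles uncompressed objects and one trailer only (no object streams, no updates)."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"(?<![\d])" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj", data, re.S)
    if not obj:
        return {}
    body = obj.group(1)
    info = {}
    for key, val in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", body):  # literal strings
        info[key.decode()] = val.decode("latin-1")
    for key, val in re.findall(rb"/(\w+)\s*/(\w+)", body):  # name values, e.g. /Trapped /False
        info.setdefault(key.decode(), "/" + val.decode())
    return info


def has_signature(data):
    """True if the file contains a signature dictionary (/Type /Sig)."""
    return re.search(rb"/Type\s*/Sig\b", data) is not None


def compare_metadata(original, suspect):
    """Map each /Info key that differs to (original value, suspect value)."""
    a, b = pdf_info(original), pdf_info(suspect)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def triage(data):
    """The fields an examiner would log first: producer, creator, creation time, signed or not."""
    info = pdf_info(data)
    created = parse_pdf_date(info.get("CreationDate", ""))
    return {"producer": info.get("Producer"), "creator": info.get("Creator"),
            "created": created.isoformat() if created else None,
            "signed": has_signature(data)}
```

Running compare_metadata on the pair shows the author field vanishing, the producer changing, and the creation date jumping forward, while has_signature flips from True to False: the same facts that Figure 23 and the missing certificate reveal in Acrobat.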
If one were to view the Document Properties of the altered and unaltered PDFs, it would be obvious there is a difference (see Figure 23). Ms. Morrissey, using her Mac OSX 10.6.8 system, created the original PDF file. The altered PDF was produced via Photoshop. To the casual observer, this information would probably never be investigated and the fraudulent PDF would be considered authentic and correct.
Figure 21: Wepawet analyzed the PDF and reported it was clean.
As diligent as forensic examiners can be, it is sometimes not entirely possible to be certain of the results. In the Obama Birth Certificate controversy, the document was examined right down to the binary code to try to determine if it was fake or not. There is still some doubt about its validity based on the metadata found in the PDF that the White House provided.
Figure 22: Left: Validly signed PDF. Right: Altered PDF, filtered through Photoshop, after the headline was removed.
WorldNetDaily writer Jerome Corsi posted a PDF document based on research conducted by co-conspiracy theorist, Garrett Papit, that makes a case that, even though the PDF producer was identified as a non-Adobe producer, it is possible that an earlier iteration, before it was “Saved As…” by the White House from Mac Preview, could have been manipulated with an Adobe program, such as Illustrator. Papit conducted an experiment in which he took a Hawaiian birth certificate, manipulated it with Illustrator and saved it as a PDF through Mac Preview to show that no Adobe metadata was retained (Papit, 2012).
Figure 23: Metadata shows the PDF Producer for each document is different, indicating that it had been altered.
Papit and Corsi, along with Sheriff Arpaio and Donald Trump, have been using the “fraudulent birth certificate” against President Obama for years simply to
make political points and feed their conspiracy-crazed ideals. Common citizens
and forensic examiners can use Adobe software for many benign purposes, but the
tools themselves can be perverted to present a political view of the user’s choosing. This tactic can easily backfire, however. Now that Donald Trump is himself
a presidential candidate, he has been asked to provide his long-form birth certificate, just as he demanded from President Obama. Trump refused (Gabbatt,
2015). Trump staffer Michael Cohen responded to the Guardian’s request for the document by saying the paper was trying to “be funny” and that the request was “stupid”
(Gutentag, 2015). Donald John Trump claims to have been born June 14, 1946, in
Queens, New York. Whether he was or wasn’t we may never know, but a new army
of Adobe-armed cybersleuths will be ready to take up the call and analyze every
pixel and string of code in any document Trump may produce.
ColdFusion
Websites are built with a variety of tools. WordPress, Joomla, Drupal, straight HTML coded with Notepad, development tools such as Dreamweaver, or even print-based programs such as QuarkXPress, and ColdFusion are some tools used for website development. There are several
methods that can be used to determine how a website was built. One method is with the free online tool, BuiltWith. By entering the URL of the target
website, BuiltWith will produce a report that shows the website’s framework,
server, email service, advertising, analytics JavaScript libraries, mobile, video, widgets, and more.
Entering “Utica.edu” returns a report that shows that the site uses a ColdFusion framework. It shows that Utica.edu uses SWFObject, a small JavaScript file used for embedding Adobe Flash content, as well. By viewing the detailed report, it is noted that Utica.edu first used ColdFusion in January 2011 and it has been in use for four years. BuiltWith also shows comparison and general usage of the selected tool. The report shows a decline in ColdFusion sites and that only 0.1% of the entire Internet is using ColdFusion (219,712 of 328,854,228). By comparison, viewing a report of a website (Macharyas.com), created with the more popular web tool, WordPress, shows an increase in use and 5% of the Internet using WordPress (16,380,242 of 328,854,228) (“UTICA.EDU Technology Profiler,” 2015).
Another method of determining how a site was built is by examining the
source code. Showing a site’s source code is a function of the browser. Apple
OSX Firefox users can open a window showing the source code by entering
command-U. By looking through the code, or by searching for a specific string,
the framework can easily be determined. Searching through the source code of Utica.edu finds the extension “.cfm,” for example in this string: <a id="header_C00F8FD8-E9B7-9AAE-1157C5D8D369EF89" href="/college/students.cfm" class="showheader showheaderfocus">Students</a>. Searching the code for all instances of “.cfm” returns 62 results. This is the extension used by ColdFusion (“.CFM File Extension,” 2011).
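The manual view-source check just described, done programmatically, as an added example that is not from the capstone or from BuiltWith. It counts the server-side page extensions that links and form actions point at and looks for the SWFObject loader, so a site owner can inventory what their own pages reveal about the platform behind them. SAMPLE_HTML is constructed: the first anchor is the one quoted from Utica.edu above, the rest is filler; the extension-to-platform table is a plain assumption about common conventions.

```python
"""Fingerprint the server-side platform of a page from its HTML source.

Added example (not from the capstone, not BuiltWith). It automates the manual
search for ".cfm" links and the SWFObject include described in the text.
SAMPLE_HTML is constructed; only the first anchor is the one quoted from Utica.edu.
"""
import re
from collections import Counter

SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Constructed sample page</title>
<script type="text/javascript" src="/js/swfobject.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<a id="header_C00F8FD8-E9B7-9AAE-1157C5D8D369EF89" href="/college/students.cfm" class="showheader showheaderfocus">Students</a>
<a href="/college/faculty.cfm">Faculty</a>
<a href="/about/index.cfm?section=history">History</a>
<a href="/news/index.php">News</a>
<form action="/search.cfm" method="get"><input name="q"></form>
<script>swfobject.embedSWF("/media/banner.swf", "banner", "728", "90", "9.0.0");</script>
</body></html>
"""

# Server-side page extensions and the platform they conventionally indicate (assumption).
EXTENSIONS = {".cfm": "ColdFusion", ".cfc": "ColdFusion", ".php": "PHP",
              ".aspx": "ASP.NET", ".jsp": "Java servlets"}


def extension_counts(html):
    """Count URLs in href/action/src attributes per known server-side extension."""
    counts = Counter()
    for url in re.findall(r'(?:href|action|src)\s*=\s*"([^"]*)"', html, re.I):
        path = url.split("?", 1)[0].split("#", 1)[0]  # drop query string and fragment
        m = re.search(r"(\.[a-z0-9]+)$", path, re.I)
        if m and m.group(1).lower() in EXTENSIONS:
            counts[m.group(1).lower()] += 1
    return counts


def uses_swfobject(html):
    """True if the page loads or calls the SWFObject Flash-embedding library."""
    return re.search(r"swfobject(\.js|\.embedSWF)", html, re.I) is not None


def fingerprint(html):
    """Guess the platform from the dominant extension and note embedded Flash."""
    counts = extension_counts(html)
    top = counts.most_common(1)
    return {
        "framework": EXTENSIONS[top[0][0]] if top else "unknown",
        "extension_counts": dict(counts),
        "flash_embed": uses_swfobject(html),
    }
```

On the sample, ".cfm" dominates (four hits to one ".php"), so the guess is ColdFusion, and the SWFObject include flags Flash content that the Flash section above discusses; a mixed result, or none of the known extensions at all, is the common case for sites behind a CMS or a CDN, where only the BuiltWith-style header and script analysis gives an answer.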
InDesign
Many publications, such as Selling Power, The American Spectator and Today’s Campus switched from QuarkXPress to InDesign in the early 2000s. InDesign hasn’t presented the forensic challenges that PDFs, Flash, ColdFusion and Photoshop have, but it is interesting to note that, even in this seemingly innocuous program, there is metadata embedded that can be analyzed. Editors and publishers can use this metadata to keep track of their employees’ work as the InDesign file is modified (Wheeler, 2008). Figure 24 shows the September 2013 cover of The American Spectator magazine InDesign file. Viewing the metadata (“Adobe InDesign Component Information”) by holding down the command key and selecting “About InDesign,” it is clear that this document was originally created in July 2012 and modified several times. This could be an indication of another’s work being appropriated and modified and passed off as original work. This form of evidence would need to be corroborated with work orders, time clocks, emails, etc.
Figure 24: Metadata derived from Adobe InDesign file.
Adobe software continues to expand and it becomes increasingly embedded
in our lives much the same as Microsoft and Google have become. Many people
just aren’t aware of it, though. People may have heard of Flash and PDF, and maybe know someone who uses Illustrator or InDesign, but Adobe reaches far and
wide. Many people do not realize how often they use Adobe programs. Even people who use some Adobe products for their work, such as InDesign and Photoshop, may not realize that they use more Adobe products elsewhere, such as Flash,
PDFs and ColdFusion and are exposed to the exploits inherent in those programs.
The Adobe Marketing Cloud, and its 2011 acquisition of Nitobi’s PhoneGap (a
framework that allows developers to create mobile applications using JavaScript,
HTML5 and CSS3), make Adobe a huge, unseen force, from the desktop to the
printed page, to the screen on the latest smartphone (Koetsier, 2015).
Future Research and Recommendations
This report covers a small portion of Adobe programs, systems, and corporate-customer relations and the threats that can be introduced into all those components. Adobe products are grouped into “suites.” Each suite is tailored to a specific purpose. As of this writing, Adobe suites consist of Adobe Marketing Cloud, Adobe Creative Suite, Adobe Creative Cloud, Adobe Technical Communication Suite, Adobe eLearning Suite, and Adobe’s discontinued,
but still used, programs such as PageMaker, FreeHand, GoLive, Streamline and
ImageReady (see Appendix B). Within these suites are the individual programs.
For example, the Adobe Marketing Cloud contains Experience Manager, Adobe
Analytics, Adobe Media Optimizer, Adobe Campaign, Adobe Target, and Adobe Social. All of these programs and modules can be used to introduce threats to
consumers and are used for nefarious purposes that contain important forensic
information that examiners can extract if they know how to parse the information
(“List of Adobe software,” 2015).
In October 2014, Adobe launched a suite of programs for use on mobile devices, beginning with Apple’s iOS. These “Capture” apps allow mobile device
users to experience Adobe programs on phones and tablets. The worked performed on the devices are non-destructive, with the original versions retained
in the Adobe Cloud. The results can then be integrated with desktop versions of
Adobe software, such as Photoshop. The mobile apps are offered free of charge,
but to use them an Adobe ID is required. As more people become Adobe users,
the risk for exploits grows along with it. Adobe has suffered catastrophic breaches in the past with its desktop-based and Cloud storage systems and mobile device usage for the masses will only expand that threat. Writing for Forbes, Anthony Wing Kosner shares this scenario:
his report covers a small portion
Imagine (as I am sure Adobe is) that your nine-year-old who loves Instagram starts using one of the new Adobe apps. Her Adobe ID will
become her portfolio and keepsake of her early creative development.
As she hones her skills, it may also help her get into college or land her
first job or freelance gig. (Kosner, 2014)
In June 2015, Adobe expanded their mobile device collection further by introducing Creative Cloud mobile apps for Android devices through the Google
Play app store. Formerly only available on Apple iOS, Android users can now
use Color CC, Photoshop Mix, Brush CC and Shape CC. With the inclusion
of Android devices, Adobe is now available on virtually any device worldwide,
which has far-reaching consequences for exploits in the United States and
abroad (Dove, 2015).
Photoshop will play an increasingly larger role in the future as 3D printing grows in popularity. Adobe has added new 3D features to Photoshop and
the future can only promise more. The newest version of Photoshop includes
3D mesh simplification for processing and performance improvements, 3D
bump maps for adding texture, and the ability to edit 3D color, which has been
a problem due to incompatibility with vertex colors, which are contained in
most 3D scans (Millsaps, 2015). Vertex colors, or “vcolor,” are RGB colors
with an added alpha channel that can be applied to every vertex of a mesh.
“Nerseus” explains on the IMVU 3D Social Network forum:
With vertex colors, you can “paint” on your model, and it will influence
the colors put on by the texture map. You could, for example, put one
texture on two walls but have each get different shadows. Or you could
model a lamp in the corner of your room and have it put “light” on the
wall. (Nerseus, 2011)
Photoshop is an essential tool for investigators to use in analyzing photographs. Even if the photos are of poor quality, a trained Photoshop user can
enhance the image in numerous ways by sharpening details, reducing shadows,
reducing blur or noise, or zooming, amongst others. Adobe software is more
than just what Adobe “ships in the box.” Plug-ins extend the products and
customize them for each individual’s use. As industries increasingly use Adobe software for their purposes, and hackers and criminals use the software for
their criminal purposes, Adobe software will need to be examined forensically
for many years. There are plug-ins available that can be added to Photoshop to
increase its usefulness to forensic examiners. Existing plug-ins, and plug-ins
not yet developed, are areas that will require future and sustained study.
One such plug-in is ClearID. ClearID is a non-destructive plug-in and can be
used to analyze stills and video. ClearID also hashes images automatically with
a SHA-1 hash for verification. ClearID is part of the dTective suite of tools that
can analyze many forms of image media (“ClearID Image Clarification for
Adobe Photoshop,” 2015).
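The non-destructive, hash-on-ingest workflow that ClearID is described as following can be reproduced outside the plug-in. The Python below is an added example, not ClearID or dTective code: it records a SHA-1 for the original (as the page says ClearID does) and, as an added precaution, a SHA-256 alongside it, applies an enhancement only to a copy, records the derivative’s hash together with its parent’s, and later verifies every file against the record. The case id, file names, the 16x16 raster standing in for an evidence image and the brighten transform are all constructed for the demonstration.

```python
import hashlib
import json

def digest(data: bytes) -> dict:
    """SHA-1, as the page says ClearID records, plus SHA-256: practical SHA-1
    collisions exist, so a second, stronger hash is cheap insurance for the record."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def new_manifest(case_id: str, original_name: str, original: bytes) -> dict:
    """Start an evidence record for the untouched original file."""
    return {"case": case_id,
            "original": {"name": original_name, **digest(original)},
            "derivatives": []}

def derive(manifest: dict, original: bytes, out_name: str, operation: str, transform) -> bytes:
    """Apply an enhancement to a COPY of the original and record the result.
    bytearray() copies the data, so the original bytes are never modified:
    that is the non-destructive property the page attributes to ClearID."""
    result = bytes(transform(bytearray(original)))
    manifest["derivatives"].append({"name": out_name, "operation": operation,
                                    "parent_sha256": manifest["original"]["sha256"],
                                    **digest(result)})
    return result

def verify(manifest: dict, files: dict) -> list:
    """Return the names of files that no longer match their recorded hashes."""
    bad = []
    for entry in [manifest["original"], *manifest["derivatives"]]:
        data = files.get(entry["name"])
        if data is None or digest(data) != {"sha1": entry["sha1"], "sha256": entry["sha256"]}:
            bad.append(entry["name"])
    return bad

# Constructed sample: a 16x16 8-bit greyscale raster standing in for an evidence image.
ORIGINAL = bytes((x * 13 + y * 7) % 256 for y in range(16) for x in range(16))

def brighten(buf: bytearray, amount: int = 40) -> bytearray:
    """Toy 'enhancement' (an assumption for the demo): raise every pixel, clamped at 255."""
    for i, v in enumerate(buf):
        buf[i] = min(255, v + amount)
    return buf

def demo():
    """Ingest the original, produce one derivative, return the record and the files."""
    manifest = new_manifest("CASE-0001", "scene.raw", ORIGINAL)
    enhanced = derive(manifest, ORIGINAL, "scene_bright.raw", "brighten +40", brighten)
    return manifest, {"scene.raw": ORIGINAL, "scene_bright.raw": enhanced}

if __name__ == "__main__":
    manifest, files = demo()
    print(json.dumps(manifest, indent=2))
    print("integrity failures:", verify(manifest, files))
```

Any later edit to the original, even a single byte, shows up as an integrity failure, while the derivative remains traceable to the original through `parent_sha256`.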
The “Color Deconvolution” plug-in for Photoshop is used to recover erased
text, simulate infrared photography and remove stains in photo restoration cases. The “Warping” plug-in can change the perspective of a scene. For example,
an image of a parking lot taken from the vantage point of a truck can be altered
to show the vantage point from higher up, such as from a drone. The “Fourier
Transform” plug-in is useful for removing periodic patterns, such as halftone
screens. When applied to an image of a fingerprint, the image can be enhanced
when repeated pattern distortions are removed. The “Digitization” plug-in is
valuable for document analysis. For example, a copied document can be examined and the Digitization plug-in can be used to create coordinates of specks on
the image that can then be matched up to a suspected copier used for nefarious
purposes. It can also be used to compare printer output to determine whether a
suspected printer was used (“4N6site.com Forensic Photoshop Plug-ins,” n.d.).
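To show what the Fourier Transform plug-in’s removal of a periodic pattern actually does, here is an added Python example (not the 4N6site plug-in’s code) on one constructed scan line: a smooth image signal with an 8-pixel halftone-like ripple and a little noise is transformed, the isolated spectral peak is located, that bin and its mirror are zeroed, and the line is transformed back. The signal, the ripple period and the peak-detection threshold are assumptions for the demonstration; a real tool does the same thing on the two-dimensional spectrum of the whole image.

```python
import cmath
import math
import random

def dft(x):
    """Naive O(N^2) discrete Fourier transform; adequate for a short scan line."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]

def idft(spectrum):
    """Inverse DFT; the real part is exact because the spectrum stays Hermitian."""
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]

def find_periodic_peaks(spectrum, min_bin=4, ratio=10.0):
    """Bins in [min_bin, N/2] whose magnitude is far above the mean of that band.
    Low bins are skipped because they carry the image's own smooth content,
    not the screen; the threshold ratio is an assumption for this demo."""
    n = len(spectrum)
    band = {k: abs(spectrum[k]) for k in range(min_bin, n // 2 + 1)}
    mean = sum(band.values()) / len(band)
    return sorted(k for k, m in band.items() if m > ratio * mean)

def notch(spectrum, bins):
    """Zero each bin and its mirror so the inverse transform remains real."""
    n = len(spectrum)
    out = list(spectrum)
    for k in bins:
        out[k] = 0j
        out[(n - k) % n] = 0j
    return out

def remove_periodic_pattern(samples, min_bin=4, ratio=10.0):
    """Detect and notch the periodic peaks; returns (cleaned samples, notched bins)."""
    spectrum = dft(samples)
    peaks = find_periodic_peaks(spectrum, min_bin, ratio)
    return idft(notch(spectrum, peaks)), peaks

def make_sample_scanline(n=64, period=8, seed=1):
    """Constructed input: smooth content + a halftone-like ripple + light sensor noise.
    Returns (observed line, the clean content it should reduce to)."""
    rng = random.Random(seed)
    base = [120 + 30 * math.cos(2 * math.pi * t / n) for t in range(n)]
    screen = [20 * math.cos(2 * math.pi * (n // period) * t / n) for t in range(n)]
    noise = [rng.uniform(-1, 1) for _ in range(n)]
    return [b + s + e for b, s, e in zip(base, screen, noise)], base

if __name__ == "__main__":
    observed, base = make_sample_scanline()
    cleaned, peaks = remove_periodic_pattern(observed)
    print("notched bins:", peaks)
    print("worst deviation before:", max(abs(o - b) for o, b in zip(observed, base)))
    print("worst deviation after: ", max(abs(c - b) for c, b in zip(cleaned, base)))
```

A notch removes whatever the image itself had at that frequency, not only the screen, so the filter belongs on a working copy while the original stays hashed and untouched, as described for ClearID above.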
Photoshop is a useful tool for cyberbullies. Summer Bias, writing for AOL
Digital Matters, explains how Photoshop can be used as a tool of cyberbullying:
Thanks to mobile texting, blogs and social networking, the spread of information is so fast, easy and free that it makes the hallway gossip of
yesteryear look downright archaic. Kids don’t have to wait for a story
to pass from one person to another (to another) anymore. They can tell
one story to a thousand people with one single click. And, instead of just
whispering about who did what with whom, kids can now post photos or
videos of the act—easily obtained with cell phone cameras and possibly
manipulated with tools such as PhotoShop. (Bias, 2012)
Parents can use Photoshop to “shame” their own children as well. Akron,
Ohio, mother Denise Abbott did just that to her 13-year-old daughter Ava,
for airing her gripes on Facebook. Abbott used Photoshop to post an image
of Ava with a red “X” placed over her mouth with the following text: “I do
not know how to keep my (mouth shut). I am no longer allowed on Facebook
or my phone. Please ask why. My mom says I have to answer everyone that
asks” (Hinduja, 2012).
Criminals, forensic analysts, designers, photographers and regular people
trying to prove a point use Photoshop. In many instances, it is obvious that
there is criminal intent, but there are also many cases, such as the Abbott case,
in which Photoshop is used for personal retaliation, sometimes directed at family
matters. A complete study of Photoshop’s uses, from criminal intent to personal
gripes, cyberbullying, and shaming is an area worthy of additional study.
Photoshop’s use can also have unintended consequences. With all the best of
intentions, sometimes the use of Photoshop can be taken too far. An all-girls’
high school yearbook photo of Reddit user “love_a_good_ood” was altered to a
degree that the student lashed out on social media (see Figure 25). Writing on
Reddit, she posted:
I have a round face that I have grown to love and now I get my photo
back with a different face. The new photo no longer even looks like me
but rather a prettier twin sister. (Mastroeni, 2015)
Figure 25: Photoshop used to alter high school yearbook photo.
The psychological impact of Photoshop’s results would make an interesting subject for a psychological study. Users of Photoshop will intentionally subvert an
image for criminal intent, but sometimes there are unintended consequences.
The impact of Photoshop’s results on society is an area that can be studied further. Photoshop is so insidious that many people do not realize how it has been
used throughout history to alter reality or manipulate perception, as well as to
retaliate against one’s enemies.
Adobe products are available for Windows and Apple OS and are considered
the de facto programs for creating many forms of documents and creative communications. However, this does not mean that the results created from these
products cannot be achieved by using other programs. There are several open
source programs that work almost identically to Adobe programs. Open Office
and Libre Office are open source programs that can be used in almost the same
way as Microsoft Office, but without the cost.
Open source tools are also available that “mimic” Adobe products.
GIMP is an open source alternative to Photoshop. Although it does not currently support Pantone colors and there is no formal training or certifications for
GIMP users, GIMP is free. GIMP uses much less hard disk space and is compatible with Windows, Mac OS and Linux. GIMP can work with file formats such
as JPG and PNG just as Photoshop can, but its native file extension is XCF as
opposed to Photoshop’s PSD (Mikoluk, 2013).
Scribus is an open source alternative to InDesign (or QuarkXPress). It performs similarly to InDesign and can be used to create material much in the same
way. Although not in wide use for larger projects, Scribus is an acceptable option
for smaller projects, such as brochures and menus. Scribus does feature the ability to export PDFs with animation and interactive features. Although users cannot import native InDesign or QuarkXPress files, Scribus does support importing Microsoft Publisher files. Scribus native files use SLA as the file extension,
whereas InDesign uses INDD. Scribus runs on Windows, Mac OS and Linux, as
well, and like GIMP, it’s free (Huang, 2013).
Knowing about and learning how to use these open source tools is important
for forensic examiners and law enforcement. When faced with a hard drive full
of evidence, it may be easy to overlook a file with a name such as “badguy.xcf”
and not realize that this is an image file that can be easily opened with GIMP.
Or, when searching for an incriminating document, an examiner might overlook “ransomnote.sla” without realizing that the suspect was using Scribus for his criminal
enterprise. It is also important to use these programs to try to open files that
cannot be opened otherwise, such as using Scribus to open Microsoft Publisher
files. In certain circumstances, a similar program can open a file type that the
“go-to” program cannot. Learning these programs will enable examiners and
law enforcement to make quicker and more logical decisions when faced with
unusual files. Adobe’s large number of programs produce a large number of file
extensions. Many of these would be unknown to a forensic examiner, and many
could have been produced by discontinued programs. Adobe’s discontinued
website-building program, GoLive, produces a SITE extension (“File Extension
.SITE Details,” n.d.). A complete list of the file extensions produced by supported
and unsupported Adobe programs should be compiled for easy reference.
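One way to keep a “badguy.xcf” or “ransomnote.sla” from being skipped is to identify files by content rather than by name. The Python below is an added example, not code from the paper or from any of the tools it names: it sniffs a few well-known leading byte signatures (Photoshop PSD/PSB, GIMP XCF, PDF, the three SWF variants and the Scribus XML document element), compares the result with the file extension, and reports mismatches and files it cannot place. The signature table is a constructed subset, the sample headers are constructed, and the function names are my own.

```python
import os

# Constructed signature table (a subset, not from the paper): leading bytes that
# identify the container no matter what name the file was given.
MAGIC = [
    (b"8BPS", "Photoshop document", {".psd", ".psb"}),
    (b"gimp xcf ", "GIMP image", {".xcf"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"FWS", "Flash movie (uncompressed SWF)", {".swf"}),
    (b"CWS", "Flash movie (zlib-compressed SWF)", {".swf"}),
    (b"ZWS", "Flash movie (LZMA-compressed SWF)", {".swf"}),
]

def sniff(header: bytes):
    """Return (description, expected extensions) from the first bytes, or None."""
    for magic, desc, exts in MAGIC:
        if header.startswith(magic):
            return desc, exts
    # Scribus layouts are XML, so look for the document element instead of a fixed offset.
    if header.lstrip().startswith(b"<?xml") and b"<SCRIBUSUTF8" in header:
        return "Scribus layout", {".sla"}
    return None

def classify(name: str, header: bytes) -> dict:
    """Compare what the bytes say the file is with what its extension claims."""
    ext = os.path.splitext(name)[1].lower()
    hit = sniff(header)
    if hit is None:
        return {"name": name, "ext": ext, "type": None, "status": "unknown-content"}
    desc, exts = hit
    return {"name": name, "ext": ext, "type": desc,
            "status": "match" if ext in exts else "extension-mismatch"}

def scan_directory(root: str, head: int = 4096) -> list:
    """Classify every regular file under root by its first `head` bytes."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                results.append(classify(path, f.read(head)))
    return results

def worth_a_look(results: list) -> list:
    """Entries an examiner should not skip: misnamed files and anything unidentified."""
    return [r for r in results if r["status"] != "match"]

# Constructed sample headers standing in for files on a seized drive.
SAMPLES = [
    ("badguy.xcf", b"gimp xcf v011\x00" + b"\x00" * 16),
    ("ransomnote.sla", b'<?xml version="1.0" encoding="UTF-8"?>\n<SCRIBUSUTF8NEW Version="1.4.5">'),
    ("notes.txt", b"8BPS\x00\x01" + b"\x00" * 20),   # a PSD renamed to look harmless
    ("flyer.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("blob.dat", b"\x00\x01\x02\x03"),
]

def demo() -> list:
    return [classify(name, header) for name, header in SAMPLES]

if __name__ == "__main__":
    for r in demo():
        print(f"{r['name']:<16} {r['status']:<19} {r['type']}")
```

On a real image the same check runs with `scan_directory(mount_point)`; the table is easy to extend with signatures for other Adobe and open-source formats as they are encountered.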
References
4N6site.com Forensic Photoshop Plug-ins. (n.d.). Retrieved from https://dl.dropboxusercontent.com/u/6795661/4N6site/main.htm
Adobe – PageMaker Support Center. (n.d.). Retrieved from https://www.adobe.com/support/products/pagemaker.html
Adobe products | Adobe. (2015, July 4). Retrieved from http://www.adobe.com/products/catalog.html
Adobe Systems Inc - Early History: Warnock And Geschke. (n.d.). Retrieved from http://ecommerce.hostip.info/pages/4/Adobe-Systems-Inc-EARLY-HISTORY-WARNOCK-GESCHKE.html
Anthony, S. (2013, May 13). Was the 2013 World Press Photo of the Year faked with Photoshop, or merely manipulated? Retrieved from http://www.extremetech.com/extreme/155617-how-the-2013-world-press-photo-ofthe-year-was-faked-with-photoshop
Arogundade, B. (n.d.). Black History 1994: The O.J. Simpson Criminal Murder Case Trial - “Time” Cover Deliberately Darkened Mugshot. Retrieved from http://www.arogundade.com/oj-simpson-murder-trial-case-time-and-newsweek-magazine-cover-controversy-1994-oj-simpson-photo-manipulation.html
Baron, C. (2008). Adobe Photoshop Forensics: Sleuths, Truths, and Fauxtography. Boston, Massachusetts: Thomson Course Technology. Retrieved from http://eds.b.ebscohost.com/ehost/ebookviewer/ebook/bmxlYmtfXzI2MzM2M19fQU41?sid=990b8d49-9676-46b4-90ab-6e07c81f6db5@sessionmgr113&vid=0&format=EB&lpid=lp_vi&rid=0
Beeck, C., Matrosov, A., Paget, F., Peterson, E., Pradeep, A., Schmugar, C., … Wosotowsky, A. (2015). McAfee Labs Threats Report. Santa Clara, California: Intel Security. Retrieved from http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf
Belcher, P. (2014, July 14). Glenn Beck’s The Blaze Site Serving Malicious Ads. Retrieved June 30, 2015, from http://www.invincea.com/2014/07/glennbecks-the-blaze-site-serving-malicious-ads/
Bias, S. (2012, July 31). Cyberbullying - Cliques Who Click. Retrieved from http://blog.lifestore.aol.com/2012/07/31/cyberbullying-cliques-who-click/
Brodkin, J. (2011, December 9). Chrome sandboxing makes it the most secure browser, vendor study claims. Retrieved from http://arstechnica.com/business/news/2011/12/chrome-sandboxing-makes-it-the-most-securebrowser-vendor-study-claims.ars
Campbell, C. (2015, May 12). 5/12/2015 - Release - Flash Player 17. Adobe Communities. Retrieved from https://forums.adobe.com/thread/1843037
.CFM File Extension. (2011, March 2). Retrieved from http://fileinfo.com/extension/cfm
ClearID Image Clarification for Adobe Photoshop. (2015, May 12). Retrieved from http://www.oceansystems.com/forensic/forensic-Photoshop-Plugins/index.php
Conspiracy, D. (2011, May 31). Reply to Douglas Vogt. Retrieved from http://www.obamaconspiracy.org/2011/05/reply-to-douglas-vogt/
Cova, M., Kapravelos, A., Fratantonio, Y., Kruegel, C., & Vigna, G. (n.d.). Wepawet [Browser]. The Regents of the University of California. Retrieved from http://wepawet.iseclab.org./
Crowsey, R. (n.d.). State v Swinton Sets New Guidelines for Computerized Evidence (p. 1). Hattiesburg, Mississippi: Crowsey, Inc. Retrieved from http://www.crowsey.com/newsSub.php?news_id=2
Current PDF Threats. (2014, August 14). Retrieved from http://www.malwaretracker.com/pdfthreat.php
Cybersecurity complacency a leading cause of data breaches. (2014, July 31). Retrieved from http://blog.trendmicro.com/cybersecurity-complacency-a-leading-cause-of-data-breaches/
Danchev, D. (2011, March 3). Report: malicious PDF files becoming the attack vector of choice. Retrieved from http://www.zdnet.com/article/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/
Dillet, R. (2012, December 21). Adobe Acquired Portfolio Service Behance For More Than $150 Million In Cash And Stock. Retrieved from http://social.techcrunch.com/2012/12/21/adobe-acquired-portfolio-service-behancefor-more-than-150-million-in-cash-and-stock/
Discover new dimensions in digital imaging. (n.d.). Retrieved from http://www.rockymountaintraining.com/class_photoshop_forensics.php
Discover the Creative Cloud 2015 experience. (2015, July 4). Retrieved from https://creative.adobe.com/plans
Dove, J. (2015, June 16). Adobe launches its first Creative Cloud mobile apps on Android. Retrieved from http://thenextweb.com/apps/2015/06/15/adobe-launches-its-first-creative-cloud-mobile-apps-on-android/
Ducklin, P. (2013, November 4). Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder. Retrieved from https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
Du, M. (2013, November 5). Malicious PDF Analysis Evasion Techniques. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdf-analysis-evasion-techniques/
Duncan, G. (2012, August 17). Adobe Flash for Android: Gone with barely a whimper. Retrieved from http://www.digitaltrends.com/mobile/adobeflash-for-android-gone-with-barely-a-whimper/
Fallon, K. (2012, November 27). Fooled by “The Onion”: 9 Most Embarrassing Fails. Retrieved from http://www.thedailybeast.com/articles/2012/09/29/fooled-by-the-onion-8-most-embarrassing-fails.html
Famous Photoshopped Fakes. (n.d.). Retrieved from http://www.foxnews.com/photoessay/0,4644,6636,00.html/#/photoessay/image/0220091154_M_fakes_tourist_guy-jpg
Farid, H. (2011, August 10). Image Authentication and Forensics | Fourandsix Technologies - Blog - Enhance – no, really. Retrieved from http://www.fourandsix.com/blog/2011/8/10/enhance-no-really.html
FotoForensics. (n.d.). Hacker Factor. Retrieved from http://fotoforensics.com/
Gafford, R. (1958). The Operational Potential of Subliminal Perception. Retrieved from https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol2no2/pdf/v02i2a07p.pdf
Gallagher, S. (2013, April 16). ColdFusion hack used to steal hosting provider’s customer data. Retrieved from http://arstechnica.com/security/2013/04/coldfusion-hack-used-to-steal-hosting-providers-customer-data/
Gaza Burial, by Paul Hansen. (n.d.). Retrieved from http://www.worldpressphoto.org/collection/photo/2013/spot-news/paul-hansen
Girard, D. (2014, January 14). How QuarkXPress became a mere afterthought in publishing. Retrieved from http://arstechnica.com/information-technology/2014/01/quarkxpress-the-demise-of-a-design-desk-darling/
Gitelman, L. (2014). Paper Knowledge: Toward a Media History of Documents. Duke University Press.
Goodin, D. (2015, February 4). As Flash 0day exploits reach new level of meanness, what are users to do? Retrieved from http://arstechnica.com/security/2015/02/as-flash-0day-exploits-reach-new-level-of-meannesswhat-are-users-to-do/
Greenberg, A. (2009, December 12). The Year’s Most-Hacked Software. Retrieved June 1, 2015, from http://www.forbes.com/2009/12/10/adobe-hackers-microsoft-technology-cio-network-software.html
Guthrie, C., & Mitchell, B. (2007, September 26). THE SWINTON SIX: THE IMPACT OF STATE v. SWINTON ON THE AUTHENTICATION OF DIGITAL IMAGES. Stetson Law Review. Retrieved from http://www.stetson.edu/law/lawreview/media/the-swinton-six-the-impact-of-state-v-swinton-on-the-authentication-of-digital-images.pdf
Harley, R. (n.d.). James Vicary: Experiment & Overview. Retrieved from http://study.com/academy/lesson/james-vicary-experiment-lesson-quiz.html
Harshbarger, W. (2008, August 8). Fraudulent CNN emails contain links to Trojan. Retrieved from http://www.purdue.edu/SecurePurdue/news/2008/Fraudulent-CNN-emails-contain-links-to-Trojan.cfm
Hasidic Newspaper Photoshops Hillary Clinton Out Of Iconic Picture. (2011, May 9). Retrieved from http://www.huffingtonpost.com/2011/05/09/hillary-clinton-der-tzitung-removed-situation-room_n_859254.html
Haugech. (2015, April 29). Forensic Scientist III/Quality Assurance Specialist–Latent Print Examiner Saint Paul Police Department Forensic Services Unit Position Profile. City of St. Paul, Minnesota. Retrieved from http://www.stpaul.gov/DocumentCenter/View/78532
Higgins, K. (2013, October 7). Hacking The Adobe Breach. Retrieved from http://www.darkreading.com/attacks-breaches/hacking-the-adobebreach/240162362
Hinduja, S. (2012, May 1). Cyberbullying Your Own Kids to Punish Them. Retrieved from http://cyberbullying.us/cyberbullying-your-own-kids-topunish-them/
Hoerricks, J. (2008). Forensic Photoshop. Jim Hoerricks. Retrieved from http://www.blurb.com/b/196812-forensic-photoshop
Hoffman, C. (2014, January 8). Why Browser Plug-Ins Are Going Away and What’s Replacing Them. Retrieved from http://www.howtogeek.com/179213/why-browser-plug-ins-are-going-away-and-whats-replacingthem/
Hughes, D. (n.d.). Adobe ColdFusion for the Web Developer. Retrieved from http://www.htmlgoodies.com/primers/database/article.php/3756161/Adobe-ColdFusion-for-the-Web-Developer.htm
Jackson, V. (2013, December 13). Mysterious Death Related to Obama’s Fake Birth Certificate. Retrieved from http://victoriajackson.com/10252/mysterious-death-related-obamas-fake-birth-certificate
Key, W. (1974). Subliminal Seduction. Signet.
Koetsier, J. (2014, March 25). Adobe turns marketing cloud up to 11 with massive update, SAP deal, new mobile tools. Retrieved from http://venturebeat.com/2014/03/25/adobe-turns-marketing-cloud-up-to-11-withmassive-update-sap-deal-new-mobile-tools/
Koetsier, J. (2015, January 28). How Adobe is embedding its marketing cloud into thousands of mobile apps—and soon more. Retrieved from http://venturebeat.com/2015/01/28/how-adobe-is-embedding-its-marketingcloud-into-thousands-of-mobile-apps-and-soon-more/
Kosner, A. (2014, October 9). Adobe Launches Free Mobile Apps As Gateway To Creative Professions. Retrieved from http://www.forbes.com/sites/anthonykosner/2014/10/09/adobe-launches-free-mobile-apps-as-gatewayto-creative-professions/
Krawetz, N. (2009, November 2). Body By Victoria. Retrieved from http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html
Krebs, B. (2013, October 29). Adobe Breach Impacted At Least 38 Million Users—Krebs on Security. Retrieved from http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
Krebs, B. (2014a, March 4). Thieves Jam Up Smucker’s, Card Processor. Retrieved from http://krebsonsecurity.com/2014/03/thieves-jam-up-smuckers-card-processor/
Krebs, B. (2014b, March 17). The Long Tail of ColdFusion Fail. Retrieved from http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
Krebs, B. (2015, March 12). Adobe Flash Player — Krebs on Security. Retrieved from http://krebsonsecurity.com/tag/adobe-flash-player/
Leurs, L. (2013, August 9). The History of PDF. Retrieved from http://www.prepressure.com/pdf/basics/history
Levin, A. (2014, February 13). Why the Adobe Hack Scares Me—And Why It Should Scare You. Retrieved from http://www.huffingtonpost.com/adam-levin/why-the-adobe-hack-scares_b_4277064.html
Lightstream. (2008, August 7). VIRUS WARNING—CNN top ten news stories serving up a trojan. Retrieved from http://freedomcrowsnest.wizardofthenorth.ca/viewtopic.php?f=1&t=73461
List of Adobe software. (2015, April 12). In Wikipedia, the free encyclopedia. Retrieved from https://en.wikipedia.org/w/index.php?title=List_of_Adobe_software&oldid=656098746
Macharyas, J. (2015, March 8). Forensics of Adobe Software. Retrieved from http://www.macharyas.com/2015/03/forensics-of-adobe-software/
Madrigal, A. C. (2012, April 3). Flash and the PDF: Computing’s Last Great and Now Endangered Monopolies. The Atlantic. Retrieved from http://www.theatlantic.com/technology/archive/2012/04/flash-and-the-pdfcomputings-last-great-and-now-endangered-monopolies/255403/
Mostreni, T. (2015, January 12). Student Fires Back After Yearbook Company Completely Alters Her Face With Photoshop. Retrieved from http://www.pixable.com/article/yearbook-company-high-school-photoshop-70805/?utm_medium=partner&utm_source=facebook&utm_campaign=pixsesocial&ts_pid=2
McGladrey LLP. (2011). A New PDF Standard (Case Study) (p. 4). Minneapolis, Minnesota. Retrieved from http://www.adobe.com/showcase/casestudies/mcgladreydyn/casestudy.pdf
Meyer, G., & Massoudi, A. (2012, July 13). Wasendorf suicide note details fraud. Financial Times. Retrieved from http://www.ft.com/cms/s/0/a4e46d74-cd16-11e1-92c1-00144feabdc0.html#axzz3dtpOyisl
M, I. (2010, July). The Evolution of Adobe Flash: From 1996 to 2010. Retrieved from http://www.pxleyes.com/blog/2010/07/evolution-of-flashfrom-1996-to-2010/
Millsaps, B. (2015, April 17). Photoshop CC: Adobe Announces 3D Enhancements & Tools, Exemplified by 3D Printed Artworks of Veraart & Stewart. Retrieved from http://3dprint.com/59018/photoshop-3d-enhancements/
Mimiso, M. (2015, June 9). Adobe Patches 13 Vulnerabilities in Flash Player. Retrieved from https://threatpost.com/adobe-patches-13-vulnerabilities-in-flash-player/113222
Minnick, C., & Tittel, E. (2014, April 30). How Adobe Is Moving on From Flash to Embrace HTML5. Retrieved from http://www.cio.com/article/2376661/internet/how-adobe-is-moving-on-from-flash-to-embracehtml5.html
Morra, S. (2013). Confirming the Integrity and Utility of Open Source Forensic Tools (UMI Number: 1549835) (pp. 32–33). Utica, New York: Utica College. Retrieved from http://search.proquest.com.ezproxy.utica.edu/pqdtlocal1008803/docview/1491381111/B0656A957BC345CAPQ/1?accountid=28902
Morrissey, M. (2011, October 24). Metadata: A Backdoor Into Multi-State Information Sharing & Analysis Center. Retrieved from https://msisac.cisecurity.org/resources/reports/documents/metadataadvisory.pdf
Nerseus. (2011, February 6). IMVU—View topic—What is Vertex Colors and should I use it? Retrieved from http://www.imvu.com/catalog/modules.php?op=modload&name=phpbb2&file=viewtopic.php&t=363860
New Survey Shows U.S. Small Business Owners Not Concerned About Cybersecurity; Majority Have No Policies or Contingency Plans. (2012, October 15). Retrieved from http://www.symantec.com/about/news/release/article.jsp?prid=20121015_01
O’Gorman, G., & McDonald, G. (2012). The Elderwood Project. Mountain View, California. Retrieved from https://www.info-point-security.com/sites/default/files/the-elderwood-project.pdf
Omansky, J. (2015). Adobe Flash: Zero Day Vulnerabilities. Retrieved from https://youtu.be/N3_kBqTIc7M
Özkan, S. (n.d.). Microsoft » Word: Vulnerability Statistics. Retrieved from http://www.cvedetails.com/product/529/Microsoft-Word.html?vendor_id=26
Özkan, S. (2015, May 13). Adobe » Flash Player : Security Vulnerabilities. Retrieved from http://www.cvedetails.com/cve/CVE-2015-3093/
Photo Forensics: Detect Photoshop Manipulation with Error Level Analysis. (2013, October 25). Retrieved from http://resources.infosecinstitute.com/error-level-analysis-detect-image-manipulation/
Pierini, D. (2015, February 25). Day in the Life mastermind on 25 years of Adobe Photoshop. Retrieved from http://www.cultofmac.com/313469/day-life-series-mastermind-reflects-25-years-photoshop/
Perhiniak, M. (2012, April 11). How Do I Use Photoshop and InDesign Together?—Tuts+ Design & Illustration Tutorial. Retrieved from http://design.tutsplus.com/tutorials/how-do-i-use-photoshop-and-indesign-together-psd-16039
Poulsen, B. (2012, July 31). Being Amused by Apophenia. Retrieved from http://www.psychologytoday.com/blog/reality-play/201207/being-amused-apophenia
Powell, B. (2011, December 21). Rep. Posey’s Interview With “Proud Birther” Victoria Jackson. Retrieved from http://politicalcorrection.org/blog/201112210008
Rick. (2014, May 14). The Rise of Programmatic and the Death of Flash. Retrieved from http://current360.com/play/rise-programmatic-death-flash/
Saletan, W. (2010, May 24). The Ministry of Truth. Slate. Retrieved from http://www.slate.com/articles/health_and_science/the_memory_doctor/2010/05/the_ministry_of_truth.html
Scan a paper document to PDF. (n.d.). Retrieved from http://help.adobe.com/en_US/acrobat/X/standard/using/WS58a04a822e3e50102bd615109794195ff-7f71.w.html
Schonfeld, E. (2010, February 2). Adobe CTO Kevin Lynch Defends Flash, Warns HTML5 Will Throw The Web “Back To The Dark Ages Of Video.” Retrieved from http://social.techcrunch.com/2010/02/02/adobe-cto-kevin-lynch-defends-flash/
Security Updates Available for Adobe Flash Player. (2015, June 23). Adobe Systems, Incorporated. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
Segura, J. (2013, February 4). Digital certificates and malware: a dangerous mix. Retrieved from https://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/
Shankland, S. (2012, May 11). Adobe launches Creative Cloud subscription service. Retrieved from http://www.cnet.com/news/adobe-launches-creative-cloud-subscription-service/
Shaw, R. (2013, November 20). Analyzing Malicious PDFs. Retrieved from http://resources.infosecinstitute.com/analyzing-malicious-pdf/
“SNL”s Victoria Jackson falls to incumbents. (2014, August 7). Retrieved from http://www.tennessean.com/story/news/politics/2014/08/07/snls-victoria-jackson-falls-incumbents/13755741/
Soltani, A., Canty, S., Mayo, Q., Thomas, L., & Hoofnagle, C. (2009). Flash Cookies and Privacy (p. 8). Berkeley, California: University of California, Berkeley. Retrieved from http://ssrn.stanford.edu/delivery.php?=7281191260660670640691240660030950220250450040180280591260031261011201241120091160861010201111020450510440851000680990940911120530870470210618001021103105005074064023079083010125117078000105069&EXT=pdf&TYPE=2
StephenJ798. (2013, October 8). re: Hacking The Adobe Breach. InformationWeek Dark Reading. Comment. Retrieved from http://www.darkreading.com/attacks-breaches/hacking-the-adobe-breach/d/d-id/1140620?
Stofer, M. (2015). Unlock PDF [Online]. Berlin, Germany: IM Material. Retrieved from http://smallpdf.com/unlock-pdf
Story, D. (2000, February 18). From Darkroom to Desktop—How Photoshop Came to Light. Retrieved from http://www.storyphoto.com/multimedia/multimedia_photoshop.html
Swanson, A. (n.d.). Company Names as Verbs or Proprietary Eponyms: Do You Use These Brand Terms? Retrieved from http://www.qualitylogoproducts.com/blog/company-names-as-verbs-brand-terms/
SWF Player. (2014). (Version 2.0.0) [Android 2.2 and up]. BIT LABS LLC. Retrieved from https://play.google.com/store/apps/details?id=air.br.com.bitlabs.SWFPlayer&hl=en
SWF to iPhone - How to Play Flash SWF on iPhone 5. (n.d.). Retrieved from http://www.jihosoft.com/flash-tutorials/swf-to-iphone.html
Tam, K. (2011, August 11). Photoshop Won’t Let You Work with Images of Currency? Retrieved from https://fstoppers.com/news/photoshop-wont-let-you-work-images-currency-7291
TinEye Reverse Image Search. (2015, July 3). Retrieved from https://www.tineye.com/
Trautman, E. (2014, April 19). RIP Flash: Why HTML5 Will Finally Take Over Video and Web in 2014. Retrieved May 25, 2015, from http://thenextweb.com/dd/2014/04/19/rip-flash-html5-will-take-video-web-year/
Trends. (n.d.). Retrieved from http://httparchive.org/trends.php?s=Top1000&minlabel=Jan+20+2011&maxlabel=May+15+2015
UTICA.EDU Technology Profiler on. (2015, June 28). Retrieved from http://builtwith.com/utica.edu
Van den Bergh, L. (2013, May 17). Adobe & Law Enforcement: Meet Sr. Solutions Architect John Penn II | PHOTOSHOP.COM BLOG. Retrieved from http://blogs.adobe.com/photoshopdotcom/2013/05/celebratinglaw-enforcement-week-with-adobes-john-penn-ii.html
Veronica Blas Dahir. (n.d.). Retrieved from http://www.unr.edu/research-and-innovation/researcher-resources/veronica-dahir
Vogt, D. (2011, May 22). News Release: Expanded Analysis of Obama’s Certificate of Live Birth - May 22, 2011. Retrieved from https://www.scribd.com/doc/55642721/News-Release-Legal-proof-that-President-Obamas-Certificate-of-Live-Birth-is-a-forgery
Wheeler, C. (2008, July 23). InDesign Forensics: What Your Editor Knows about You. Retrieved from http://www.deke.com/content/indesign-forensics-what-your-editor-knows-about-you
Yegulalp, S. (2014, February 7). Adobe Flash: Insecure, outdated, and here to stay. Retrieved from http://www.infoworld.com/article/2610420/adobe-flash/adobe-flash--insecure--outdated--and-here-to-stay.html
Zhang, M. (2015, May 14). Real or Photoshop: How Well Can You Spot Fake Photos? Retrieved from http://petapixel.com/2015/05/14/real-or-photoshop-how-well-can-you-spot-fake-photos/
Zuckerman, E. (2013, January 29). Review: OpenPuff steganography tool hides confidential data in plain sight. Retrieved from http://www.pcworld.com/article/2026357/review-openpuff-steganography-tool-hides-confidential-data-in-plain-sight.html
Appendices

Adobe publishes a large number of programs and systems and has discontinued many others (“Discontinued products,” 2015). These lists illustrate the large body of tools that exploits can be introduced into, tools that can be used for forensic purposes and tools that can be used for benign and malicious intent (“Adobe products | Adobe,” 2015).
Appendix A: Current/Supported Adobe products
• Adobe Access
• Acrobat Pro DC
• Acrobat Reader DC
• Acrobat Standard DC
• After Effects CC
• AIR
• Analytics
• Adobe Anywhere
• Audition CC
• Adobe Auditude
• Authorware
• Behance
• Bridge
• Campaign
• Adobe Captivate
• Adobe Connect
• Central Pro Output Server
• ColdFusion
• ColdFusion Enterprise Edition
• ColdFusion Builder
• Color Lava
• Content Server
• Contribute
• CS Live
• Creative Cloud
• Creative Cloud for Enterprise
• Creative Cloud for teams
• Creative Portfolio
• Creative Suite
• Digital Editions
• Digital Publishing Solution
• Director
• Distiller Server
• Adobe Document Cloud
• Adobe Document Cloud for enterprise
• Dreamweaver CC
• Drive
• Eazel
• Edge Animate CC
• Edge Code CC (Preview)
• Edge Inspect CC
• Edge Reflow CC (Preview)
• Edge Web Fonts
• eLearning Suite
• Encore
• Experience Manager
• Export PDF
• Adobe Extension Builder
• Fireworks
• Flash Builder
• Flash Media Live Encoder
• Flash Media Playback
• Flash Player
• Flash Professional CC
• Flash Video Streaming Services
• Flex
• Fonts
• Font Folio
• FrameMaker
• FrameMaker Publishing Server
• FrameMaker XML Author
• HTTP Dynamic Streaming
• Ideas
• Illustrator CC
• InCopy CC
• InDesign CC
• InDesign Server
• Ink & Slide
• JRun
• Kuler
• Adobe LeanPrint
• Lightroom
• Lightroom mobile
• Line
• LiveCycle Enterprise Suite
• Adobe Marketing Cloud
• Media Encoder CC
• Media Optimizer
• Adobe Media Server on Amazon Web Services
• Adobe Media Server Extended
• Adobe Media Server Professional
• Adobe Media Server Standard
• Adobe Muse CC
• Nav
• OnLocation
• Output Designer
• Output Pak for mySAP.com
• Ovation
• PageMaker
• Pass
• Adobe PDF Pack
• Adobe PDF Print Engine
• PhoneGap Build
• Photoshop CC
• Photoshop Elements
• Photoshop Elements & Adobe Premiere Elements
• Photoshop Mix
• Photoshop.com
• Adobe Playpanel
• Adobe PostScript
• Prelude CC
• Adobe Premiere Elements
• Adobe Premiere Express
• Adobe Premiere Pro CC
• Presenter
• Publish
• Revel
• RoboHelp
• RoboHelp Server
• Adobe Scout CC
• SearchCenter+
• Send & Track
• Send for Signature
• Shockwave Player
• Sketch
• Social
• Soundbooth
• SpeedGrade
• Adobe Story Free
• Adobe Story Plus
• Target
• Technical Communication Suite
• Typekit
• Type products
• Voice
• Web Fonts
• Adobe Web Hosting
• Web Output Pak
Appendix B: Discontinued/Unsupported Adobe products
• Acrobat Elements
• Acrobat Elements Server
• Acrobat Messenger
• Adobe Acrobat Basic
• Adobe Form Manager
• Adobe Ideas for Android
• Adobe Media Gateway
• Adobe OnLocation
• Adobe Stock Photos
• Adobe Type Set
• ATM Deluxe
• Authorware
• Collage
• CS Live services
• CS Review
• Creative Mark
• Debut
• Design Collection
• Dimensions
• Dreamweaver Server Extension
• DS Community Edition
• DV Rack
• Flash Paper
• Fontographer
• FreeHand
• GoLive
• Graphics Server
• Homesite Tool
• InContext Editing
• Kuler for Android
• NetAverages
• Ovation
• PageMaker
• PDF Scan
• PhotoDeluxe
• Photoshop Album
• Adobe Premiere LE
• PressReady
• Production Studio Premium
• Production Studio Standard
• Proto
• Rapid e-Learning Collection
• RoboInfo
• RoboPDF
• Secure Content Servers
• Soundbooth
• Streamline
• Studio
• Type on Call
• Ultra
• Video Collection Pro
• Video Collection Standard
• Vlog It!
• Visual Communicator
PageMaker is erroneously listed among the supported programs; however, support for PageMaker was discontinued on August 1, 2011. It also appears in the unsupported program list, which is correct (“Adobe - PageMaker Support Center,” n.d.).
Colophon

This book was reproduced from a Capstone Project on The Malicious and Forensic Uses of Adobe Software, by Jeffrey P. Macharyas, for the Masters of Science Program in Cybersecurity and Computer Forensics at Utica College, Utica, New York.

This report adheres to the American Psychological Association (APA) styles and was originally composed in Microsoft Word 2011, with Times New Roman, 12 point, double-spaced. This edition was created using Adobe InDesign CC 2015 for page layout, Adobe Photoshop CC 2015 for image production and Adobe Acrobat DC for the final PDF document. All work was performed on a 13” Apple MacBook Pro, late 2011 model, with operating system version 10.10.3 Yosemite. References and citations were compiled using the Zotero plug-in for Mozilla Firefox, version 40.0 (beta channel) and resources were searched for using Google.

This edition was typeset using Chronicle Display, 11 point, with a leading of 13. Every attempt has been made to provide credit for all sources used in the production of this report.
About

Jeffrey P. Macharyas

EDUCATION
Utica College | Master of Science in Cybersecurity—Specialization in Computer Forensics | 2015
Rutgers University | Mini-MBA Graduate Certificate—Social Media Marketing | 2012
Florida State University | Bachelor of Science in Communications and Visual Arts—Specialization in Advertising | 1983

PROFESSIONAL PROFILE
Forensic Software: FTK, Wireshark, Internet Evidence Finder, PRTK, RegEdit, Bless
Design Software: Adobe Creative Cloud: InDesign, Photoshop, Illustrator, Dreamweaver, Acrobat Pro, Edge Animate
Operating Systems: Apple OSX: Yosemite, Windows: XP-8.1, Linux: Ubuntu, Security Onion, VMware: 6-7
Online Operations: HTML, CSS, Google Analytics, Twitter Analytics, WordPress
Miscellaneous Programs: Microsoft Office: Word, Excel, PowerPoint. Open Source: Scribus, Inkscape, GIMP. FTP, CRM
Certifications: AccessData Certified Examiner, HubSpot Inbound Marketing, FEMA: Social Media, Nat’l. Infrastructure, Dale Carnegie Institute, Notary Public

COMPUTER FORENSICS PROJECTS/RESEARCH
• Capstone Master’s Thesis: The Malicious and Forensic Uses of Adobe Software
• Open Source Intelligence: Collected data to develop profile of the subject using online and personal interview sources
• Cyberbullying: A unique look at the cyberbullying “industry.” To be included as part of an upcoming encyclopedia
• Linux Forensic Tools: Various projects involving installing and operating computer forensic tools on Linux systems via the use of VMware and Virtual Box, to operate in a secure environment
• Peer Mentor: Worked with Utica College Cybersecurity online students to understand course material and procedures via phone, Skype and Google Hangouts. Recommended to be selected as a teacher’s assistant at Utica College
• Graphics: Redesigned The Moose, a style guide for APA-style compliance to be used by Utica College

PROFESSIONAL EXPERIENCE

Production Manager/Designer
Outdoor Sportsman Group
2013 – present
Stuart, Florida
Ensure that Florida Sportsman magazine, one of Outdoor Sportsman Group’s 15 titles, is produced correctly and on time. Manage advertising and production for 13 issues per year, as well as media kits, websites, print and web ads. Design and write interactive media kits and forms, advertisements, trade show material and book illustrations. Troubleshoot technical issues.
Introduced an innovative “flipbook” concept for newsstand customers, requiring careful planning and diligent coordination with in-house staff and vendors to ensure all necessary specs and production protocols were met.
Website design and developer for the Florida Fish & Wildlife Foundation (floridafishingcampaign.com).

Creative Director/Writer
Contractor
2003-2014
Remote
Worked for a diverse set of clientele to produce publications, websites, books, ads, logos, and other marketing material. Applied knowledge of working in different media to produce proper files and maintain schedules and budgets. Selected projects:
• Designer for safeHands Hand Sanitizer. Designed packaging, bottles, social media and website elements. 2012-2014.
• Writer/Art Director for The Pineapple Post newspaper, designed, wrote, researched and edited monthly community newspaper for Ocala and Jensen Beach, Florida. 2012-2014.
• Art Director for The American Spectator. Designed and produced monthly magazine. Redesigned the publication. Designed annual reports, prototype issues, direct mail and books. 2003-2007 & 2012-2014.
• Telephone pole designer for AT&T, field assessments and AutoCAD engineering drawings. Best Quality Award. 2012-2013.
• First Art Director for the USO’s OnPatrol magazine, a start-up publication for America’s armed service members and families. Designed brochures, one-sheets, books, challenge coins, and other marketing material. 2009-2012.

Creative Director/Writer
Today’s Campus magazine
2007 – 2010
West Palm Beach, Florida
The Greentree Gazette was the magazine for college business offices. Improved the design and production of the publication and forged a closer relationship with the vendors. To better reflect the audience, re-branded the magazine to Today’s Campus. Designed the logo and redesigned the magazine to give it a more professional appearance. A second publication, Student Loan Buying Guide, was added in 2008. Designed and produced approximately 200 pages per month.
• Initiated and managed the company’s subscription qualification and renewal program, using coverwraps, that generated qualified subscriptions for the first time
• Wrote and produced e-newsletters, email blasts and analyzed results, wrote articles for todayscampus.com
• Managed printers, editors, writers, and freelancers—reduced cost and improved turnaround time

Production Manager
Selling Power magazine
1997 – 2006
Fredericksburg, Virginia
Selling Power magazine, a publication for sales professionals, grew from 72 pages per issue to more than 200. Managed the production, distribution and audio content of Selling Power Live—an audio version of the magazine, with circulation of 50,000. Transitioned the product from cassette to CD and created innovative CD inserts for inclusion in the magazine to bolster subscriptions.
• Converted file delivery from PostScript to PDF workflow, decreasing turnaround time and improving quality control
• Conducted press, bindery and shipping checks at printing facilities for press runs of 260,000+ each month
• Discovered savings in mailing and shipping and developed innovative mailing and packaging methods by analyzing USPS regulations and meeting with postal officials
• Designed and analyzed subscription renewal efforts
• Single-handedly created a reprints department—earning the company $60,000+ the first year
• Audio Publisher’s Association’s Best New Audio for Selling Power Live—1998

NON-PROFIT/VOLUNTEER
• Designer/Seminar Speaker | Treasure Coast YMCA | Stuart, Florida | 2011-2015
• Website Designer/Charter Member | Treasure Coast Fencing Academy | Port St. Lucie, Florida | 2008
• Website Designer/Treasurer/Scout Leader/Secretary/Unit Founder | Boy Scouts of America | Orange, Virginia & Port St. Lucie, Florida | 2000-2013
• Website Designer/Board Member | Little League Baseball | Port St. Lucie, Florida | 2009-2010
• Designer/Communications Committee Member | Lake of the Woods Association | Locust Grove, Virginia | 2005-2007
• Website Designer/Teacher’s Helper | Orange Schools | Orange, Virginia | 2004-2007 | Volunteer of the Year-2006

[email protected] | www.Macharyas.com
Pronounced: muh-sha’-riss
Do I think Photoshop is being used excessively? Yes. I saw Madonna’s Louis Vuitton ad and honestly, at first glance, I thought it was Gwen Stefani’s baby.

I find, the fancier the fashion magazine is, the worse the Photoshop. It’s as if they are already so disgusted that a human has to be in the clothes, they can’t stop erasing human features.

Tina Fey
THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

A Capstone Project Submitted to the Faculty of Utica College • Utica, New York
www.utica.edu
August 2015
in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity

This research examines how certain Adobe programs and files are manipulated for deceptive practices. The most common programs and file types examined are Flash, Photoshop, PDFs and ColdFusion. This research also includes examination of some lesser known, but popular, programs, such as InDesign and Illustrator. The research addresses the following problems and situations:
• How are Adobe programs, primarily Flash, Photoshop, PDFs and ColdFusion, used for forensics and criminal purposes?
• What methods are used to manipulate files for the purposes of misleading people or altering perceptions?
• What are some of the forensic signs of evidentiary tampering and how can authorities use this information to identify threats?

By Jeffrey P. Macharyas