The Malicious and Forensic Uses of Adobe Software


THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

BY JEFFREY P. MACHARYAS


THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

by

Jeffrey P. Macharyas

A Capstone Project Submitted to the Faculty of

Utica College

August 2015

in Partial Fulfillment of the Requirements for the Degree of

Master of Science in Cybersecurity

© Copyright 2015 by Jeffrey P. Macharyas. All Rights Reserved.


CAPSTONE PROJECT 2015 • UTICA COLLEGE • JEFFREY P. MACHARYAS iii

Abstract

Adobe Systems, Inc. publishes a large number of software applications, cloud storage, analytic tools and marketing tools that are used worldwide. According to Adobe, 99% of computers have Flash installed and 90% have Acrobat or Acrobat Reader (for viewing Adobe Portable Document Format files [PDF]) installed. This is near universal use in the United States, but only 50% of computers in China and 25% of computers in Russia have PDF readers installed (Madrigal, 2012). In 2009, approximately 52.6% of targeted attacks used PDF exploits, compared with 65% in 2010, an increase of 12.4% (Danchev, 2011). Vulnerabilities in PDFs jumped from 11 in 2008 to 39 in 2009 and increased to 68 in 2010, which was closely followed by 66 in 2013. According to Verisign, seven bugs were reported in 2007 for Adobe Reader, 14 in 2008 and 45 in 2009.

Moreover, Flash threats continue apace and so do Adobe’s attempts to patch them. Adobe released Flash Player 17.0.0.188 on May 12, 2015 (Linux version 11.2.202.460). In addition to some cosmetic fixes, Adobe included several security fixes, which were categorized as “critical.” Photoshop is used to conceal and alter images and is also used to investigate images forensically. It has also become a tool of cyberbullies. The use of technology, such as Photoshop, to doctor images calls into question the believability of an image as a “document of social communication” (Pierini, 2015). In 2013, a breach was made possible by a vulnerability in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user” (Gallagher, 2013).

This research focused on the forensic value of some of the Adobe products as well as the means by which criminals use these products.

Keywords: Cybersecurity, Professor Christopher M. Riddell, Adobe, Photoshop, PDF, Adobe Flash, ColdFusion, InDesign, Steganography.


iv THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

Acknowledgements

Thank you to Professor Christopher M. Riddell for the advice and assistance to make this report a success. A special shout-out goes to David Conway, my co-worker and editor at Florida Sportsman magazine, who went far beyond proofreading the words to asking pertinent questions and prodding me to fully explain the points I was making. Thank you Stanley Noneze. Stanley was my online Cybersecurity classmate and has become a friend of mine. Stanley encouraged me the entire way and kept me focused and tuned in to the cybersecurity world and I will be his second reader in Fall 2015. Thank you to Professor Steven Wray Wood for being my second reader all the way from Germany.

To my wife, Sheila, who pretended to listen to me when I would emerge from the laundry room and exclaim: “Holy cow! Adobe just updated Flash again!” And to my sons, Collin and Jack, who introduced me to Zotero, a browser plug-in for creating citations and references, and for granting me access to his Indian River State College library account to access books I could not find online, respectively.

But, above all, I would like to especially dedicate this report to Kenneth J. “K.J.” Moran, my brother-in-law, best man, co-worker, fencing instructor, positive influence, and my sister’s husband. K.J. passed away, at only 53 years old, on January 23, 2015. He will be sorely missed.


Table of Contents

List of Illustrative Materials

The Malicious and Forensic Uses of Adobe Software
    Flash
    Photoshop
    Portable Document Format (PDF)
    ColdFusion

Literature Review
    Flash
    Photoshop
    Portable Document Format (PDF)
    ColdFusion
    Adobe Cloud

Discussion of the Findings
    Flash
    Photoshop
    Portable Document Format (PDF)
    ColdFusion
    InDesign

Future Research and Recommendations

References

Appendices
    Appendix A – Current/Supported Adobe Products
    Appendix B – Discontinued/Unsupported Adobe Products

Colophon


List of Illustrative Materials

Figure 1 – Poor Photoshop manipulation found in Victoria’s Secret catalog
Figure 2 – Photo of Situation Room includes Hillary Clinton and Audrey Tomason
Figure 3 – Clinton and Tomason removed from image in Der Tzitung newspaper
Figure 4 – Photoshop creation that looks realistic
Figure 5 – Time’s Photoshopped image compared to Newsweek’s original
Figure 6 – Gilbey’s Gin advertisement showing suspected subliminal images
Figure 7 – Satirical cover of Tiger Beat featuring President Obama
Figure 8 – President Obama’s birth certificate
Figure 9 – ColdFusion’s botnet control panel listing many entries for SecurePay
Figure 10 – Error Level Analysis (ELA) shows image modification
Figure 11 – Metadata from the Gaza photo uploaded to fotoforensics.com
Figure 12 – Gaza mourners photo and ELA representation shows alterations
Figure 13 – Peter Guzil in New York—1997
Figure 14 – Photoshop-enhanced image of rock formation appears to be a face
Figure 15 – Two-layer image created in Photoshop CC 2014
Figure 16 – Photoshop image saved as a PDF and opened in Adobe Acrobat Pro XI
Figure 17 – PDF, in Photoshop, retains the layers, which can be turned on and
Figure 18 – Acrobat’s Preflight does not show background image
Figure 19 – Original PDF: Metadata: A Backdoor Into Organizations
Figure 20 – Metadata of PDF viewed using Document Properties Acrobat Pro XI
Figure 21 – Wepawet analyzed PDF and reported it was clean
Figure 22 – Validly signed PDF and altered PDF, filtered through Photoshop
Figure 23 – Metadata shows the PDF Producer for each document is different
Figure 24 – Metadata derived from Adobe InDesign file
Figure 25 – Photoshop used to alter high school yearbook photo


The Malicious and Forensic Uses of Adobe Software

Cyber threats are a pervasive problem in society and many people invite them in without realizing that some of the commonly used computer programs and plug-ins are easy conduits for abuse. Flash, Photoshop, PDFs and ColdFusion are some of the programs used by an unsuspecting society; these programs are developed by Adobe Systems, Inc. Society also does not realize that criminals use these same programs to victimize them. According to Adobe, 99% of computers have Flash installed and 90% have Acrobat or Acrobat Reader (for viewing Adobe Portable Document Format files [PDF]) installed. This number is near universal use in the United States, but only 50% of computers in China and 25% of computers in Russia have PDF readers installed (Madrigal, 2012). Although the installation numbers of Adobe products are lower in some countries, it is universally natural to share PDF documents via email or downloads, view websites containing Shockwave Flash (SWF) videos or animation, or look at images that may have been altered with Photoshop. Adobe Flash and PDFs are common vectors that expose victims to malware, deception and obfuscation without their knowledge.

The purpose of this research was to examine how certain Adobe programs and files are manipulated for deceptive practices. The most common programs and file types examined are Flash, Photoshop, PDFs and ColdFusion. This research also includes examination of some lesser known, but popular, programs, such as InDesign and Illustrator. The research will address the following problems and situations:

• How are Adobe programs, primarily Flash, Photoshop, PDFs and ColdFusion, used for forensics and criminal purposes?

• What methods are used to manipulate files for the purposes of misleading people or altering perceptions?

• What are some of the forensic signs of evidentiary tampering and how can authorities use this information to identify threats?

Some Adobe files, such as PDF (created from many different Adobe and non-Adobe programs) and SWF (created with Flash), have been in use since the 1990s and are notorious for abuse. They can, however, provide a wealth of forensic evidence and authorities can use this information to identify threats and track down the sources.

Adobe programs are typically used for benign purposes, but criminals have been able to hijack the programs, and the files created by them, to serve their malicious needs. Conversely, forensic analysts and law enforcement are using the Adobe programs to thwart the criminal threats. Since exploits via Adobe products are so pervasive, efforts need to be stepped up to identify the threats and for law enforcement and analysts to learn the proper use of the tools to eradicate them. Symantec’s MessageLabs released a report in 2011 that stated:

PDF files outpace the distribution of related malicious attachments used in targeted attacks, and currently represent the attack vector of choice for malicious attackers compared to media, help files, HTMLs and executable files. PDFs now account for a larger proportion of document file types used as attack vectors. Approximately 52.6% of targeted attacks used PDF exploits in 2009, compared to 65% in 2010, an increase of 12.4%. (Danchev, 2011)

Adobe has been a large target for criminals for many years. The mid-2000s were especially bad years for Adobe. In the early part of the century, however, Microsoft was a large target and it remained so for several years. According to Verisign, seven bugs were reported in 2007 for Adobe Reader, 14 in 2008 and 45 in 2009. By comparison, bugs found in Microsoft products remained flat or declined in the same period. Wolfgang Kandek, the chief technology officer of Qualys, said of Adobe Reader in 2009, “It’s a huge focus for attacks now, around ten times more than Microsoft Office.” As a result of its complex code and its ubiquitous nature, TippingPoint researcher Pedram Amini says, “It’s a very good playground for exploitation” (Greenberg, 2009).

Russell Wasendorf, Sr., the owner of Peregrine Financial Group in Iowa, used Adobe software for exploitation and was sentenced to 50 years in jail in 2012 for fraudulently reporting brokerage accounts of more than $200,000,000, when they only amounted to $10,000,000. Wasendorf required that bank statements from US Bank be sent directly to him, unopened. He would then use a combination of scanners, ink-jet printers, Microsoft Excel and Photoshop to create counterfeit statements before sending them to accounting (Meyer & Massoudi, 2012).

Flash

History is replete with Flash exploits. In 2008, a phishing scheme, perpetrated by hackers, compromised 1,000 websites that served up a fake Flash Player. Users were duped into clicking a link in an email that purported to be from the Cable News Network (CNN). The email pretended to show the Top 10 News Stories of the day and alerted the user that their Flash Player needed to be updated. This exploit was made more maddening to the victims by the endless loop created when “cancel” was clicked and returned the user to the first dialog box and then back and forth again with seemingly no way out (Lightstream, 2008). Once executed, it would install a program named “Antivirus XP 2008.” The program was used to falsely claim that other viruses were detected and that the user needed to buy the full version in order to remove them. It would then install additional code that could be used for criminal intent as well (Harshbarger, 2008).

Flash presents serious privacy concerns. Most websites will enable cookies to be downloaded to the user’s computer. Cookies are downloaded to the user’s system to keep track of preferences, clicks, visits, etc. Flash also has the ability to download its own form of cookies, which operate, and appear, similar to HTML cookies. In fact, due to the similarity between Flash and website cookies, it is possible to “backup” website cookies with Flash cookies after the user has cleared their cookies from their source manually. Even with privacy set to block cookies, visiting sites and watching videos will download and store Flash cookies. On Windows systems, these cookies are found in %APPDATA%\Macromedia\Flash Player\#SharedObjects (Hofman, 2014). Typical web cookies store only 4kb of data, whereas Flash cookies, or “Local Shared Objects,” store 100kb of data. Unlike web cookies, LSOs are not visible through the browsers’ cookie manager (Brinkmann, 2007).
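Because LSOs never appear in the browser's cookie manager, an examiner has to go to the file system to see them. The following script is an added example, not part of the capstone report: it walks the #SharedObjects directory named above, validates each .sol file's fixed header (the layout used here, a 0x00BF magic, a big-endian length, the "TCSO" marker, the object name and an AMF version word, is taken from public descriptions of the format and is an assumption for this example), and reports the object name, size and whether it exceeds the 4 KB that a conventional web cookie can hold. The sample file it builds is constructed for the demonstration; the function and variable names are the example's own.

```python
import os
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Assumed fixed header of a Flash Local Shared Object (.sol) file, following
# public format descriptions; this layout is an assumption for the example.
SOL_MAGIC = b"\x00\xbf"
SOL_TAG = b"TCSO"
SOL_PADDING = b"\x00\x04\x00\x00\x00\x00"
WEB_COOKIE_LIMIT = 4 * 1024   # the ~4 KB ceiling cited for ordinary web cookies

# Default LSO location on Windows, as given in the text (Hofman, 2014).
DEFAULT_LSO_DIR = Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player" / "#SharedObjects"


@dataclass
class SolHeader:
    name: str          # shared-object name chosen by the SWF that wrote it
    declared_len: int  # byte count the header claims follows its length field
    amf_version: int   # 0 = AMF0, 3 = AMF3 serialisation of the body
    body_len: int      # bytes of serialised data after the header


def parse_sol_header(data: bytes) -> SolHeader:
    """Validate the fixed .sol header and extract the object name and AMF version."""
    if len(data) < 16 or data[:2] != SOL_MAGIC:
        raise ValueError("not a .sol file: bad magic")
    declared_len = struct.unpack(">I", data[2:6])[0]
    if declared_len != len(data) - 6:
        raise ValueError("length field does not match file size (truncated or tampered)")
    if data[6:10] != SOL_TAG or data[10:16] != SOL_PADDING:
        raise ValueError("not a .sol file: bad TCSO marker")
    name_len = struct.unpack(">H", data[16:18])[0]
    name_end = 18 + name_len
    if name_end + 4 > len(data):
        raise ValueError("object name runs past end of file")
    name = data[18:name_end].decode("utf-8", errors="replace")
    amf_version = struct.unpack(">I", data[name_end:name_end + 4])[0]
    return SolHeader(name, declared_len, amf_version, len(data) - (name_end + 4))


def build_sample_sol(name: str, body: bytes, amf_version: int = 0) -> bytes:
    """Constructed fixture: wrap `body` in a syntactically valid .sol header."""
    name_bytes = name.encode("utf-8")
    rest = (SOL_TAG + SOL_PADDING + struct.pack(">H", len(name_bytes)) + name_bytes
            + struct.pack(">I", amf_version) + body)
    return SOL_MAGIC + struct.pack(">I", len(rest)) + rest


def scan_lso_dir(root: Path) -> List[Dict[str, object]]:
    """Walk a #SharedObjects tree and summarise every .sol file found."""
    findings = []
    for path in sorted(root.rglob("*.sol")):
        try:
            hdr = parse_sol_header(path.read_bytes())
            status, name = "ok", hdr.name
        except ValueError as exc:
            status, name = f"malformed ({exc})", "?"
        size = path.stat().st_size
        findings.append({
            "path": str(path),
            # under #SharedObjects the directory tree mirrors the site that set the LSO
            "site_dir": path.parent.name,
            "name": name,
            "size": size,
            "exceeds_web_cookie_limit": size > WEB_COOKIE_LIMIT,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed demo tree: a fake random-id folder, a fake domain, one 5000-byte LSO.
    with tempfile.TemporaryDirectory() as tmp:
        site_dir = Path(tmp) / "RANDOM1D" / "example.invalid"
        site_dir.mkdir(parents=True)
        (site_dir / "settings.sol").write_bytes(build_sample_sol("settings", b"\x00" * 5000))
        for finding in scan_lso_dir(Path(tmp)):
            print(finding)
```

Run it against DEFAULT_LSO_DIR on a live Windows profile to inventory what sites have left behind; the length check matters because a file whose declared length disagrees with its size has either been truncated or edited after the player wrote it, which is itself a finding worth recording.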

Companies claim that they do not collect personal data, only aggregated data over time and that this data can then be used to create profiles. Several class-action lawsuits have been filed alleging that Flash cookies were collecting data against the claimants’ wishes. One claimant, Sandra Person Burns, of Jackson, Mississippi, states:

I thought that in all the instructions that I followed to purge my system of cookies, I thought I had done that, and I discovered I had not. My information is now being bartered like a product without my knowledge or understanding. (Vega, 2010)

Part of the problem is simply the public’s lack of awareness that such a thing exists. Emmy Huang, of Adobe, freely stated to the New York Times in 2009: “It is accurate to say that the privacy settings people make with regards to their browser activities are not immediately reflected in Flash Player” (Soltani, Canty, Mayo, Thomas, & Hoofnagle, 2009).

Adobe Flash is a favorite vector of attack due to its wide use. This is compounded by the fact that many people are negligent in managing their patches and upgrades, making Adobe Flash ripe for mayhem (Krebs, 2015). Flash’s demise has been predicted for some time, but it still maintains popularity as a web player. Even though YouTube is transitioning to HTML5, it uses Flash as a fallback for video playback. Google Chrome will default to HTML5, but other browsers, such as Firefox, will default to Flash (Yegulalp, 2014).

The number of websites that include Flash components has been declining steadily. From January 2011 to May 2015, the top 1,000 sites’ inclusion of Flash has fallen from 50% to 34% (“Trends,” n.d.). Due in large part to the burgeoning mobile market, Flash will see its numbers continue to dwindle as more and more ads are converted from Flash to HTML5. Greater mobile device usage, without Flash, will eventually drive it out of use (Trautman, 2014).

Flash usage on mobile devices is not increasing. On August 16, 2012, Adobe removed Flash Player from Google Play for Android devices. Android was the phone of choice over Apple’s iPhone, in part, because Flash was available for it. Adobe offered updates until September 2013 and it was not available for Android version 4.1 (Jelly Bean) or newer because it would, according to Adobe, “exhibit unpredictable behavior.” Apple’s primary objection to Flash was that it was a mouse-and-point program and did not lend itself to the touch-and-drag environment of mobile devices. Additionally, Flash is a drain on mobile device batteries and did pose significant security risks (Duncan, 2012).

Another drawback of Flash is that its code is a “closed container,” which makes it a dead end for Search Engine Optimization (SEO). When spiders and bots index websites and encounter Flash objects, they’re viewed as empty boxes. The Flash objects cannot be indexed and are useless for SEO (Rick, 2014).

HTML5, on the other hand, is coded more like a webpage with searchable tags that can be embedded. Search engines can find and index these, making it much more search-friendly, especially when searching for a particular bit of content within a video (Trautman, 2014). Although Apple CEO Steve Jobs stated as far back as 2010 that Flash would be “no longer necessary,” it has been used since 1996 and has been installed and continues to be used by millions of people and it will continue to be a potential threat for years to come (M, 2010).

Flash threats continue at a quick pace and so do Adobe’s attempts to patch them as they arise. Adobe released Flash Player 17.0.0.188 on May 12, 2015 (Linux version 11.2.202.460). In addition to some cosmetic fixes, Adobe included several security fixes, which were categorized as “critical.” A “critical” rating is: “A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware” (Campbell, 2015). Moreover, MITRE Corporation’s CVE Details website assigns this vulnerability its highest score of 10 because it can cause “Denial of Service Execute Code Overflow Memory Corruption” (CVE-2015-3090) and has 472 (as of June 2015) vulnerabilities to its credit. 2015 is on track to be the worst year for Flash exploits, trumping other years in the number of vulnerabilities with 94 so far. This number of exploits surpasses 2014’s record of 76, and, as of this writing, only half the year is over (Özkan, 2015).

Adobe released another update to fix 13 new vulnerabilities on June 9, 2015. Version 18.0.0.160 fixed bugs that were not publicly exploited. These vulnerabilities could expose users of Flash Player to remote attacks that could allow hackers access to the underlying system as well (Mimiso, 2015).

Two weeks later, on June 23, 2015, Adobe released another Flash update to address security concerns. This exploit targets Internet Explorer running on Windows 7 systems and below and older Firefox installations running on Windows XP. This update was version 18.0.0.194, released for Windows, Linux and Macintosh users (“Security Updates Available for Adobe Flash Player,” 2015).

On July 14, 2015, Adobe discontinued inclusion of Flash in Acrobat XI and Reader XI, with the release of version 11.0.12. Adobe’s Known Issues release explains:

Acrobat and Reader no longer include Flash Player. Flash Player is necessary for Acrobat and Reader to display SWF files and Portfolio content in PDFs. If your system doesn’t have Flash Player, and you want to display SWF files and Portfolio content contained in PDFs, install Flash Player. If you open a PDF that requires Flash, a dialog prompts you to download and install the latest Flash player. (“Known issues,” 2015)

Photoshop

Photoshop, Adobe’s popular photo-editing program, has been in use since the 1980s, when it was first developed in the basement of Ann Arbor, Michigan college professor Glenn Knoll. In February 1990, Photoshop 1.0 was launched and changed the digital image landscape forever (Story, 2000). Photoshop is unique among Adobe programs, as it is a useful tool for criminals as well as for forensic analysts and law enforcement agents who can use it to track criminals and collect evidence. Photographic evidence is increasing in volume and complexity with the explosion of low-cost digital cameras, tablets, smartphones and other devices capable of containing a camera. This adds to the complexity of authenticating evidence in law cases. Lucy Thomson, writing for SciTech Lawyer, explains how this technological advancement can be used for criminal intent and obfuscation:

Were the records altered, manipulated, or damaged after they were created? Changes to photographs and videos can be made using Photoshop or graphic design programs, while hackers can alter websites, change databases, and other electronic media. Often they cover their tracks by changing audit log records. (Thomson, 2013)

Because of the ubiquity and complexity of digital fraud, trained analysts are in demand. There are many resources available to train them in Photoshop’s forensic uses. The City of St. Paul, Minnesota posted a job opening for a Forensics Analyst that required Photoshop skills along with other forensic skills. The posting read, in part: “Utilizes Photoshop, Automated Fingerprint Identification Systems, lasers, cameras, analytical balances, and various chemical and physical latent print development techniques to develop and compare latent prints” (Haugech, 2015). Adobe’s Senior Solutions Architect, John Penn II, explains Photoshop’s use in law enforcement:

Sometimes, the critical clues are locked away behind sensor noise, poor lighting, blurry images or are in minute and hard to see details. Photoshop is a powerful tool in the hands of trained law enforcement, which can assist them in getting crucial information from digital media. (van den Bergh, 2013)

Photoshop can be used to conceal or alter images and can be used to investigate images forensically. Photoshop is easy to learn for altering and investigating images. Fred Ritchin, founding director of the Documentary Photography and Photojournalism Program at the International Center for Photography in New York City, warned that the use of technology, such as Photoshop, to doctor images calls into question the believability of an image as a “document of social communication” (Pierini, 2015).

Photographs are two-dimensional representations of a three-dimensional world. When examiners analyze a 2D image, specialized skills are needed to extract information that can only be seen from a 3D perspective. It is important that forensic analysts can convert a 2D depiction into a 3D perspective. For example, a car is parked at the scene of a crime. The image is viewed from the broadside of the car and shows the license plate, but the license plate cannot be read clearly. Photoshop’s filters can be used to “rotate” the scene to make the license plate readable. Photoshop has filters and plug-ins that allow examiners to enhance 2D images to show enough 3D detail and obtain the information desired. Photoshop’s “Vanishing Point” filter, for example, can be used to enhance 2D images enough to extract 3D perspectives from it (Farid, 2011).

Portable Document Format (PDF)

PDF files are as common as JPG images. It would be nearly impossible for anyone not to encounter a PDF file in the regular course of using a computer. Adobe founder John Warnock wrote about the promise of PDFs:

Imagine being able to send full text and graphics documents (newspapers, magazine articles, etc.) over electronic mail distribution networks. These documents could be viewed on any machine and any selected document could be printed locally. This capability would truly change the way information is managed. (Leurs, 2013)

Warnock’s comment was prescient. PDFs have changed the way information is managed. They have also increased the methods and frequency with which information is mismanaged. PDFs are one of the most common vectors of remote exploitation. Victims can easily be sent PDFs in socially engineered emails, links to PDFs attached to websites, and drive-by exploitation by adding malicious PDFs to victim-visited websites (“Current PDF Threats,” 2014).

Vulnerabilities in PDFs jumped from 11 in 2008 to 39 in 2009 and increased to 68 in 2010, which was closely followed by 66 in 2013. For comparison, the popular Microsoft Word had three in 2008, one in 2009, 16 in 2010 and 17 in 2013 (Özkan, n.d.).
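A first triage step for a PDF that arrived by one of the routes described above is to look, before opening it in a reader, for the name objects that let a document act on open rather than merely display. The script below is an added example and not part of the capstone report: it counts a small pdfid-style set of keywords in raw PDF bytes (the keyword list is this example's choice, and none of the names is malicious in itself), normalises the #xx hex escapes that the PDF name syntax permits so that a spelled-out name and an escaped one are counted the same, and raises flags for the combinations an analyst would want to see first. The two sample documents are constructed for the example, as are all function names.

```python
import re
from collections import Counter
from typing import Dict, List

# Name objects worth a second look during triage. The list is an assumption
# for this example, in the spirit of pdfid; presence alone proves nothing.
TRIAGE_KEYWORDS = [
    b"/OpenAction",    # action executed as soon as the document is opened
    b"/AA",            # additional actions (page open, form events)
    b"/JavaScript",    # embedded script
    b"/JS",
    b"/Launch",        # launch an external application
    b"/EmbeddedFile",  # attached file inside the PDF
    b"/URI",           # outbound link
    b"/ObjStm",        # object streams can hold the above inside compressed data
]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """PDF names may spell characters as #xx hex escapes; decode them so that
    '/Java#53cript' and '/JavaScript' are counted as the same name."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> Dict[str, object]:
    """Count triage keywords in raw PDF bytes and flag notable combinations."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "counts": {}, "flags": ["missing %PDF header"]}
    text = normalize_names(data)
    counts: Counter = Counter()
    for kw in TRIAGE_KEYWORDS:
        # negative lookahead so /JS does not also match a longer name such as /JSX
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", text))
    flags: List[str] = []
    if counts["/OpenAction"] or counts["/AA"]:
        if counts["/JavaScript"] or counts["/JS"]:
            flags.append("auto-run JavaScript")
        if counts["/Launch"]:
            flags.append("auto-launch of external program")
    if counts["/EmbeddedFile"]:
        flags.append("embedded file attachment")
    if counts["/ObjStm"]:
        flags.append("object streams present: counts may be incomplete until streams are inflated")
    if b"#" in data and text != data:
        flags.append("hex-escaped names (possible keyword obfuscation)")
    return {"is_pdf": True, "counts": dict(counts), "flags": flags}


# Constructed samples: a one-page document, and the same document with an
# open action that points at a harmless JavaScript alert, one name hex-escaped.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_SUSPECT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, triage_pdf(doc))
```

The keyword counts are a sorting aid, not a verdict: a form-heavy document legitimately carries /AA and /JS, and a document whose interesting names sit inside compressed object streams will show low counts until those streams are inflated, which is why the /ObjStm flag is reported separately.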

ColdFusion

ColdFusion is an Adobe program that is used for web development. It was developed in 1995 but is still widely used today. ColdFusion’s appeal is that it handles database management well and its coding language is familiar to web developers. ColdFusion allows developers to create large, enterprise-class applications. ColdFusion has been a target of hacks in the past. In 2013, a breach was made possible by a vulnerability in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user.” One of the hackers reported directly that Linode (a New Jersey-based virtual private server provider), a victimized company, had been hacked weeks before the discovery. This leads to the question whether there were many more, undetected, hacks (Gallagher, 2013).

Threats introduced through ColdFusion can have a negative effect on many people. Large corporate sites are built with the ColdFusion framework and are used to collect personal data and financial information as a natural course of their Internet e-commerce systems. From 2013 to 2014, a hacking gang used Adobe ColdFusion vulnerabilities to build a botnet from e-commerce sites that were used to extract and collect customer credit card data. Several large companies were affected, including Smucker’s, SecurePay, and Minnesota-based Elightbulbs.com, which was notified of the breach by their credit card processor, Heartland Payment Systems, themselves a target of a large breach in 2009 (Krebs, 2014b).


Literature Review

For more than 30 years, Adobe Systems, Incorporated, has been producing software that is used by graphic designers, photographers, videographers, sound editors, writers, architects, marketers, web developers and just about every profession in the world. Former Xerox Palo Alto Research Center (PARC) employees John Warnock and Charles Geschke founded Adobe Systems, Inc., in 1982. The pair worked at the graphics and imaging lab and developed a system that renders type, lines and graphics on paper as it appears on a computer monitor. Dissatisfied with Xerox’s lack of interest in their project, PostScript, they left the company to create Adobe Systems, which led to a revolution in electronic publishing and web development (“Adobe Systems Inc - Early History,” n.d.).

Adobe increased the usefulness of PostScript by developing a system to distribute documents similar in fashion to a fax, but with higher quality. In 1991, John Warnock released a proposal for “The Camelot Project” which was the precursor of the PDF. The goal of the Camelot Project was to develop a method to exchange visual communications between a wide variety of computers, operating systems and networks (Gitelman, 2014).

Adobe products have become so ubiquitous that proprietary eponyms have been derived from them: “Photoshop the image” to mean altering an image or “PDF it and send it to me” meaning to create a PDF from any number of programs (Swanson, n.d.).

Flash

Adobe software vulnerabilities have a large impact on society due to the widespread use of the company’s products. Symantec’s director of security response operations, Jonathan Omansky, says in his YouTube video, Adobe Flash: Zero Day Vulnerabilities:

Flash, as we know, is one of the most widely installed software applications in the world on different browsers in both Windows and Macs. This makes the number of exploitable software browser platform combinations significantly higher than other vulnerabilities. (Omansky, 2015)

Hackers make use of Flash’s SWF files as reusable delivery systems. The SWF file format is used to target the correct area of memory on the computer and specifies the parameters for delivering the Trojans. Some of these attacks used the name “Elderwood.” Using a common SWF file, the hackers can then deploy a new trigger and the SWF guides the hack. These attacks can include creation of email accounts, registration of domain names, information gathering, and stolen information analysis (O’Gorman & McDonald, 2012).

Flash exploits are so common and insidious that they are traded online amongst hackers. For a subscription fee, hackers can buy a “weaponized exploit” that can be plugged into websites of their choosing. In 2015, Flash was used to deliver malware through advertising on popular websites, such as theblaze.com, nydailynews.com and dailymotion.com. The attacks target Windows users using Internet Explorer and Firefox. In the case of radio personality Glenn Beck’s #2 ranked political site, theblaze.com, malware was introduced via a Flash ad that redirected victims to a Polish recipe site, which was then used to redirect advertising revenue directly to the botnet’s author.

The use of advertising to introduce malware in this fashion is referred to as “malvertising.” This particular exploit went by the names “kazy” and “kryptik” (Belcher, 2014). The underlying threats are present in Mac and Linux versions as well. Google Chrome offers added protection due to its embedded security sandbox (Brodkin, 2011). Safari users can install the third-party plug-in, ClickToFlash, which prevents Flash from activating until authorized by the user to do so. Enabling automatic updates for Flash will keep up with the bug fixes when released (Cole, 2015). In July 2015, Alex Stamos, Facebook’s security chief, asked Adobe to discontinue Flash once and for all. “It is time for Adobe to announce the end-of-life date for Flash,” Stamos tweeted.

Quickly following Stamos’ plea, Mark Schmidt, Mozilla’s support chief, tweeted that Flash will no longer be turned on in all versions of Firefox. Firefox users will now have to use another browser if they want Flash enabled. Schmidt did leave the door open for a return of Flash to Firefox, by stating, “To be clear, Flash is only blocked until Adobe releases a version which isn’t being actively exploited by publicly known vulnerabilities” (Goldman, 2015).

System76, a Colorado-based manufacturer of Ubuntu (Linux)-based desktop and laptop computers, announced on its blog on July 14, 2015, that it will no longer ship systems with Flash pre-installed. It also recommends that existing customers purge Flash from their systems by issuing the following via the command line interface: “sudo apt-get purge flashplugin-installer.” It cites two reasons for doing this: first, Flash isn’t really needed to enjoy “the full web experience,” and secondly, “security, security, security.” It also recommends that customers wanting to continue using Flash do so with Chrome (Derose, 2015).

Due to the rapid succession of Flash exploits and patches, a certain “Flash fatigue” has set in. There is evidence that hackers may be using Flash exploits to deliver crypto-ransomware as well. The threats have become so persistent that the best course of action for the public may be to disable Flash altogether (Goodin, 2015). Between May and June 2015, Adobe issued three new updates, two of them within two weeks of each other.

Even after all of Flash’s vulnerabilities and the late Steve Jobs’ decision to exclude Flash from Apple’s mobile devices, Adobe defended its product and railed against its alternative: HTML5. In 2010, Adobe’s chief technology officer, Kevin Lynch, placed the blame on Apple’s obstinacy and predicted an early demise for HTML5. He wrote in his blog:

Adobe supports HTML and its evolution and we look forward to adding more capabilities to our software around HTML as it evolves. If HTML could reliably do everything Flash does that would certainly save us a lot of effort, but that does not appear to be coming to pass. Even in the case of video, where Flash is enabling over 75% of video on the Web today, the coming HTML video implementations cannot agree on a common format across browsers, so users and content creators would be thrown back to the dark ages of video on the Web with incompatibility issues. (Schonfeld, 2010)

Adobe has come to accept that HTML5 will eclipse Flash as the de facto video player. Adobe has been addressing shortcomings in HTML5 to stay relevant in the mobile market. Adobe hosted worldwide “hackathons” to recruit and train web developers to improve on HTML5. Adobe has added HTML5 capability to Flash Professional and has developed its own HTML5 rendering program, Edge Animate. Edge Animate has a What-You-See-Is-What-You-Get (WYSIWYG) interface, support for audio, video, responsiveness, and keyframes without the need for plug-ins. With 99% of desktop browsers using Flash, Flash will be in use for some time, but Adobe has joined the HTML5 transition and has become one of its biggest supporters. With HTML5 “baked into” browsers, users will no longer have to download a separate plug-in and, as in the case with Flash, update it constantly to plug the frequent vulnerabilities that come with it (Minnick & Tittel, 2014).

Due in part to its long lifespan, Flash continues to be a carrier of threats. McAfee Labs, a division of Intel Security, released a report in May 2015 that showed the increasing threats due to Flash. In the first quarter of 2015, 42 new vulnerabilities were found, up from 28 in the fourth quarter of 2014. This is the highest number of vulnerabilities reported in a quarter for Flash. The report points out that the increase in Flash vulnerabilities is due, in part, to “a steep increase in mobile devices that can play SWF files” (Beeck, Matrosov, Paget, Peterson, Pradeep, Schmugar, Simon, Sommer, Sun, Surgihalli, Walter, Wosotowsky, 2015).

Exploits will continue as long as consumers and corporations fail to agree on standards of operation, update their software and systems, and learn about the threats and how to mitigate them. Complacency is a contributing factor that allows these exploits to continue. People take risks without taking simple precautions to avoid damage to themselves and their property. Complacency is so entrenched that some security teams do not even know, nor care, if they’ve been breached (“Cybersecurity complacency a leading cause,” 2014). A 2012 study conducted by Symantec stated that 83% of US companies have no formal cybersecurity plan (“New Survey Shows U.S. Small Business Owners Not Concerned,” 2012).

Although Flash, and plug-ins in general, are being phased out, many people will remain at risk due to their complacency and lack of knowledge concerning upgrades. Updates are foisted upon the general computer user constantly, and many of these are ignored simply because people have no idea what they are or how to run them. The large variety of operating systems, versions, browsers, plug-ins, add-ons and extensions creates a dizzying array of computer maintenance demands. There are so many options available that “calling the kid from down the street” to come fix a computer can be an increasingly daunting task that can result in more damage than it fixes. Chris Hoffman, writing for How-To Geek in 2014, explains it thus:

The Flash plug-in will be with us for a while longer, as it is still in such wide use, but all other plug-ins are on the brink of irrelevance. Even Flash is becoming less and less relevant thanks to mobile platforms without Flash support. This is fine by most plug-in developers—Adobe has developed tools that export to HTML5 instead of Flash, Oracle probably wants the extremely insecure Java plug-in to go away and stop sullying their security record, and Microsoft is no longer interested in pushing Silverlight as a competitor to Flash. (Hoffman, 2014)

Photoshop

The public can be oblivious as well as complacent. Figure 1 shows a manipulated photo from Victoria’s Secret that was produced poorly. It is apparent that the model is holding a handbag of some sort in her right hand, but the digital editor neglected to remove the straps. The tile on the floor behind where the bag was removed was also drawn back in poorly, and does not match the rest of the floor. Without the original to compare it to, the general public would not be able to detect the alterations without closely examining the image or without any forensic abilities (Krawetz, 2009).

Figure 1. Poor Photoshop manipulation found in a Victoria’s Secret catalog.

Alterations are more apparent if there is an original image to use for comparison. During the raid on Osama bin Laden’s compound in 2011, members of President Barack Obama’s national security team monitored the raid in real time from the Situation Room in the White House. Present were Secretary of State Hillary Clinton and Counterterrorism Director Audrey Tomason, the only two women in the room (see Figure 2). The image was published in newspapers and on websites worldwide with those two women clearly in the scene. However, due to its Orthodox Jewish religious beliefs, the Brooklyn, New York-based Hasidic newspaper, Der Tzitung, Photoshopped the two female officials out of the image (see Figure 3). By altering the photo, the newspaper violated the terms of use issued by the White House that accompanied the image on the photo-sharing site, Flickr. This was an example of Photoshop being used to alter reality to make the image fit into a group’s strict constraints. The newspaper defended its action in an email by stating:

In accord with our religious beliefs, we do not publish photos of women, which in no way relegates them to a lower status... Because of laws of modesty, we are not allowed to publish pictures of women, and we regret if this gives an impression of being disparaging to women, which is certainly never our intention. We apologize if this was seen as offensive. (“Hasidic Newspaper Photoshops Hillary Clinton,” 2011)

Technical skills and the software improvements have reached a point where it becomes almost impossible for people to distinguish the frauds created from reality. To illustrate this fact, Adobe published a tribute online to Photoshop by displaying images, some of which were real and others that were Photoshop creations. The website visitors were given the opportunity to determine whether the image was real or a Photoshop creation. It can be difficult, or even impossible, to determine whether a photo is real or altered just by looking at it. Often, the skills of the photo-manipulator are good enough to create realistic alterations. These could include techniques such as shadow realignment, foreground-background perspectives, color balances, and other subtleties. These techniques are difficult to detect by casual observation. Photos can be altered by adding elements from other photos or by enlarging or reducing elements of a photo to change perspective. Figure 4 shows an example of Adobe’s Photoshopped images in which a raw steak has been enlarged to create the illusion that the girl is about to eat an enormous slab of uncooked meat (Zhang, 2015).

Figure 2. Secretary Clinton and Director Tomason appear in the original photo.

Figure 3. Secretary Clinton and Director Tomason removed from the image used in Der Tzitung.

Manipulated images were thought to be an effective method to sell products through subliminal messages. “Subliminal advertising” was a term developed by researcher James McDonald Vicary. He conducted experiments that purported to prove that movie theatres that flashed messages such as “eat popcorn” or “drink Coca-Cola” would increase sales of their products. The results were astounding and led the Federal Communications Commission to ban “subliminal advertising” in 1974.

The Central Intelligence Agency (CIA) was prompted by the “results” to write The Operational Potential of Subliminal Perception and to write its own plans to use subliminal messaging. When confronted with the results and asked to support them, Vicary admitted that he falsified the data. “Subliminal advertising,” whether or not it existed, had no effect on buyers (Harley, n.d.). The CIA report states its perception of subliminal messaging:

The desire here is not to keep him unaware of what he is doing, but rather to keep him unaware of why he is doing it, by masking the external cue or message with subliminal presentation and so stimulating an unrecognized motive. (Gafford, 1958)

On June 27, 1994, Time and Newsweek ran O.J. Simpson’s mug shot on their respective covers (see Figure 5). Newsweek ran the photo as submitted. Time, however, used Photoshop to alter the image to make Simpson appear darker, and thus, more sinister. The graphic designer was instructed to make the image more “artful and compelling.” Time’s managing editor, James R. Gaines, regretted altering the photo after the backlash, and the newsstand version of the magazine was pulled from shelves and replaced with the unaltered version of Simpson’s mug shot. The subscriber version was mailed to subscribers with the darker image, making those copies collector’s items (Arogundade, n.d.).

Figure 4. Photoshop creation that looks realistic.

Figure 5. Time’s Photoshopped image compared to Newsweek’s original.

Wilson Bryan Key built upon Vicary’s suppositions in his 1974 book on the subject of image manipulation, Subliminal Seduction. Key purported to see images embedded in marketing and advertising that were of a sexual, violent or occult nature. Key’s opinion was that these images were placed there on purpose. Many people were convinced that Key was correct, but there were many who were not. Key presented a lecture on subliminal advertising at Florida State University in 1982. He failed to convince many in the audience with his evidence, which led some to walk out. One of Key’s examples was a 1971 advertisement for Gilbey’s Gin (see Figure 6). The ice cubes in the glass are arranged so that the letters “S-E-X” are seemingly formed from the cubes. Key further describes the scene:

The melting ice on the bottle cap could symbolize seminal fluid—the origin of life. The green color suggests peace and tranquility after tension has been released. The modus operandi of the ad is to sell Gilbey’s through a subliminal appeal to latent voyeuristic or exhibitionistic tendencies within the unconscious minds of readers. The Gilbey’s orgy has also appeared on covers of several other national publications. (Key, 1974, pp. 5-7)

Figure 6. Gilbey’s Gin ad showing suspected subliminal images.

Figure 7. Satirical cover of Tiger Beat featuring President Obama.

The technology has advanced a great deal since the 1970s. With cheaper personal computers and computer programs such as Photoshop, manipulating images is much easier. Although people should now be more aware of how easily they can be fooled by manipulated images, the manipulators get away with it quite often. False images, just like false news stories from satirical sites such as The Onion, have made fools of people from world leaders and news organizations down to the common citizen. The New York Times was fooled when it accepted an altered, satirical Tiger Beat magazine cover featuring President Obama, alongside the Jonas Brothers and Vanessa Hudgens (see Figure 7), in what The Onion claimed was an appeal to tween voters (who are not old enough to vote). The New York Times ran a “real” article on it (Fallon, 2012). Slate conducted an experiment in which they altered four images, took one out of context and mixed them with real images to see how the images affected people’s memories. One image showed President Obama shaking hands with Iranian President Mahmoud Ahmadinejad. The event never took place, but 26% of the respondents reported that they remembered it when it happened (Saletan, 2010).

Cynthia Baron, author of Adobe Photoshop Forensics, explains in her book’s introduction how easily society is duped:

Although we are now more visually literate and skeptical about “photographic evidence” than our parents or grandparents, we can still be taken in by a good fake, especially if it’s a fake we want to believe. Perpetrators take advantage of that all-too-human weakness and wreak much damage before their trick is discovered. (Baron, 2008, p. xiii)

One of the most malicious and common uses of Photoshop is counterfeiting. Photoshop is an ideal tool to use to create or enhance images of banknotes, identity cards, government forms, legal forms, historical records and other sensitive material that has been scanned or created digitally. Forensic examiners, with proper tools and training, can detect these types of frauds just as they did in the Wasendorf case. Adobe, at the behest of the government, added algorithms to Photoshop, from version CS2 and up, that can detect banknotes. It displays a dialog box that warns the user “this application does not support the printing of banknote images.” However, there are workarounds that can be employed. The user can first open the scanned image in Adobe’s discontinued image editor, ImageReady, and then import the file into Photoshop. The detection of banknotes is based on an imprint known as the EURion constellation (or Omron rings). EURion is a pattern of symbols, such as yellow dots, that are incorporated into banknotes to thwart counterfeiting efforts via scanning and Photoshop (Tam, 2011).

In 2011, Photoshop “evidence” was used in an attempt to bring down a sitting president. Douglas Vogt, an expert on scanners and image manipulating software, claimed that President Obama’s long-form birth certificate was a forgery created with Photoshop and was not an official document proving his “natural birth” in Hawaii. His evidence included “curved type” that “proved” that information was superimposed onto another document with image-manipulating software (see Figure 8). In his May 22, 2011 criminal complaint, Expanded Analysis of President Obama’s Certificate of Live Birth, Vogt claims:

I have irrefutably proven that the Certificate of Live Birth that President Obama presented to the world on April 27, 2011 is a fraudulently created document put together using the Adobe Photoshop or Illustrator programs and the creation of this forgery of a public document constitutes a class B felony in Hawaii and multiple violations under U.S. Code section Title 18, Part 1, Chapter 47, Sec.1028, and therefore an impeachable offense. (Vogt, 2011)

In his complaint, Vogt specifies many examples of fraud and manipulation that support his claim. Focusing on the imaging forensics aspects of his claim, Vogt says that the Certificate of Live Birth (COLB) contains both binary (black-and-white) and gray-scale images in the PDF that was presented by President Obama as proof of his “natural birth.” His assertion is that when documents are scanned, they are scanned as either binary (for text) or gray-scale (for images), but that this one contained both, which is “impossible.” He goes on to claim that the image contained straight and curved type, indicating that the original was scanned while it was still attached to a binder, which caused the paper to bend. The claim that the image was manipulated with Photoshop or Illustrator is easily refuted. Viewing the metadata of the PDF that the White House released, it showed that the PDF creator was “Mac OS X 10.6.7 PDFContext.” This would indicate that the PDF creator was anything but an Adobe product. Moreover, Adobe writes object IDs in numerical order, but this PDF document was created with prefix and postfix numbering (Conspiracy, 2011).
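The two provenance checks described above, as an added example that is not part of the original paper: a small Python reader that pulls /Producer and /Creator from a PDF’s Info dictionary and records the order in which object numbers appear in the file. The embedded PDF is constructed for the demonstration, not the document discussed in the text, and the reader handles only plain literal strings and a classic `trailer` keyword (not cross-reference streams).

```python
import re
from typing import Dict, List, Optional

# Constructed sample PDF for the demonstration (not the document discussed in
# the text). Its objects are written out of numerical order and its Info
# dictionary names a non-Adobe producer, so both checks have something to report.
SAMPLE_PDF = b"""%PDF-1.4
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
4 0 obj
<< /Producer (Mac OS X 10.6.7 PDFContext) /Creator (Preview) >>
endobj
trailer
<< /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

OBJ_HEADER = re.compile(rb"(?m)^(\d+)\s+(\d+)\s+obj\b")


def object_numbers(data: bytes) -> List[int]:
    """Object numbers in the order their 'N G obj' headers occur in the file."""
    return [int(m.group(1)) for m in OBJ_HEADER.finditer(data)]


def is_sequential(numbers: List[int]) -> bool:
    """True when object numbers strictly increase through the file."""
    return all(a < b for a, b in zip(numbers, numbers[1:]))


def object_body(data: bytes, num: bytes, gen: bytes) -> Optional[bytes]:
    """Raw text between 'num gen obj' and 'endobj', or None if absent."""
    m = re.search(rb"(?m)^" + num + rb"\s+" + gen + rb"\s+obj\s*(.*?)endobj", data, re.S)
    return m.group(1) if m else None


def info_dictionary(data: bytes) -> Optional[bytes]:
    """Body of the /Info object referenced from the trailer, if there is one."""
    trailer = re.search(rb"trailer\s*<<(.*?)>>", data, re.S)
    if not trailer:
        return None
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", trailer.group(1))
    if not ref:
        return None
    return object_body(data, ref.group(1), ref.group(2))


def provenance(data: bytes) -> Dict[str, object]:
    """Summarise the provenance signals the text relies on.

    Caveats for a practitioner: /Producer and /Creator are self-reported
    strings that any tool or editor can rewrite, and out-of-order object
    numbers also arise from ordinary incremental updates, so neither signal
    proves manipulation on its own; they are leads to corroborate."""
    info = info_dictionary(data) or b""
    fields: Dict[str, Optional[str]] = {}
    for key in ("Producer", "Creator"):
        # Only plain literal strings are handled; hex strings and escaped
        # parentheses are out of scope for this example.
        m = re.search(rb"/" + key.encode() + rb"\s*\((.*?)\)", info)
        fields[key] = m.group(1).decode("latin-1") if m else None
    nums = object_numbers(data)
    claimed = " ".join(v for v in fields.values() if v).lower()
    return {
        "producer": fields["Producer"],
        "creator": fields["Creator"],
        "object_order": nums,
        "objects_sequential": is_sequential(nums),
        "adobe_tool_claimed": "adobe" in claimed,
    }


if __name__ == "__main__":
    for k, v in provenance(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```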

PDFs can contain a variety of images. Vogt’s assertion that the PDF cannot contain both binary and gray-scale images is refuted by the very nature of how PDFs use “adaptive compression” or “adaptive optimization.” Adobe’s help page on scanning paper documents, using a scanner and Photoshop to create PDFs states:

Apply Adaptive Compression: Divides each page into black-and-white, gray-scale, and color regions and chooses a representation that preserves appearance while highly compressing each type of content. The recommended scanning resolutions are 300 dots per inch (dpi) for gray-scale and RGB input, or 600 dpi for black-and-white input. (“Scan a paper document to PDF,” n.d.)

Figure 8. President Obama’s birth certificate.

Vogt’s claims against President Obama led to a cottage industry of what became known as “the Birther Movement.” The movement claims many well-known celebrities and high-ranking politicians, including real estate mogul and 2016 Republican presidential candidate Donald Trump, Maricopa County, Arizona Sheriff Joe Arpaio, former Saturday Night Live comedian Victoria Jackson, former Colorado Congressman and gubernatorial candidate Bob Beauprez and many others. The movement has its own website, birtherreport.com, as well as some spin-offs, and continues to claim that President Obama is not qualified to be President of the United States because of the “fake” birth certificate and for other reasons.

The movement is extreme in its views and claims that acts of violence have been committed that help to advance its views of how malicious this perceived fraud has escalated. Victoria Jackson writes in her blog that the death of Hawaii Health Director Loretta Fuddy was related to Obama’s “fake” birth certificate and that she was killed as part of the larger “conspiracy” (Jackson, 2013).

The Birthers believe President Obama was born in Kenya and raised as a Muslim. A posting by Jackson on the “evils” of Islam had this response from her fan “ThomasThePaine”: “We need to start killing Muslimes on sight!” What makes Jackson even more dangerous (in addition to her popularity as a media star) is that she seeks political power. In 2014, she lost her bid for a seat on the Williamson County (Tennessee) Commission. Along with Beauprez (who lost his bid for Colorado governor to incumbent John Hickenlooper), this would have added two more birthers to the ranks of government (“‘SNL’s Victoria Jackson falls to incumbents,” 2014).

However, Jackson does have a like-minded friend in Congress: Representative Bill Posey (R-FL). Representative Posey introduced HR 1503 in 2009, a failed attempt at a “Birther Bill” requiring presidential candidates to supply birth certificates, and any other “necessary” documentation, upon filing to run. Jackson conducted an interview with Posey, who supported her claims about the Photoshopped birth certificate. Jackson was inspired by Posey and claimed that President Obama’s birth certificate was “the fakest birth certificate” she’s ever seen. The law would have become effective in 2012, the year of Obama’s re-election (Powell, 2011).

The use of Photoshop has called into question legal precedents. In March 2001, Alfred Swinton was found guilty of the 1991 murder of Carla Terry, in Hartford, Connecticut. Terry’s body was found in a snow bank, partially clad and wrapped in a garbage bag. Examiners found what appeared to be teeth bite marks on her breast. During his trial, the defense argued that the Photoshop evidence presented was “altered” and that the technology’s veracity needed to be established. New rules, based upon the American Oil v. Valenti case, that adopted rules of federal procedure to establish foundation, adjudicated years earlier, led to the Swinton Six characteristics (Crowsey, n.d.).

The Swinton Six characteristics, as defined by the Connecticut Supreme Court, are:

1. The computer equipment is accepted in the field as standard and competent and was in good working order
2. Qualified computer operators were employed
3. Proper procedures were followed in connection with the input and output of information
4. A reliable software program was utilized
5. The equipment was programmed and operated correctly
6. The exhibit is properly identified as the output in question (Hoerricks, n.d.)

The admission of digitally “enhanced” images has been brought into question in courts of law. For any digital evidence to be deemed worthy, the qualifications and competency of the digital technician must be beyond reproach. Moreover, the prosecutor and defense attorney must have a high enough level of expertise to evaluate and present the evidence. In 1994, digitally enhanced evidence was presented to the court in the case of The United States vs. Mosley. Maurice Mosley was charged with six counts of bank robbery. An FBI agent testified that he took a still image from the video surveillance tape that recorded Mosley committing the crime and enhanced it. The agent was then able to detect a mark on Mosley’s face that matched a mark on his booking photo (Hak, 2003).

Mosley was convicted of bank robbery and appealed his conviction. In his appeal, Mosley asserted that the government erred in allowing FBI Agent Douglas Goodin’s enhanced photographic evidence. In a Memorandum, the Ninth Circuit Court ruled:

Goodin, an agent with the Federal Bureau of Investigation, testified that he had subjected a bank photo of the robbery to digital imaging processing, a procedure that sharpens pictures. He informed the jury that, after sharpening the photo, he was able to detect a mark on the face of the robber. He then compared this mark with a mark on Mosley’s face, which was visible in an arrest “booking” photograph, and described their similarities. The district court reasonably concluded that this testimony would assist the jury. (Appeals & Circuit, 1994)

Photoshop is also a useful tool for law enforcement when examining photographic evidence of a crime scene. Photoshop’s “Vanishing Point” filter can be used to “rotate” a scene to make objects that are skewed become clearer. Photographs are two-dimensional facsimiles of reality. It is not possible to “look around the corner” in a photograph, but it is possible to use Photoshop to achieve similar results. By using a combination of filters and commands, the examiner can select an object, such as a license plate or a billboard, apply the Vanishing Point filter and “rotate” the object into view to make the information on it readable. It may not be possible to achieve this if there is not enough information to begin with. Contrary to depictions on television, it is unlikely that a reflection in a pair of glasses will yield enough pixels to “reassemble” the object in question (Farid, 2011).

Portable Document Format (PDF)

Malware in PDF files has become pervasive. With the ease of creating, disseminating and opening PDFs, this document format is ripe for exploitation.

It is very common for a person to receive PDF files via email, sometimes from known sources and sometimes from seemingly innocuous sources. A mass email with a malware-infected PDF can be sent to thousands of people in seconds, with the effects not always realized once the PDF is opened. In the last few years, PDF attacks have doubled year after year (Shaw, 2013).

Malware is commonly introduced into PDFs by JavaScript actions. These actions are launched when the PDF is opened or printed. There are many tools available to analyze PDFs, both online and offline (Du, 2013). PDFiD is one such open source tool for malware analysis and forensic examination. PDFiD examines PDFs to find instances of suspicious strings, even if the strings are obfuscated. PDFiD reduces large sets of PDF files into manageable sets, and separates the benign PDFs from the malicious ones. PDFiD can detect what a PDF file is capable of executing. Moreover, a tool such as Didier Stevens’ PDFparser can be used to see what actually executes (Morra, 2013).

For forensics analysts and law enforcement, there are several methods available to analyze PDFs for either malicious code or for intelligence gathering. The metadata stored within a PDF can provide some basic clues as to the creation and modification dates, the originating program, and sometimes the creator’s name. Additional metadata can also be found if the user entered the information manually, such as description, writer, keywords, etc.

Non-professionals and casual users of PDFs can benefit from open source tools to work with PDFs. PDFs can have varying levels of security added. A user can password-protect a PDF and deny the recipient taking actions except viewing it. Printing, copying and editing are prohibited without the correct password. The user who protected the document can benefit from open source tools as well. An old PDF is retrieved with password protection, but the user has forgotten the password. In Acrobat’s Document Properties dialogue, the security settings can be reviewed. Here, it lists the settings, such as “password security” and the functions that are forbidden. It reports the encryption level, such as 128-bit RC4. A PDF of this type can be uploaded to the browser-based tool, Unlock PDF, which strips the password from the PDF and returns it to the user. The PDF can now be manipulated by the user’s choosing (Stofer, 2015).
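A PDFiD-style triage of the kind the two passages above describe, as an added example (not Didier Stevens’ tool or any code from the paper): it counts the action and JavaScript names that typically carry PDF malware, resolving the `#xx` name escapes used to hide them, and reports the algorithm and withheld permissions that Acrobat’s Document Properties security tab shows. The sample PDF is constructed inline; the permission bit numbers follow the PDF standard security handler’s /P definition.

```python
import re
from typing import Dict, Optional

# Constructed sample for the demonstration. Object 4 carries a JavaScript action
# whose name is hidden with a #xx escape, the catalog and page both trigger it
# (/OpenAction and /AA), and the trailer points at a 128-bit RC4 /Encrypt entry
# whose /P value allows printing only.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (constructed sample string) >>
endobj
5 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3900 /O <00> /U <00> >>
endobj
trailer
<< /Root 1 0 R /Encrypt 5 0 R >>
%%EOF
"""

# Names worth counting because they mark code execution, auto-run triggers,
# embedded payloads, or object streams and encryption that hide names from
# plain string scans (the same reason PDFiD reports them).
SUSPICIOUS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/ObjStm", b"/Encrypt")

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# /P permission bits of the standard security handler (1-based bit numbers).
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate"}


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript is counted as /JavaScript.
    Applied to the whole file for simplicity; names inside compressed
    object streams are still invisible to this scan, as they are to PDFiD."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[str, int]:
    """Count each suspicious name as a whole token, like PDFiD's summary."""
    norm = normalize_names(data)
    counts: Dict[str, int] = {}
    for kw in SUSPICIOUS:
        # A name ends at whitespace or a delimiter, so /JS does not match /JScript.
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9_])"
        counts[kw.decode()] = len(re.findall(pattern, norm))
    return counts


def encryption_info(data: bytes) -> Optional[Dict[str, object]]:
    """Algorithm and the operations the owner password withholds, or None
    when the file has no /Encrypt entry in its trailer."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return None
    body = re.search(rb"(?m)^" + ref.group(1) + rb"\s+" + ref.group(2)
                     + rb"\s+obj\s*(.*?)endobj", data, re.S)
    if not body:
        return None
    d = body.group(1)

    def num(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
        return int(m.group(1)) if m else default

    v, length, p = num(b"V", 0), num(b"Length", 40), num(b"P", -1)
    if v >= 5:
        algorithm = "AES-256"
    elif v == 4:
        algorithm = "AES-128" if b"/AESV2" in d else "RC4-128"
    elif v == 2:
        algorithm = f"RC4-{length}"
    else:
        algorithm = "RC4-40"
    allowed = [name for bit, name in PERMISSION_BITS.items() if p & (1 << (bit - 1))]
    denied = [name for name in PERMISSION_BITS.values() if name not in allowed]
    return {"algorithm": algorithm, "allowed": allowed, "denied": denied}


def triage(data: bytes) -> Dict[str, object]:
    """Combined report: suspicious-name counts plus encryption settings."""
    return {"keywords": count_keywords(data), "encryption": encryption_info(data)}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for name, n in report["keywords"].items():
        print(f"{name:<14} {n}")
    print("encryption:", report["encryption"])
```

A non-zero count for /JavaScript, /OpenAction or /AA in a document that should only be viewed is the cue to open it in a sandbox or hand it to a parser that extracts the action objects, rather than to the reader.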

McGladrey LLP, an accounting firm with more than 8,000 employees based in Minneapolis, Minnesota, has streamlined its document workflow to focus on Adobe Acrobat PDFs. Matt Corcoran, McGladrey’s desktop manager, describes the challenges and complexity of their document management routine:

We are very geographically dispersed—and, as part of our entrepreneurial culture, users here are free to purchase or download tools in addition to our standard software image to meet their needs. To support our substantial use of PDF, our accounting professionals had acquired a mix of many different versions of Adobe Acrobat software, as well as other PDF applications. (McGladrey LLP, 2011)

ColdFusion

ColdFusion is an Adobe program that is used for web development. It was developed in 1995 but is still widely used today. ColdFusion’s appeal is that it handles database management well and its coding language is familiar to web developers. ColdFusion allows developers to create large, enterprise-class applications and is used frequently by large corporations, government agencies and other institutions that maintain large databases that integrate with the Internet. ColdFusion is adaptable and can “talk” to other applications, such as .NET, Java classes, and legacy connectivity such as COM and CORBA. ColdFusion is a useful tool for creating forms. Forms can be coded just like in any other web development tool, but ColdFusion offers added validation options without adding unnecessary complexity (Hughes, n.d.).

ColdFusion is a target for hacks. In 2013, a breach was made possible by a vulnerability in ColdFusion that Adobe claimed could “be exploited to impersonate an authenticated user.” One of the hackers reported directly that Linode (a New Jersey-based virtual private server provider), the company victimized, had been hacked weeks before the discovery. This could be an indication that there were more hacks that went undetected. The element that was attacked is “cflogin,” its user authentication component. With this exploit, hackers were able to access Linode’s server and source code. In response, Linode issued a statement in a blog post:

No evidence decrypted credit card numbers were obtained and the encryption key for credit card data was not stored on the server and was not guessable, sufficiently long and complex, not based on dictionary words, and not stored anywhere but in our heads. (Gallagher, 2013)

The ColdFusion breach of 2013-2014 that affected Smucker’s and SecurePay acted similarly to the ZeuS virus. It would siphon information by slurping up passwords stored in the victim’s browser cache and conduct “form grabbing,” which is intercepting data entered into a form field before it has been encrypted and sent across the Internet to its destination. As victims were going through the online checkout process at Smucker’s, the virus would collect names, addresses, phone numbers, credit card numbers and verification codes (CVV). This virus confirmed an important aspect of Web security: no transaction is secure if even one end is compromised. This same group is believed responsible for the attack on ColdFusion’s own publisher, Adobe Systems, Inc.

The control panel of the botnet includes the names of many companies. Some of them were reported infected in August 2013 and were still active up to, at least, March 2014, according to Brian Krebs. The botnet did infect at least one company that was driven out of business: TechnoCash.com.au. TechnoCash was also involved in an online drug bazaar on SilkRoad and under indictments from the United States Department of Justice.

Georgia-based SecurePay, whose assets were acquired from Pipeline Data by Calpiancommerce.com, was heavily represented in the botnet’s control panel (see Figure 9). Pipeline’s New York data center had been running an outdated version of ColdFusion. When asked about the breach by Brian Krebs, CEO Tom Tesmer responded by saying, “We’re not aware of compromised cards.” When Krebs presented him with 5,000 records showing what the hackers stole, Tesmer confirmed the attack and responded:

That warning showed up while the system was not under our control, but under the control of the folks up in New York. We fired that alert over to the network guys up there and they said they were going to block that IP address, and that was the last we heard of that. (Krebs, 2014a)

Adobe Cloud

In 2012, Adobe launched the Adobe Creative Cloud. This move transitioned Adobe from selling perpetual licenses for boxed software to offering their programs on a subscription basis. Users pay a monthly fee, based on whether the user is a student, or a business, or some other specific entity. Subscription fees are priced from $10/month for individual use of Photoshop up to $80/month for the complete Creative Cloud set which includes Adobe Stock Photos (“Discover the Creative Cloud,” 2015). With the subscription, users can sign in to their Adobe account online and download almost all the Adobe programs they want. In the past, a user would, for example, purchase InDesign in a box and then Photoshop, Illustrator, etc. Adobe also offered different software collections for print designers, web designers, etc. With the subscription, a typical print designer using InDesign can experiment, at no additional cost, with sound software, such as Audition, video editing with After Effects or web animation with Edge Animate. Many balked at the idea of continually paying Adobe to use their products, but after three years in service the complaints have diminished and it has become a part of digital life (Shankland, 2012).

Figure 9. The ColdFusion botnet’s control panel listing many entries for SecurePay.

Along with all this expansion, subscriptions and transitions to the cloud created problems for Adobe and its customers. In 2013, Adobe was hit with a massive cyber attack that impacted at least 38 million Adobe users. The attack led to the reported theft of three million credit card records and tens of millions of user accounts. Shortly after the attack, a 3.8Gb file, “users.tar.gz,” was posted on AnonNews.org (an anonymous news-posting site) that contained 150 million usernames and hashed password pairs stolen from Adobe. Along with the account theft, hackers stole the source code for Acrobat, Acrobat Reader and ColdFusion. A password-protected file was uploaded to AnonNews.org with the name “ph1.tar.gz.” Forensic experts were not able to crack the password. A newer file, with the same name and without protection, was later posted containing the source code for Photoshop. Adobe offered its affected customers free credit protection for a year. The protection was offered through Experian, which was earlier tricked into selling consumer records to an online identity theft service (Krebs, 2013).

Stealing customer data and software source code is a lucrative undertaking for several reasons. Obviously, stealing credit card information or user login information gives the hackers access to personal financial data. Source code is a commodity that can be sold and traded on the dark web. With the source code, hackers can develop exploits and sell those to others for a fee. A zero-day exploit (a first-used exploit that has not been previously employed) could be sold for $50,000. Having the source code allows the hackers to find more vulnerabilities for later use. In the case of the stolen ColdFusion source code, the hackers could compromise web servers at will (Higgins, 2013).

Photoshop and Acrobat are both available through the Adobe Creative Cloud subscription service for 30-day trial periods. This makes using the programs, and experimenting with them, very convenient and cost-effective. Adobe software is designed to work together. Whether one works in Photoshop, Illustrator, InDesign or Audition, the commands and interface are all similar and transferring assets between them is a mostly seamless process (Perhiniak, 2012). Along with Photoshop and Illustrator, Adobe InDesign is an application used by the majority of graphic designers and publishers for page layout. QuarkXPress was, for many years, the de facto tool of publishers, but Adobe took over the larger share of the market with InDesign even though QuarkXPress had a 95% share of the market when InDesign debuted (Girard, 2014). InDesign hasn’t presented the forensic challenges that PDFs, Flash, ColdFusion and Photoshop have, but it is interesting to note that, even in this seemingly innocuous program, there is metadata embedded that can be analyzed (Wheeler, 2008).


Discussion of the Findings

The purpose of this research was to examine how certain Adobe programs and files are manipulated for criminal intent. The most common programs and file types examined are Photoshop, Acrobat, Flash, and ColdFusion, but the research also covers some of the lesser known, but popular, programs, such as InDesign and Illustrator, among others. The research will address the following problems and situations:

How are Adobe programs, primarily Photoshop, Acrobat, Flash and ColdFusion used for forensics and criminal purposes? What methods are used to manipulate files for the purposes of misleading people or altering perceptions? What are some of the forensic signs of evidentiary tampering and how can authorities use this information to identify threats?

Adobe’s large number of programs and online subscription systems will lead to more opportunities for threats and more opportunities to use the programs to thwart those threats. Adobe has gone beyond creating applications for design, such as InDesign and Illustrator. It now includes the Adobe Marketing Cloud, used for marketing and analytics, to compete against IBM, SalesForce and Oracle in the cloud marketing market (Koetsier, 2014). It has also added solutions for designers to host their creative portfolios with its acquisition of Behance, which is described as the “LinkedIn for artists” (Dillet, 2012).

Adobe’s data breach in 2013 could have affected 150,000,000 records, far larger than previously reported numbers of 38,000,000 (Ducklin, 2013). Adobe warned their customers by sending users an email explaining what had happened and that they had reset the users’ passwords and included a link in the email to a password reset. Clicking a link in an email, especially if you weren’t expecting such an email, is an invitation to being hacked due to user complacency. As “StephenJ798” quipped in a comment on Kelly Higgins’ post on InformationWeek’s Dark Reading site, “Hacking the Adobe Breach”:

Can I add that Adobe compounded their lack of security by sending unexpected emails to 3 million people with a request to change their security details by clicking on a link in the same email? I cannot confirm that anyone has used this fact to try to get login and other information from Adobe users but since support on the Facebook page is basically saying “just click on the link” we have to hope that they will be getting an email with the right link. If you see nothing wrong in what Adobe has done then you are advised to reset your PayPal Password here. (StephenJ798, 2013)

What makes the Adobe breach more troubling is that many people re-use passwords from account to account. For all the passwords used in the Adobe accounts, and the records associated with them, duplicates of this information appear in other systems, sometimes many times over. Even though Adobe required password resets after the hack, those duplicate passwords are used elsewhere. As a result, many people who changed their Adobe password have not chosen to change it across all accounts, which allows the hackers to hack many other accounts via just one channel. Unfortunately, many people do not practice safe password habits when choosing their passwords. “Password” is a common password and so are regular dictionary words, which can be guessed or gleaned through social engineering. Two-factor authentication is a better way to proceed. With this method the password is teamed up with another form of identification (Levin, 2014).

Flash

Flash is one of the most widely installed software applications in the world and is found on different browsers for both Windows and Macs. Hackers make use of Flash’s SWF files as vectors of re-usable delivery systems. This makes the number of exploitable software/browser/platform combinations significantly higher than other vulnerabilities (Omansky, 2015).

McAfee Labs, a division of Intel Security, in its May 2015 report, states that the increase in Flash vulnerabilities is due, in part, to “a steep increase in mobile devices that can play SWF files” (Beeck et al., 2015).

McAfee’s statement about Flash exploits increasing due to mobile use is overstated. Although it is possible, in certain circumstances, to play SWF files on a mobile device, it requires third-party add-ons that play SWF files from an SD card. There is no widespread “user-friendly” method of playing SWF on mobile devices that the general public would use. The Google Play app store does not carry an Adobe Flash Player. The download page for the third-party app, SWF Player by BitLabs LLC, states:

Play your flash files (SWF) from your SD-card with this simple player. This app is a Flash file viewer. You need to install Flash® Player Plugin to use this app to play your SWF Flash files. You can play your Flash animations, apps and games with this Flash file viewer. Adobe discontinued the Flash® Player Plugin for mobile devices, but with SWF Player you will be able to play your SWF Flash files. (SWF Player, 2014)

Playing SWF files on an iPhone is a challenge. Since iPhones do not support Flash, users need to use third-party systems to circumvent the block. Jihosoft offers third-party solutions, such as Cloud Browse, which is a paid web browser that uses a virtual Firefox platform. The company also offers a converter that users can use to convert Flash to MPEG-4, which will play on an iPhone. Solutions like this diminish what iPhone users want in their device: a simple, ready-to-go device for all their communication and entertainment needs. Requiring users to find, install and troubleshoot extra programs to view Flash files is not a practical solution (“SWF to iPhone - How to Play Flash SWF on iPhone 5,” n.d.).


Photoshop

Photoshop, by itself, is not generally used as a vehicle for malicious code. Threats perpetrated with Photoshop are targeted at the mind. Image manipulation preceded Photoshop and the digital age, but Photoshop has certainly made the results of manipulation much more realistic and believable and has made the chore much easier to perform. Before the advent of Photoshop and computers, image manipulation was an arduous process that required hours of work manipulating images manually with airbrushes and ink.

There are methods to detect image manipulation conducted with Photoshop. One method of detecting image manipulation is Error Level Analysis (ELA). ELA works by resaving images at a 95% compression rate. The changes that are introduced are then calculated and areas of manipulation show up brighter as they deviate from the original (“Photo Forensics,” 2013). The image from the Victoria’s Secret catalog was changed quite extensively as illustrated by the changes highlighted in white. The entire dress was modified, and, as it has selectable colors on the original website, the color visible in the image is not that of the original (see Figure 10).
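The resave-and-compare step just described, as an added example that is not part of the paper: the image is written out once more as a JPEG at quality 95 and the per-pixel difference is measured, so a region pasted in at a different compression level shows a higher error level than its surroundings. It assumes the Pillow imaging library is installed; the test image is constructed in the code rather than taken from any real photo.

```python
import io
import random

from PIL import Image, ImageChops, ImageStat


def error_level(image: Image.Image, quality: int = 95) -> Image.Image:
    """Error Level Analysis: save the image once more as JPEG at the given
    quality and return the per-pixel absolute difference. Regions already at
    a consistent compression level change little; regions pasted in at a
    different level (or never compressed) change more and so appear brighter
    in the returned image."""
    original = image.convert("RGB")
    buf = io.BytesIO()
    original.save(buf, "JPEG", quality=quality)
    buf.seek(0)
    resaved = Image.open(buf).convert("RGB")
    return ImageChops.difference(original, resaved)


def mean_error(error: Image.Image, box: tuple) -> float:
    """Average error level over box = (left, upper, right, lower)."""
    return ImageStat.Stat(error.crop(box).convert("L")).mean[0]


def build_spliced_sample(seed: int = 7) -> tuple:
    """Constructed test image (not a real photo): a smooth 128x128 gradient
    saved once at JPEG quality 75, standing in for an untouched photo, with a
    32x32 block of fresh random texture pasted in afterwards, standing in for
    a region edited and never re-compressed. Returns (image, pasted_box)."""
    base = Image.new("RGB", (128, 128))
    px = base.load()
    for y in range(128):
        for x in range(128):
            px[x, y] = (x * 2 % 256, y * 2 % 256, (x + y) % 256)
    buf = io.BytesIO()
    base.save(buf, "JPEG", quality=75)
    buf.seek(0)
    photo = Image.open(buf).convert("RGB")

    rnd = random.Random(seed)
    patch = Image.new("RGB", (32, 32))
    pp = patch.load()
    for y in range(32):
        for x in range(32):
            pp[x, y] = (rnd.randrange(256), rnd.randrange(256), rnd.randrange(256))
    photo.paste(patch, (48, 48))
    return photo, (48, 48, 80, 80)


def splice_ratio(image: Image.Image, suspect_box: tuple, control_box: tuple) -> float:
    """How much brighter the suspect region is in the ELA image than a control
    region; values well above 1 are the highlighted-in-white effect the text
    describes."""
    err = error_level(image)
    return mean_error(err, suspect_box) / max(mean_error(err, control_box), 1e-6)


if __name__ == "__main__":
    img, box = build_spliced_sample()
    ratio = splice_ratio(img, box, (0, 0, 128, 32))
    print(f"ELA mean error, pasted region vs. untouched strip: {ratio:.1f}x")
```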

Error Level Analysis can be performed online at fotoforensics.com. By uploading a JPG or PNG image to the site, the image is analyzed for ELA. The image’s metadata is also reported. The user also has the option to select TinEye (“TinEye Reverse Image Search,” 2015), a web service (tineye.com) that can be used to find any similar images online (“FotoForensics,” n.d.).

In 2013, a photo of mourners in Gaza (“Gaza Burial”), by Paul Hansen, was selected as the World Press Photo of the Year-Spot News (“Gaza Burial, by Paul Hansen,” n.d.). Experts were suspicious of the photo’s authenticity as they detected unusual light and shadows for the time of day it was purportedly taken. Two forensics experts arrived at different conclusions. Neal Krawetz concluded that there was significant alteration to the image and that, based on the XMP metadata, the image was comprised of four different images (see Figure 11). Forensic analyst Hany Farid concluded that the photo did go through alterations, but it was no more than “burning and dodging” to adjust lightness, as evidenced in Figure 12 (Anthony, 2013).

Figure 10: Error Level Analysis (ELA) shows image modification.

Figure 11: Metadata from the Gaza photo that Krawetz uploaded to fotoforensics.com.

Photoshop has been used for dishonest purposes for many years, and it makes such fakes very easy to perpetrate, leading many people to believe that what they are seeing is true until it is proven fake. One well-known Photoshop fake, and maybe one of the most insensitive, was the “911 Tourist.” In the photo, a man is seen standing by a rail on the Twin Towers as one of the hijacked planes approaches (see Figure 13).

The photo was meant as a “joke,” and was taken by Hungarian tourist Peter Guzil, who was in New York in 1997 (four years before the attack). He Photoshopped the plane into the scene (note the timestamp). The image spread virally via email (“Famous Photoshopped Fakes,” n.d.).

Viewing photographs is a personal experience that gives them emotional credibility. People associate images with personal experiences, values, biases and assumptions causing a wide range of emotions to be exhibited. Cynthia Baron writes in her book Adobe Forensics:

We can feel the visual punch of a scene in a photo, on video, or on TV hundreds of miles and years away. People who experienced the collapse of the World Trade Center on television know how completely the event overwhelmed the physical space they were in as they watched. (Baron, p. 28, 2008)

People are adept at recognizing patterns. German Neurologist and Psychologist Klaus Conrad described this tendency as “apophenia,” a type of “psychic thought process.” Science historian Michael Shermer uses the term “patternicity.” In either case, apophenia is used to describe the phenomenon of seeing faces, particularly in unlikely places. There are many reports of seeing the face of Jesus Christ or the Virgin Mary in burnt toast, shower mold, motor oil or tree bark.

Figure 12: The Gaza mourners photo (left) and the ELA representation that shows extensive alterations (right).


Similar to Wilson Key’s “subliminal persuasion,” people see what they want to see (Poulsen, 2012).

In 1976, the Viking Mars Orbiter sent back an interesting image from its flyover of Mars. When the area known as Cydonia Mensae was examined, something curious was detected (see Figure 14). Photoshop’s Dust and Scratches and Despeckle filters were applied to the image and then adjusted with Curves, and what appeared seemed to be the face of an “Egyptian god.” The Martian god is only a fanciful interpretation of reality as are the sightings of Jesus in breakfast foods. Cynthia Baron explains, “It takes very little detail for us to form high-contrast shadows and reflections into features” (Baron, p. 323, 2008).

Photoshop and Acrobat are both available through the Adobe Creative Cloud subscription service for 30-day trial periods. This makes using the programs, and experimenting with them, very convenient and cost-effective. Using a combination of Photoshop and Acrobat, images can be altered and hidden effectively. Figure 15 shows a two-layered image in Photoshop CC (2014). The bottom (background) layer is an image of a golf course. The secondary layer is a solid black overlay.

The file is saved from Photoshop as a PDF and then it is opened in Adobe Acrobat Pro XI (see Figure 16). Although the image contains the golf course and the black overlay, only black is seen when opening the PDF in Acrobat. When the PDF is opened in Photoshop, it retains the layers, the black overlay can be unchecked, and the golf course is revealed (see Figure 17).

This is a simple way to hide an image and send it as a PDF without drawing suspicion. If the PDF is intercepted and opened in Acrobat, the only thing that would be visible is the black overlay. The recipient would need to use Photoshop to be able to open the image and show the layers. Acrobat’s Preflight panels do not reveal the presence of the golf course image (see Figure 18) (Macharyas, 2015).

Figure 13: Peter Guzil in New York—1997.

Figure 14. Photoshop-enhanced image of rock formation on Mars appears to be a face.

Figure 15: Two-layer (yellow circle) image created in Photoshop CC (2014).

Another method of hiding information is with OpenPuff. OpenPuff can hide data in several types of carriers, such as JPG, MP3, etc., and send it to the unsuspecting recipient. Without knowing the information is in there, an interceptor wouldn’t know to look for it. The recipient would have to have OpenPuff and the authentication to extract it (Zuckerman, 2013).

For several years, Photoshop has been an essential forensic tool for examiners and law enforcement personnel. A cottage industry has arisen to meet the training demand. Companies such as Rocky Mountain Training offer Photoshop for Forensic Personnel courses for $600 (“Discover new dimensions in digital imaging,” n.d.).

Training opportunities for most Adobe products, and in particular, Photoshop, can be taken through Massive Open Online Course (MOOC) providers, such as Udemy (“Photoshop Training Course,” n.d.), Alison (“Online Photoshop Classes,” n.d.), freelance graphic designers on Craigslist (“Learn Graphic Design using Adobe Photoshop - $200!!!,” 2015), or from Adobe itself (“Photoshop CC tutorials,” n.d.). The MOOCs offer certifications of completion, but Adobe offers its own, highly valued, certifications. Beginners can earn the Adobe Certified Associate (ACA), advanced users the Adobe Certified Expert (ACE), and those looking to teach Adobe, the Adobe Certified Instructor (ACI) (“Adobe Certified Expert Training,” n.d.). These courses, and certifications, are valuable for forensic examiners and law enforcement to add credence to their claims when analyzing images or presenting them as evidence in court. Adobe Certified Experts are rare: a search of Photoshop ACEs in Florida returns only 29 results, and the District of Columbia, zero (“Adobe Certified Expert Finder,” n.d.).

Figure 16: The Photoshop image is saved as a PDF and opened in Adobe Acrobat Pro XI.

Figure 17: PDF, in Photoshop, retains the layers, which can be turned on and off (yellow circle) to reveal the hidden image.

Figure 18: Acrobat’s Preflight does not show background image.

There are many books and CD guides for examiners to learn the workings of Photoshop, such as Jim Hoerricks’ Forensic Photoshop (Hoerricks, 2008). Hoerricks claims that Photoshop can withstand a “Swinton Six” challenge. The Swinton Six refers to a 2004 Connecticut legal case, State v. Swinton, in which Photoshop was used to create demonstrations of bite mark overlays that showed that the defendant had bitten the victim (Guthrie & Mitchell, 2007).

Photographic evidence must pass the test of fairness and completeness. Prior to digital photography, film images had to pass this test as well, as physical photographs could be altered, cropped, resized and distorted much like digital images. For digital images to pass the test, the following checklist was developed by Veronica Blas Dahir, manager of the Center for Research Design and Analysis at the University of Nevada, Reno (“Veronica Blas Dahir,” n.d.):

1. Completeness—Completeness of the photo is a common objection with digital photos due to the rampant availability of cropping capabilities.

   a. Cropping—is the photo unfairly cropped in the context for which it is used?
   b. Can a small version of the photo be juxtaposed next to an enlarged cropped portion?

2. Unfairness—Does the use of digital enhancement software raise unfairness concerns because of:

   a. Resizing
   b. Reshaping
   c. Cropping
   d. Changes to lighting
   e. Changes to color
   f. Enlargements (e.g., to a size larger than life) (Dahir, p. 109, 2011)

Law enforcement agencies around the world have also used Photoshop to hide their misdeeds. In 2013, four men were arrested for armed robbery in Greece. The media photographed them at the scene of the crime and it was evident that the police had roughed them up. When the mug shots were released a few days later, the suspects’ wounds were no longer apparent. Similar to Slate’s experiment in which 26% of respondents “remembered” a non-existent handshake between Presidents Obama and Ahmadinejad, the Greek officials were expecting the public to accept their altered reality just because “they said so.” Public Order Minister Nikos Dendias did admit that the images were Photoshopped, but only to make the men “more recognizable” to the public (Feinberg, 2013).


Portable Document Format (PDF)

Conducting a forensic examination of a PDF file is not very complicated and it can yield a lot of data, which can be used to create connections using open source tools or the Internet. Metadata in PDF files is easy to view. Although there are several metadata tools, such as PDFwalker, PDFid, and PDFmetadata, simply checking the PDF’s Document Properties can provide a lot of information. In the PDF metadataadvisor.pdf (see Figure 19), downloaded from msisac.cisecurity.org, the Properties panel shows the program that created it, the author of the document, the date it was created, and more.

The metadata in the PDF shows that Margaret Morrissey created it. Morrissey used Microsoft Word on a Mac on October 24, 2011 at 2:45:39 pm. That information was useful in “following the trail” to find the actual person who created the document, as her name does not appear in the PDF content. With the name extracted from the metadata (see Figure 20), the location (Albany, New York) referenced in the document, and “cybersecurity initiatives” in the text, it is evident that the author of the PDF is Margaret Morrissey, Executive Assistant, New York State Cyber Security, Albany, New York, www.cscic.state.ny.us (Morrissey, 2011).

Wepawet is a free online tool that can be used for forensic examination of PDFs. The Morrissey PDF was uploaded to wepawet.org for analysis. The free online service returned a report showing that metadataadvisory.pdf was free of exploits (see Figure 21) (Cova, Kapravelos, Fratantonio, Kruegel, & Vigna, n.d.).

Digital signatures are a way of validating the authenticity of PDF documents. It is easy to digitally sign a PDF by providing a name and email address. Once the document has been digitally signed it cannot be modified (Segura, 2013).

However, the PDF can be opened in Photoshop and some changes can be made. In the example, the headline was removed and the file saved back as a PDF (see Figure 22). Once opened in Acrobat, it appears to be a valid, digitally signed PDF. The giveaway is if the reader tries to view the signing certificate and is unable to do so. But the altered PDF looks just like one would expect it to without conducting any basic forensics on it.

Figure 19: PDF document: Metadata: A Backdoor Into Organizations.

Figure 20: Metadata of PDF viewed with the Document Properties function in Acrobat Pro XI.


If one were to view the Document Properties of the altered and unaltered PDFs, it would be obvious there is a difference (see Figure 23). Ms. Morrissey, using her Mac OSX 10.6.8 system, created the original PDF file. The altered PDF was produced via Photoshop. To the casual observer, this information would probably never be investigated and the fraudulent PDF would be considered authentic and correct.
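The Document Properties check described above, as an added example that is not the paper's code: it reads the Info dictionary fields (/Author, /Creator, /Producer, /CreationDate) directly from the bytes of a PDF, decodes the PDF date format, reports which fields differ between two files (the changed Producer that gives away the Photoshop round trip), and flags a /PieceInfo page-piece dictionary, the slot PDF reserves for application-private data, which is assumed here to be where Photoshop keeps its native layer data when it writes a PDF. The two PDFs are constructed stand-ins with assumed producer strings, not the metadataadvisory.pdf the paper examines.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Word-on-Mac original; every value here,
# including the Producer string, is an assumption, not the paper's file.
ORIGINAL_PDF = (
    b"%PDF-1.3\n"
    b"3 0 obj\n<< /Type /Page /MediaBox [0 0 612 792] >>\nendobj\n"
    b"4 0 obj\n<< /Title (Metadata: A Backdoor Into Organizations)\n"
    b"   /Author (Sample Author) /Creator (Microsoft Word)\n"
    b"   /Producer (Mac OS X 10.6.8 Quartz PDFContext)\n"
    b"   /CreationDate (D:20111024144539-04'00') >>\nendobj\n"
    b"trailer\n<< /Info 4 0 R >>\n%%EOF\n"
)
# Constructed stand-in for the same page after a round trip through Photoshop:
# different producer chain, fresh date, no author, and a /PieceInfo entry on
# the page (assumed: application-private data such as Photoshop's layers).
ALTERED_PDF = (
    b"%PDF-1.5\n"
    b"3 0 obj\n<< /Type /Page /MediaBox [0 0 612 792]\n"
    b"   /PieceInfo << /Photoshop << /Private 5 0 R >> >> >>\nendobj\n"
    b"4 0 obj\n<< /Title (Metadata: A Backdoor Into Organizations)\n"
    b"   /Creator (Adobe Photoshop CC 2014 \\(Macintosh\\))\n"
    b"   /Producer (Adobe Photoshop for Macintosh -- Image Conversion Plug-in)\n"
    b"   /CreationDate (D:20150601101500-04'00')\n"
    b"   /ModDate (D:20150601101500-04'00') >>\nendobj\n"
    b"trailer\n<< /Info 4 0 R >>\n%%EOF\n"
)
INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")
PDF_DATE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+\-])?(\d{2})?'?(\d{2})?")


def _read_literal(buf: bytes, start: int) -> str:
    """Read the PDF literal string whose opening '(' is at buf[start]; handles
    balanced nested parentheses and backslash escapes (named escapes such as
    a backslash-n are simplified to the bare character)."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    text = bytes(out)
    return text.decode("utf-16") if text.startswith(b"\xfe\xff") else text.decode("latin-1")


def info_dictionary(pdf: bytes) -> bytes:
    """Follow the trailer's /Info reference to that object's dictionary."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return b""
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
                    + rb"\s+obj\s*(<<.*?>>)\s*endobj", pdf, re.S)
    return obj.group(1) if obj else b""


def extract_metadata(pdf: bytes) -> dict:
    """The Document Properties fields present in the Info dictionary."""
    d, meta = info_dictionary(pdf), {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(", d)
        if m:
            meta[key] = _read_literal(d, m.end() - 1)
    return meta


def parse_pdf_date(value: str):
    """Decode a PDF date such as D:20111024144539-04'00' into an aware datetime
    (the October 24, 2011, 2:45:39 pm that the text reads off the file)."""
    m = PDF_DATE.match(value or "")
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(-offset if sign == "-" else offset)
    return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0),
                    int(mi or 0), int(s or 0), tzinfo=tz)


def compare_provenance(a: bytes, b: bytes) -> dict:
    """Fields whose values differ between two PDFs, as {field: (in_a, in_b)}."""
    ma, mb = extract_metadata(a), extract_metadata(b)
    return {k: (ma.get(k), mb.get(k)) for k in INFO_KEYS if ma.get(k) != mb.get(k)}


def has_private_app_data(pdf: bytes) -> bool:
    """True when a page carries /PieceInfo: native application data that a
    viewer does not render (assumed to be how Photoshop keeps layers in a PDF)."""
    return re.search(rb"/PieceInfo\s*<<", pdf) is not None


if __name__ == "__main__":
    for name, pdf in (("original", ORIGINAL_PDF), ("altered", ALTERED_PDF)):
        meta = extract_metadata(pdf)
        print(name, "|", meta.get("Creator"), "|", meta.get("Producer"),
              "|", parse_pdf_date(meta.get("CreationDate")))
    print("fields that differ:", sorted(compare_provenance(ORIGINAL_PDF, ALTERED_PDF)))
    print("private application data in altered copy:", has_private_app_data(ALTERED_PDF))
```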

As diligent as forensic examiners can be, it is sometimes not entirely possible to be certain of the results. In the Obama Birth Certificate controversy, the document was examined right down to the binary code to try to determine if it was fake or not. There is still some doubt about its validity based on the metadata found in the PDF that the White House provided. WorldNetDaily writer Jerome Corsi posted a PDF document based on research conducted by co-conspiracy theorist, Garrett Papit, that makes a case that, even though the PDF producer was identified as a non-Adobe producer, it is possible that an earlier iteration, before it was “Saved As…” by the White House from Mac Preview, could have been manipulated with an Adobe program, such as Illustrator. Papit conducted an experiment in which he took a Hawaiian birth certificate, manipulated it with Illustrator and saved it as a PDF through Mac Preview to show that no Adobe metadata was retained (Papit, 2012).

Papit and Corsi, along with Sheriff Arpaio and Donald Trump, have been using the “fraudulent birth certificate” against President Obama for years simply to make political points and feed their conspiracy-crazed ideals. Common citizens and forensic examiners can use Adobe software for many benign purposes, but the tools themselves can be perverted to present a political view of the user’s choosing. This tactic can easily backfire, however. Now that Donald Trump is himself a presidential candidate, he has been asked to provide his long-form birth certificate, just as he demanded from President Obama. Trump refused (Gabbatt, 2015). Trump staffer Michael Cohen responded to the Guardian’s request for the document by saying the paper was trying to “be funny” and that the request was “stupid” (Gutentag, 2015). Donald John Trump claims to have been born June 14, 1946, in Queens, New York. Whether he was or wasn’t we may never know, but a new army of Adobe-armed cybersleuths will be ready to take up the call and analyze every pixel and string of code in any document Trump may produce.

Figure 21: Wepawet analyzed the PDF and reported it was clean.

Figure 22: Left: Validly signed PDF. Right: Altered PDF, filtered through Photoshop, after the headline was removed.

Figure 23: Metadata shows the PDF Producer for each document is different, indicating that it had been altered.

ColdFusion

Websites are built with a variety of tools. WordPress, Joomla, Drupal, straight HTML coded with Notepad, development tools such as Dreamweaver, or even print-based programs such as QuarkXPress, and ColdFusion are some tools used for website development. There are several methods that can be used to determine how a website was built. One method is with the free online tool, BuiltWith. By entering the URL of the target website, BuiltWith will produce a report that shows the website’s framework, server, email service, advertising, analytics, JavaScript libraries, mobile, video, widgets, and more.

Entering “Utica.edu” returns a report that shows that the site uses a ColdFusion framework. It shows that Utica.edu uses SWFObject, a small JavaScript file used for embedding Adobe Flash content, as well. By viewing the detailed report, it is noted that Utica.edu first used ColdFusion in January 2011 and it has been in use for four years. BuiltWith also shows comparison and general usage of the selected tool. The report shows a decline in ColdFusion sites and that only 0.1% of the entire Internet is using ColdFusion (219,712 of 328,854,228). By comparison, viewing a report of a website (Macharyas.com), created with the more popular web tool, WordPress, shows an increase in use and 5% of the Internet using WordPress (16,380,242 of 328,854,228) (“UTICA.EDU Technology Profiler,” 2015).

Another method of determining how a site was built is by examining the source code. Showing a site’s source code is a function of the browser. Apple OSX Firefox users can open a window showing the source code by entering command-U. By looking through the code, or by searching for a specific string, the framework can easily be determined. Searching through the source code of Utica.edu turns up the extension “.cfm,” for example in this string: <a id="header_C00F8FD8-E9B7-9AAE-1157C5D8D369EF89" href="/college/students.cfm" class="showheader showheaderfocus">Students</a>. Searching the code for all instances of “.cfm” returns 62 results. This is the extension used by ColdFusion (“.CFM File Extension,” 2011).
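The same source-code check done programmatically, as an added example that is not part of the paper: it tallies the extensions of every link target on a page, names the server-side framework they point to (.cfm and .cfc for ColdFusion, as the text notes; the other mappings are added for contrast), and records whether the SWFObject Flash-embedding script is loaded. The sample HTML is constructed here; only the Students link is the string quoted from Utica.edu.

```python
import os
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link extensions that give away the server-side framework. .cfm/.cfc are
# ColdFusion, as the text notes; the other mappings are added for contrast.
EXTENSION_HINTS = {
    ".cfm": "ColdFusion", ".cfc": "ColdFusion", ".php": "PHP",
    ".aspx": "ASP.NET", ".jsp": "Java (JSP)",
}

# Constructed sample page. The Students link is the string the text quotes
# from Utica.edu; every other line is made up for this example.
SAMPLE_HTML = """
<html><head>
<script src="/js/swfobject.js"></script>
<script src="https://cdn.example.invalid/jquery.js"></script>
</head><body>
<a id="header_C00F8FD8-E9B7-9AAE-1157C5D8D369EF89" href="/college/students.cfm" class="showheader showheaderfocus">Students</a>
<a href="/college/faculty.cfm?dept=cs">Faculty</a>
<a href="/news/index.cfm">News</a>
<a href="/docs/handbook.pdf">Handbook</a>
<a href="https://www.example.invalid/about">About</a>
<form action="/search.cfm" method="get"><input name="q"></form>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Gather link targets (a/href, form/action) and script sources."""

    def __init__(self):
        super().__init__()
        self.targets, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def fingerprint(html: str) -> dict:
    """Tally link-path extensions, name the framework they point to, and note
    whether SWFObject (the Flash-embedding helper) is loaded."""
    parser = LinkCollector()
    parser.feed(html)
    # urlsplit drops the ?query, so 'faculty.cfm?dept=cs' still counts as .cfm
    exts = Counter(os.path.splitext(urlsplit(t).path)[1].lower() for t in parser.targets)
    exts.pop("", None)  # extension-less paths say nothing about the framework
    frameworks = Counter()
    for ext, n in exts.items():
        if ext in EXTENSION_HINTS:
            frameworks[EXTENSION_HINTS[ext]] += n
    return {
        "extensions": dict(exts),
        "framework": frameworks.most_common(1)[0][0] if frameworks else None,
        "cfm_hits": exts.get(".cfm", 0),
        "swfobject": any("swfobject" in os.path.basename(urlsplit(s).path).lower()
                         for s in parser.scripts),
    }


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
```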


InDesign

Many publications, such as Selling Power, The American Spectator and To-day’s Campus switched from QuarkXPress to InDesign in the early 2000s.

InDesign hasn’t presented the forensic challenges that PDFs, Flash, ColdFusion and Photoshop have, but it is interesting to note that, even in this seemingly innocuous program, there is metadata embedded that can be analyzed. Editors and publishers can use this metadata to keep track of their employees’ work as the InDesign file is modified (Wheeler, 2008). Figure 24 shows the September 2013 cover of The American Spectator magazine InDesign file. Viewing the metadata (“Adobe InDesign Component Information”) by holding down the Command key and selecting “About InDesign,” it is clear that this document was originally created in July 2012 and modified several times. This could be an indication of another’s work being appropriated, modified and passed off as original work. This form of evidence would need to be corroborated with work orders, time clocks, emails, etc.

Adobe software continues to expand and it becomes increasingly embedded in our lives, much the same as Microsoft and Google have become. Many people just aren’t aware of it, though. People may have heard of Flash and PDF, and maybe know someone who uses Illustrator or InDesign, but Adobe reaches far and wide. Many people do not realize how often they use Adobe programs. Even people who use some Adobe products for their work, such as InDesign and Photoshop, may not realize that they use more Adobe products elsewhere, such as Flash, PDFs and ColdFusion, and are exposed to the exploits inherent in those programs. The Adobe Marketing Cloud, and its 2011 acquisition of Nitobi’s PhoneGap (a framework that allows developers to create mobile applications using JavaScript, HTML5 and CSS3), make Adobe a huge, unseen force, from the desktop to the printed page, to the screen on the latest smartphone (Koetsier, 2015).

Figure 24: Metadata derived from Adobe InDesign file.


Future Research and Recommendations

This report covers a small portion of Adobe programs, systems, and corporate-customer relations and the threats that can be introduced into all those components. Adobe products are grouped into “suites.” Each suite is tailored to a specific purpose. As of this writing, Adobe suites consist of Adobe Marketing Cloud, Adobe Creative Suite, Adobe Creative Cloud, Adobe Technical Communication Suite, Adobe eLearning Suite, and Adobe’s discontinued, but still used, programs such as PageMaker, FreeHand, GoLive, Streamline and ImageReady (see Appendix B). Within these suites are the individual programs. For example, the Adobe Marketing Cloud contains Experience Manager, Adobe Analytics, Adobe Media Optimizer, Adobe Campaign, Adobe Target, and Adobe Social. All of these programs and modules can be used to introduce threats to consumers and for other nefarious purposes, and they contain important forensic information that examiners can extract if they know how to parse it (“List of Adobe software,” 2015).

In October 2014, Adobe launched a suite of programs for use on mobile devices, beginning with Apple’s iOS. These “Capture” apps allow mobile device users to experience Adobe programs on phones and tablets. The work performed on the devices is non-destructive, with the original versions retained in the Adobe Cloud. The results can then be integrated with desktop versions of Adobe software, such as Photoshop. The mobile apps are offered free of charge, but to use them an Adobe ID is required. As more people become Adobe users, the risk for exploits grows along with it. Adobe has suffered catastrophic breaches in the past with its desktop-based and Cloud storage systems, and mobile device usage for the masses will only expand that threat. Writing for Forbes, Anthony Wing Kosner shares this scenario:

Imagine (as I am sure Adobe is) that your nine-year-old who loves Instagram starts using one of the new Adobe apps. Her Adobe ID will become her portfolio and keepsake of her early creative development. As she hones her skills, it may also help her get into college or land her first job or freelance gig. (Kosner, 2014)

In June 2015, Adobe expanded their mobile device collection further by introducing Creative Cloud mobile apps for Android devices through the Google Play app store. Formerly only available on Apple iOS, Android users can now use Color CC, Photoshop Mix, Brush CC and Shape CC. With the inclusion of Android devices, Adobe is now available on virtually any device worldwide, which has far-reaching consequences for exploits in the United States and abroad (Dove, 2015).

Photoshop will play an increasingly larger role in the future as 3D printing grows in popularity. Adobe has added new 3D features to Photoshop and the future can only promise more. The newest version of Photoshop includes 3D mesh simplification for processing and performance improvements, 3D bump maps for adding texture, and the ability to edit 3D color, which has been a problem due to incompatibility with vertex colors, which are contained in most 3D scans (Millsaps, 2015). Vertex colors, or “vcolor,” are RGB colors with an added alpha channel that can be applied to every vertex of a mesh. “Nerseus” explains on the IMVU 3D Social Network forum:

With vertex colors, you can “paint” on your model, and it will influence the colors put on by the texture map. You could, for example, put one texture on two walls but have each get different shadows. Or you could model a lamp in the corner of your room and have it put “light” on the wall. (Nerseus, 2011)

Photoshop is an essential tool for investigators to use in analyzing photographs. Even if the photos are of poor quality, a trained Photoshop user can enhance the image in numerous ways by sharpening details, reducing shadows, reducing blur or noise, or zooming, amongst others. Adobe software is more than just what Adobe “ships in the box.” Plug-ins extend the products and customize them for each individual’s use. As industries increasingly use Adobe software for their purposes and hackers and criminals use the software for their criminal purposes, Adobe software will need to be examined forensically for many years. There are plug-ins available that can be added to Photoshop to increase its usefulness to forensic examiners. Existing and pre-development plug-ins are areas that will require future and sustained study. One such plug-in is ClearID. ClearID is a non-destructive plug-in and can be used to analyze stills and video. ClearID also hashes images automatically with a SHA-1 hash for verification. ClearID is part of the dTective suite of tools that can analyze many forms of image media (“ClearID Image Clarification for Adobe Photoshop,” 2015).
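The automatic hashing that the text credits to ClearID serves a specific purpose: the digest recorded at acquisition lets an examiner prove later that an enhanced working copy was derived from an unaltered original. The following added example (written for this discussion, not code from the paper, ClearID or dTective) shows that workflow as a hash manifest. The image bytes are constructed stand-ins; the example records SHA-256 alongside SHA-1 because practical SHA-1 collisions have since been demonstrated, so a SHA-1 match alone should not be the only integrity evidence.

```python
"""Acquisition hash manifest for image evidence (added example).

Not code from the paper or from the ClearID plug-in. It records SHA-1 (the
digest the plug-in is described as using) and SHA-256 for each original at
acquisition, then checks a later set of files against that record so that
altered, missing or unexpected files are reported rather than assumed.
"""
import hashlib
import json


def digest(data):
    """Both digests for one file's bytes."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_manifest(originals):
    """originals: {filename: bytes} captured before any enhancement."""
    return {name: digest(data) for name, data in originals.items()}


def manifest_json(manifest):
    """Serialised manifest suitable for storing beside the evidence."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify(manifest, files):
    """Compare a later set of files against the acquisition manifest.

    Returns {filename: 'ok' | 'ALTERED' | 'ALTERED (SHA-1 collision)'
                       | 'MISSING' | 'UNEXPECTED'}.
    """
    report = {}
    for name, recorded in manifest.items():
        if name not in files:
            report[name] = "MISSING"
            continue
        now = digest(files[name])
        if now == recorded:
            report[name] = "ok"
        elif now["sha1"] == recorded["sha1"]:
            # Same SHA-1 but different SHA-256: the bytes changed even though
            # the weaker digest still agrees, which SHA-1 alone would miss.
            report[name] = "ALTERED (SHA-1 collision)"
        else:
            report[name] = "ALTERED"
    for name in files:
        if name not in manifest:
            report[name] = "UNEXPECTED"
    return report


# Constructed sample data, not real image files: two "frames" as captured.
ORIGINALS = {
    "frame_0001.png": b"\x89PNG\r\n\x1a\n" + b"frame one pixel data" * 8,
    "frame_0002.png": b"\x89PNG\r\n\x1a\n" + b"frame two pixel data" * 8,
}

# The working set after an analyst's session: frame 2 was overwritten
# in place (a destructive edit) and an enhanced copy was added.
WORKING_COPIES = {
    "frame_0001.png": ORIGINALS["frame_0001.png"],
    "frame_0002.png": ORIGINALS["frame_0002.png"] + b"\x00",
    "frame_0002_enhanced.png": b"\x89PNG\r\n\x1a\n" + b"sharpened" * 8,
}

if __name__ == "__main__":
    manifest = build_manifest(ORIGINALS)
    print(manifest_json(manifest))
    for name, status in sorted(verify(manifest, WORKING_COPIES).items()):
        print(f"{status:10} {name}")
```

The point of the non-destructive workflow the text describes is that `verify` should report every original as “ok” and only the derived copies as “UNEXPECTED”; an “ALTERED” original means the chain of custody for that image needs explaining.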

The “Color Deconvolution” plug-in for Photoshop is used to recover erased text, simulate infrared photography and remove stains in photo restoration cases. The “Warping” plug-in can change the perspective of a scene. For example, an image of a parking lot taken from the vantage point of a truck can be altered to show the vantage point from higher up, such as from a drone. The “Fourier Transform” plug-in is useful for removing periodic patterns, such as halftone screens. When applied to an image of a fingerprint, the image can be enhanced when repeated pattern distortions are removed. The “Digitization” plug-in is valuable for document analysis. For example, a copied document can be examined and the Digitization plug-in can be used to create coordinates of specks on the image that can then be matched up to a suspected copier used for nefarious purposes. It can also be used to compare printer output to determine whether a suspected printer was used (“4N6site.com Forensic Photoshop Plug-ins,” n.d.).

Photoshop is also a useful tool for cyberbullies. Summer Bias, writing for AOL Digital Matters, explains how Photoshop can be used as a tool of cyberbullying:


Thanks to mobile texting, blogs and social networking, the spread of information is so fast, easy and free that it makes the hallway gossip of yesteryear look downright archaic. Kids don’t have to wait for a story to pass from one person to another (to another) anymore. They can tell one story to a thousand people with one single click. And, instead of just whispering about who did what with whom, kids can now post photos or videos of the act—easily obtained with cell phone cameras and possibly manipulated with tools such as PhotoShop. (Bias, 2012)

Parents can use Photoshop to “shame” their own children as well. Akron, Ohio, mother Denise Abbott did just that to her 13-year-old daughter Ava, for airing her gripes on Facebook. Abbott used Photoshop to post an image of Ava with a red “X” placed over her mouth with the following text: “I do not know how to keep my (mouth shut). I am no longer allowed on Facebook or my phone. Please ask why. My mom says I have to answer everyone that asks” (Hinduja, 2012).

Criminals, forensic analysts, designers, photographers and regular people, trying to prove a point, use Photoshop. In many instances, it is obvious that there is criminal intent, but there are also many cases, such as the Abbott case, in which Photoshop is used for personal retaliation, sometimes directed at family matters. A complete study of Photoshop’s uses, from criminal intent to personal gripes, cyberbullying, and shaming is an area worthy of additional study. Photoshop’s use can also have unintended consequences. With all the best of intentions, sometimes the use of Photoshop can be taken too far. An all-girls high school yearbook photo of Reddit user “love_a_good_ood” was altered to a degree that the student lashed out on social media (see Figure 25). Writing on Reddit, she posted:

I have a round face that I have grown to love and now I get my photo back with a different face. The new photo no longer even looks like me but rather a prettier twin sister. (Mastroeni, 2015)

The psychological impact of Photoshop’s results would make for an interesting psychological abstract. Users of Photoshop will intentionally subvert an image for criminal intent but sometimes there are unintended consequences. The impact on society by Photoshop’s results is an area that can be studied further. Photoshop is so insidious that many people do not realize how it has been used throughout history to alter reality or manipulate perception, as well as to retaliate against one’s enemies.

Adobe products are available for Windows and Apple OS and are considered the de facto programs for creating many forms of documents and creative communications. However, this does not mean that the results created from these products cannot be achieved by using other programs. There are several open source programs that work almost identically to Adobe programs. Open Office and Libre Office are open source programs that can be used in almost the same way as Microsoft Office, but without the cost.

Figure 25: Photoshop used to alter high school yearbook photo.

There are also open source tools available that “mimic” Adobe products. GIMP is an open source alternative to Photoshop. Although it does not currently support Pantone colors and there is no formal training or certification for GIMP users, GIMP is free. GIMP uses much less hard disk space and is compatible with Windows, Mac OS and Linux. GIMP can work with file formats such as JPG and PNG just as Photoshop can, but its native file extension is XCF as opposed to Photoshop’s PSD (Mikoluk, 2013).

Scribus is an open source alternative to InDesign (or QuarkXPress). It performs similarly to InDesign and can be used to create material much in the same way. Although not in wide use for larger projects, Scribus is an acceptable option for smaller projects, such as brochures and menus. Scribus does feature the ability to export PDFs with animation and interactive features. Although users cannot import native InDesign or QuarkXPress files, Scribus does support importing Microsoft Publisher files. Scribus native files use SLA as the file extension, whereas InDesign uses INDD. Scribus runs on Windows, Mac OS and Linux, as well, and like GIMP, it’s free (Huang, 2013).

Knowing about and learning how to use these open source tools is important for forensic examiners and law enforcement. When faced with a hard drive full of evidence, it may be easy to overlook a file with a name such as “badguy.xcf” and not realize that this is an image file that can be easily opened with GIMP. Or, when searching for an incriminating document, an examiner might overlook “ransom-note.sla” without realizing that the suspect was using Scribus for his criminal enterprise. It is also important to use these programs to try to open files that cannot be opened otherwise, such as using Scribus to open Microsoft Publisher files. In certain circumstances, a similar program can open a file type that the “go-to” program cannot. Learning these programs will enable examiners and law enforcement to make quicker and more logical decisions when faced with unusual files. Adobe’s large number of programs produce a large number of file extensions. Many of these would be unknown to a forensic examiner and many could have been produced by discontinued programs. Adobe’s discontinued website-building program, GoLive, produces a SITE extension (“File Extension .SITE Details,” n.d.). A complete list of Adobe file extensions, for supported and unsupported programs, and their resulting file extensions should be compiled for easy reference.
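The reference list of extensions the paragraph calls for is most useful when it is paired with a content check, because a suspect can rename “badguy.xcf” to “holiday.jpg” and an extension-only search will miss it. The following added example (written for this discussion, not code from the paper) combines a small extension table drawn from the programs named in the text with well-known file signatures, so that a triage pass reports files whose contents do not agree with their extension. The sample files are constructed; the Scribus root-element check and the InDesign signature are taken from public format descriptions and are marked as assumptions in the code, so an examiner should confirm them against known-good samples before relying on them.

```python
"""Extension versus content triage for Adobe and open source file types.

Added example, not code from the paper. `identify` looks a file's extension
up in a reference table and independently sniffs the first bytes, then
reports whether the two agree. Signatures for PDF, PSD, XCF, SWF, JPEG and
PNG are standard; the InDesign signature and the Scribus root element are
recorded here as assumptions from public format descriptions.
"""
import os

# (leading bytes, description, extensions that legitimately carry them)
MAGIC = [
    (b"%PDF-", "PDF document", {".pdf", ".ai"}),   # .ai is PDF-based
    (b"8BPS", "Adobe Photoshop image", {".psd", ".psb"}),
    (b"gimp xcf ", "GIMP image", {".xcf"}),
    (b"FWS", "Adobe Flash movie (uncompressed SWF)", {".swf"}),
    (b"CWS", "Adobe Flash movie (zlib-compressed SWF)", {".swf"}),
    (b"ZWS", "Adobe Flash movie (LZMA-compressed SWF)", {".swf"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    # Assumed InDesign document signature (verify against a known sample).
    (bytes.fromhex("0606EDF5D81D46E5BD31EFE7FE74B71D"),
     "Adobe InDesign document", {".indd"}),
]

# Extension reference table: the programs the text names plus a few common ones.
EXTENSIONS = {
    ".xcf": "GIMP image", ".psd": "Adobe Photoshop image",
    ".sla": "Scribus document", ".indd": "Adobe InDesign document",
    ".pdf": "PDF document", ".swf": "Adobe Flash movie",
    ".site": "Adobe GoLive site (discontinued program)",
    ".cfm": "ColdFusion template (text)", ".ai": "Adobe Illustrator (PDF-based)",
    ".jpg": "JPEG image", ".jpeg": "JPEG image", ".png": "PNG image",
}


def sniff(header):
    """Return (description, allowed extensions) from leading bytes, or (None, set())."""
    for magic, description, exts in MAGIC:
        if header.startswith(magic):
            return description, exts
    # Scribus files are XML; assumed root element name (check on a real .sla).
    if b"<SCRIBUSUTF8NEW" in header[:1024]:
        return "Scribus document", {".sla"}
    return None, set()


def identify(filename, header):
    """Classify one file as match / mismatch / unknown-content."""
    ext = os.path.splitext(filename)[1].lower()
    content, allowed = sniff(header)
    if content is None:
        verdict = "unknown-content"
    elif ext in allowed:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"file": filename, "extension": ext,
            "extension_app": EXTENSIONS.get(ext, "unknown extension"),
            "content": content, "verdict": verdict}


def triage(files):
    """files: iterable of (filename, first bytes). Returns one record per file."""
    return [identify(name, header) for name, header in files]


def flagged(files):
    """Names of files whose extension and content disagree or are unknown."""
    return [r["file"] for r in triage(files) if r["verdict"] != "match"]


# Constructed sample headers, not real evidence files.
SAMPLE_FILES = [
    ("badguy.xcf", b"gimp xcf v011\x00" + b"\x00" * 8),
    ("holiday.jpg", b"8BPS\x00\x01" + b"\x00" * 8),          # renamed Photoshop file
    ("ransom-note.sla", b'<?xml version="1.0" encoding="UTF-8"?>\n'
                        b'<SCRIBUSUTF8NEW Version="1.4.5">'),
    ("notes.txt", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),           # renamed PDF
    ("layout.indd", bytes.fromhex("0606EDF5D81D46E5BD31EFE7FE74B71D") + b"\x00" * 4),
]

if __name__ == "__main__":
    for record in triage(SAMPLE_FILES):
        print(f"{record['verdict']:16} {record['file']:16} "
              f"ext={record['extension_app']}; content={record['content']}")
```

Reading only the first kilobyte of each file keeps the pass cheap over a full drive image, and the “mismatch” and “unknown-content” verdicts are the short list an examiner opens by hand with GIMP, Scribus or the Adobe program the content indicates.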


References4N6site.com Forensic Photoshop Plug-ins. (n.d.). Retrieved from https://dl.

dropboxusercontent.com/u/6795661/4N6site/main.htmAdobe – PageMaker Support Center. (n.d.). Retrieved from https://www.ado-

be.com/support/products/pagemaker.htmlAdobe products | Adobe. (2015, July 4). Retrieved from http://www.adobe.

com/products/catalog.htmlAdobe Systems Inc - Early History: Warnock And Geschke. (n.d.). Retrieved

from http://ecommerce.hostip.info/pages/4/Adobe-Systems-Inc-EAR-LY-HISTORY-WARNOCK-GESCHKE.html

Anthony, S. (2013, May 13). Was the 2013 World Press Photo of the Year faked with Photoshop, or merely manipulated? Retrieved from http://www.extremetech.com/extreme/155617-how-the-2013-world-press-photo-of-the-year-was-faked-with-photoshop

Arogundade, B. (n.d.). Black History 1994: The O.J. Simpson Criminal Murder Case Trial - “Time” Cover Deliberately Darkened Mugshot. Retrieved from http://www.arogundade.com/oj-simpson-murder-tri-al-case-time-and-newsweek-magazine-cover-controversy-1994-oj-simp-son-photo-manipulation.html

Baron, C. (2008). Adobe Photoshop Forensics : Sleuths, Truths, and Fauxtog-raphy. Boston, Massachusetts: Thomson Course Technology. Retrieved from http://eds.b.ebscohost.com/ehost/ebookviewer/ebook/bmxlYmtfX-zI2MzM2M19fQU41?sid=990b8d49-9676-46b4-90ab-6e07c81f6db5@sessionmgr113&vid=0&format=EB&lpid=lp_vi&rid=0

Beeck, C., Matrosov, A., Paget, F., Peterson, E., Pradeep, A., Schmugar, C., … Wosotowsky, A. (2015). McAfee Labs Threats Report. Santa Clara, Cali-fornia: Intel Security. Retrieved from http://www.mcafee.com/us/resourc-es/reports/rp-quarterly-threat-q1-2015.pdf

Belcher, P. (2014, July 14). Glenn Beck’s The Blaze Site Serving Malicious Ads. Retrieved June 30, 2015, from http://www.invincea.com/2014/07/glenn-becks-the-blaze-site-serving-malicious-ads/

Bias, S. (2012, July 31). Cyberbullying - Cliques Who Click. Re-trieved from http://blog.lifestore.aol.com/2012/07/31/cyberbully-ing-cliques-who-click/

Brodkin, J. (2011, December 9). Chrome sandboxing makes it the most secure browser, vendor study claims. Retrievedfrom http://arstechnica.com/business/news/2011/12/chrome-sandboxing-makes-it-the-most-secure-browser-vendor-study-claims.ars

Campbell, C. (2015, May 12). 5/12/2015 - Release - Flash Player 17. Adobe Communities. Retrieved from https://forums.adobe.com/thread/1843037

.CFM File Extension. (2011, March 2). Retrieved from http://fileinfo.com/extension/cfm

ClearID Image Clarification for Adobe Photoshop. (2015, May 12). Re-

Page 47: The Malicious and Forensic Uses of Adobe Software

CAPSTONE PROJECT 2015 • UTICA COLLEGE • JEFFREY P. MACHARYAS 39

trieved from http://www.oceansystems.com/forensic/forensic-Photo-shop-Plugins/index.php

Conspiracy, D. (2011, May 31). Reply to Douglas Vogt. Retrieved from http://www.obamaconspiracy.org/2011/05/reply-to-douglas-vogt/

Cova, M., Kapravelos, A., Fratantonio, Y., Kruegel, C., & Vigna, G. (n.d.). Wepawet [Browser]. The Regents of the University of California. Retrieved from http://wepawet.iseclab.org./

Crowsey, R. (n.d.). State v Swinton Sets New Guidelines for Computerized Ev-idence (p. 1). Hattiesburg, Mississippi: Crowsey, Inc. Retrieved from http://www.crowsey.com/newsSub.php?news_id=2

Current PDF Threats. (2014, August 14). Retrieved from http://www.malware-tracker.com/pdfthreat.php

Cybersecurity complacency a leading cause of data breaches. (2014, July 31). Retrieved from http://blog.trendmicro.com/cybersecurity-complacen-cy-a-leading-cause-of-data-breaches/

Danchev, D. (2011, March 3). Report: malicious PDF files becoming the attack vector of choice. Retrieved from http://www.zdnet.com/article/report-ma-licious-pdf-files-becoming-the-attack-vector-of-choice/

Dillet, R. (2012, December 21). Adobe Acquired Portfolio Service Behance For More Than $150 Million In Cash And Stock. Retrieved from http://social.techcrunch.com/2012/12/21/adobe-acquired-portfolio-service-behance-for-more-than-150-million-in-cash-and-stock/

Discover new dimensions in digital imaging. (n.d.). Retrieved from http://www.rockymountaintraining.com/class_photoshop_forensics.php

Discover the Creative Cloud 2015 experience. (2015, July 4). Retrieved from https://creative.adobe.com/plans

Dove, J. (2015, June 16). Adobe launches its first Creative Cloud mobile apps on Android. Retrieved from http://thenextweb.com/apps/2015/06/15/adobe-launches-its-first-creative-cloud-mobile-apps-on-android/

Ducklin, P. (2013, November 4). Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder. Retrieved from https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-gi-ant-sized-cryptographic-blunder/

Du, M. (2013, November 5). Malicious PDF Analysis Evasion Techniques. Re-trieved from http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdf-analysis-evasion-techniques/

Duncan, G. (2012, August 17). Adobe Flash for Android: Gone with barely a whimper. Retrieved from http://www.digitaltrends.com/mobile/adobe-flash-for-android-gone-with-barely-a-whimper/

Fallon, K. (2012, November 27). Fooled by “The Onion”: 9 Most Embarrassing Fails. Retrieved from http://www.thedailybeast.com/articles/2012/09/29/fooled-by-the-onion-8-most-embarrassing-fails.html

Famous Photoshopped Fakes. (n.d.). Retrieved from http://www.foxnews.com/photoessay/0,4644,6636,00.html/#/photoessay/image/0220091154_M_

Page 48: The Malicious and Forensic Uses of Adobe Software

40 THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

fakes_tourist_guy-jpgFarid, H. (2011, August 10). Image Authentication and Forensics | Fourandsix

Technologies - Blog - Enhance – no, really. Retrieved from http://www.fourandsix.com/blog/2011/8/10/enhance-no-really.html

FotoForensics. (n.d.). Hacker Factor. Retrieved from http://fotoforensics.com/

Gafford, R. (1958). The Operational Potential of Subliminal Perception. Re-trieved from https://www.cia.gov/library/center-for-the-study-of-intelli-gence/kent-csi/vol2no2/pdf/v02i2a07p.pdf

Gallagher, S. (2013, April 16). ColdFusion hack used to steal hosting provider’s customer data. Retrieved from http://arstechnica.com/security/2013/04/coldfusion-hack-used-to-steal-hosting-providers-customer-data/

Gaza Burial, by Paul Hansen. (n.d.). Retrieved from http://www.worldpress-photo.org/collection/photo/2013/spot-news/paul-hansen

Girard, D. (2014, January 14). How QuarkXPress became a mere afterthought in publishing. Retrieved from http://arstechnica.com/information-tech-nology/2014/01/quarkxpress-the-demise-of-a-design-desk-darling/

Gitelman, L. (2014). Paper Knowledge: Toward a Media History of Docu-ments. Duke University Press.

Goodin, D. (2015, February 4). As Flash 0day exploits reach new level of meanness, what are users to do? Retrieved from http://arstechnica.com/security/2015/02/as-flash-0day-exploits-reach-new-level-of-meanness-what-are-users-to-do/

Greenberg, A. (2009, December 12). The Year’s Most-Hacked Software. Retrieved June 1, 2015, from http://www.forbes.com/2009/12/10/ado-be-hackers-microsoft-technology-cio-network-software.html

Guthrie, C., & Mitchell, B. (2007, September 26). THE SWINTON SIX: THE IMPACT OF STATE v. SWINTON ON THE AUTHENTICA-TION OF DIGITAL IMAGES. Stetson Law Review. Retrieved from http://www.stetson.edu/law/lawreview/media/the-swinton-six-the-im-pact-of-state-v-swinton-on-the-authentication-of-digital-images.pdf

Harley, R. (n.d.). James Vicary: Experiment & Overview. Retrieved from http://study.com/academy/lesson/james-vicary-experiment-lesson-quiz.html

Harshbarger, W. (2008, August 8). Fraudulent CNN emails contain links to Trojan. Retrieved from http://www.purdue.edu/SecurePurdue/news/2008/Fraudulent-CNN-emails-contain-links-to-Trojan.cfm

Hasidic Newspaper Photoshops Hillary Clinton Out Of Iconic Picture. (2011, May 9). Retrieved from http://www.huffingtonpost.com/2011/05/09/hil-lary-clinton-der-tzitung-removed-situation-room_n_859254.html

Haugech. (2015, April 29). Forensic Scientist III/Quality Assurance Special-ist–Latent Print Examiner Saint Paul Police Department Forensic Services Unit Position Profile. City of St. Paul, Minnesota. Retrieved from http://www.stpaul.gov/DocumentCenter/View/78532

Page 49: The Malicious and Forensic Uses of Adobe Software

CAPSTONE PROJECT 2015 • UTICA COLLEGE • JEFFREY P. MACHARYAS 41

Higgins, K. (2013, October 7). Hacking The Adobe Breach. Retrieved from http://www.darkreading.com/attacks-breaches/hacking-the-adobe-breach/240162362

Hinduja, S. (2012, May 1). Cyberbullying Your Own Kids to Punish Them. Retrieved from http://cyberbullying.us/cyberbullying-your-own-kids-to-punish-them/

Hoerricks, J. (2008). Forensic Photoshop. Jim Hoerricks. Retrieved from http://www.blurb.com/b/196812-forensic-photoshop

Hoffman, C. (2014, January 8). Why Browser Plug-Ins Are Going Away and What’s Replacing Them. Retrieved from http://www.howtogeek.com/179213/why-browser-plug-ins-are-going-away-and-whats-replacing-them/

Hughes, D. (n.d.). Adobe ColdFusion for the Web Developer. Retrieved from http://www.htmlgoodies.com/primers/database/article.php/3756161/Adobe-ColdFusion-for-the-Web-Developer.htm

Jackson, V. (2013, December 13). Mysterious Death Related to Obama’s Fake Birth Certificate. Retrieved from http://victoriajackson.com/10252/mys-terious-death-related-obamas-fake-birth-certificate

Key, W. (1974). Subliminal Seduction. Signet.Koetsier, J. (2014, March 25). Adobe turns marketing cloud up to 11 with

massive update, SAP deal, new mobile tools. Retrieved from http://ven-turebeat.com/2014/03/25/adobe-turns-marketing-cloud-up-to-11-with-massive-update-sap-deal-new-mobile-tools/

Koetsier, J. (2015, January 28). How Adobe is embedding its marketing cloud into thousands of mobile apps—and soon more. Retrieved from http://venturebeat.com/2015/01/28/how-adobe-is-embedding-its-marketing-cloud-into-thousands-of-mobile-apps-and-soon-more/

Kosner, A. (2014, October 9). Adobe Launches Free Mobile Apps As Gateway To Creative Professions. Retrieved from http://www.forbes.com/sites/an-thonykosner/2014/10/09/adobe-launches-free-mobile-apps-as-gateway-to-creative-professions/

Krawetz, N. (2009, November 2). Body By Victoria. Retrieved from http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html

Krebs, B. (2013, October 29). Adobe Breach Impacted At Least 38 Mil-lion Users—Krebs on Security. Retrieved from http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/

Krebs, B. (2014a, March 4). Thieves Jam Up Smucker’s, Card Processor. Re-trieved from http://krebsonsecurity.com/2014/03/thieves-jam-up-smuck-ers-card-processor/

Krebs, B. (2014b, March 17). The Long Tail of ColdFusion Fail. Retrieved from http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/

Krebs, B. (2015, March 12). Adobe Flash Player — Krebs on Security. Re-trieved from http://krebsonsecurity.com/tag/adobe-flash-player/

Page 50: The Malicious and Forensic Uses of Adobe Software

42 THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

Leurs, L. (2013, August 9). The History of PDF. Retrieved from http://www.prepressure.com/pdf/basics/history

Levin, A. (2014, February 13). Why the Adobe Hack Scares Me—And Why It Should Scare You. Retrieved from http://www.huffingtonpost.com/ad-am-levin/why-the-adobe-hack-scares_b_4277064.html

Lightstream. (2008, August 7). VIRUS WARNING—CNN top ten news sto-ries serving up a trojan. Retrieved from http://freedomcrowsnest.wizard-ofthenorth.ca/viewtopic.php?f=1&t=73461

List of Adobe software. (2015, April 12). In Wikipedia, the free encyclopedia. Retrieved from https://en.wikipedia.org/w/index.php?title=List_of_Ado-be_software&oldid=656098746

Macharyas, J. (2015, March 8). Forensics of Adobe Software. Retrieved from http://www.macharyas.com/2015/03/forensics-of-adobe-software/

Madrigal, A. C. (2012, April 3). Flash and the PDF: Computing’s Last Great and Now Endangered Monopolies. The Atlantic. Retrieved from http://www.theatlantic.com/technology/archive/2012/04/flash-and-the-pdf-computings-last-great-and-now-endangered-monopolies/255403/

Mostreni, T. (2015, January 12). Student Fires Back After Yearbook Compa-ny Completely Alters Her Face With Photoshop. Retrieved from http://www.pixable.com/article/yearbook-company-high-school-photo-shop-70805/?utm_medium=partner&utm_source=facebook&utm_cam-paign=pixsesocial&ts_pid=2

McGladrey LLP. (2011). A New PDF Standard (Case Study) (p. 4). Minneap-olis, Minnesota. Retrieved from http://www.adobe.com/showcase/case-studies/mcgladreydyn/casestudy.pdf

Meyer, G., & Massoudi, A. (2012, July 13). Wasendorf suicide note details fraud. Financial Times. Retrieved from http://www.ft.com/cms/s/0/a4e46d74-cd16-11e1-92c1-00144feabdc0.html#axzz3dtpOyisl

M, I. (2010, July). The Evolution of Adobe Flash: From 1996 to 2010. Re-trieved from http://www.pxleyes.com/blog/2010/07/evolution-of-flash-from-1996-to-2010/

Millsaps, B. (2015, April 17). Photoshop CC: Adobe Announces 3D Enhance-ments & Tools, Exemplified by 3D Printed Artworks of Veraart & Stewart. Retrieved from http://3dprint.com/59018/photoshop-3d-enhancements/

Mimiso, M. (2015, June 9). Adobe Patches 13 Vulnerabilities in Flash Player. Retrieved from https://threatpost.com/adobe-patches-13-vulnerabili-ties-in-flash-player/113222

Minnick, C., & Tittel, E. (2014, April 30). How Adobe Is Moving on From Flash to Embrace HTML5. Retrieved from http://www.cio.com/arti-cle/2376661/internet/how-adobe-is-moving-on-from-flash-to-embrace-html5.html

Morra, S. (2013). Confirming the Integrity and Utility of Open Source Foren-sic Tools (UMI Number: 1549835) (pp. 32–33). Utica, New York: Utica College. Retrieved from http://search.proquest.com.ezproxy.utica.edu/

Page 51: The Malicious and Forensic Uses of Adobe Software

CAPSTONE PROJECT 2015 • UTICA COLLEGE • JEFFREY P. MACHARYAS 43

pqdtlocal1008803/docview/1491381111/B0656A957BC345CAPQ/1?ac-countid=28902

Morrissey, M. (2011, October 24). Metadata: A Backdoor Into Multi-State Information Sharing & Analysis Center. Retrieved from https://msisac.cisecurity.org/resources/reports/documents/metadataadvisory.pdf

Nerseus. (2011, February 6). IMVU—View topic—What is Vertex Colors and should I use it? Retrieved from http://www.imvu.com/catalog/modules.php?op=modload&name=phpbb2&file=viewtopic.php&t=363860

New Survey Shows U.S. Small Business Owners Not Concerned About Cyber-security; Majority Have No Policies or Contingency Plans. (2012, October 15). Retrieved from http://www.symantec.com/about/news/release/arti-cle.jsp?prid=20121015_01

O’Gorman, G., & McDonald, G. (2012). The Elderwood Project. Mountain View, California. Retrieved from https://www.info-point-security.com/sites/default/files/the-elderwood-project.pdf

Omansky, J. (2015). Adobe Flash: Zero Day Vulnerabilities. Retrieved from https://youtu.be/N3_kBqTIc7M

Özkan, S. (n.d.). Microsoft » Word: Vulnerability Statistics. Retrieved from http://www.cvedetails.com/product/529/Microsoft-Word.html?vendor_id=26

Özkan, S. (2015, May 13). Adobe » Flash Player : Security Vulnerabilities. Re-trieved from http://www.cvedetails.com/cve/CVE-2015-3093/

Photo Forensics: Detect Photoshop Manipulation with Error Level Analysis. (2013, October 25). Retrieved from http://resources.infosecinstitute.com/error-level-analysis-detect-image-manipulation/

Pierini, D. (2015, February 25). Day in the Life mastermind on 25 years of Adobe Photoshop. Retrieved from http://www.cultofmac.com/313469/day-life-series-mastermind-reflects-25-years-photoshop/

Perhiniak, M. (2012, April 11). How Do I Use Photoshop and InDesign Togeth-er?—Tuts+ Design & Illustration Tutorial. Retrieved from http://design.tutsplus.com/tutorials/how-do-i-use-photoshop-and-indesign-together--psd-16039

Poulsen, B. (2012, July 31). Being Amused by Apophenia. Retrieved from http://www.psychologytoday.com/blog/reality-play/201207/be-ing-amused-apophenia

Powell, B. (2011, December 21). Rep. Posey’s Interview With “Proud Birther” Victoria Jackson. Retrieved from http://politicalcorrection.org/blog/201112210008

Rick. (2014, May 14). The Rise of Programmatic and the Death of Flash. Re-trieved from http://current360.com/play/rise-programmatic-death-flash/

Saletan, W. (2010, May 24). The Ministry of Truth. Slate. Retrieved from http://www.slate.com/articles/health_and_science/the_memory_doc-tor/2010/05/the_ministry_of_truth.html

Scan a paper document to PDF. (n.d.). Retrieved from http://help.adobe.com/

Page 52: The Malicious and Forensic Uses of Adobe Software

44 THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

en_US/acrobat/X/standard/using/WS58a04a822e3e50102bd615109794195ff-7f71.w.html

Schonfeld, E. (2010, February 2). Adobe CTO Kevin Lynch Defends Flash, Warns HTML5 Will Throw The Web “Back To The Dark Ages Of Video.” Retrieved from http://social.techcrunch.com/2010/02/02/adobe-cto-kev-in-lynch-defends-flash/

Security Updates Available for Adobe Flash Player. (2015, June 23). Adobe Systems, Incorporated. Retrieved from https://helpx.adobe.com/security/products/flash-player/apsb15-14.html

Segura, J. (2013, February 4). Digital certificates and malware: a dangerous mix. Retrievedfrom https://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/

Shankland, S. (2012, May 11). Adobe launches Creative Cloud subscription service. Retrieved from http://www.cnet.com/news/adobe-launches-cre-ative-cloud-subscription-service/

Shaw, R. (2013, November 20). Analyzing Malicious PDFs. Retrieved from http://resources.infosecinstitute.com/analyzing-malicious-pdf/

“SNL”’s Victoria Jackson falls to incumbents. (2014, August 7). Retrieved from http://www.tennessean.com/story/news/politics/2014/08/07/snls-victoria-jackson-falls-incumbents/13755741/

Soltani, A., Canty, S., Mayo, Q., Thomas, L., & Hoofnagle, C. (2009). Flash Cookies and Privacy (p. 8). Berkeley, California: University of California, Berkeley. Retrieved from http://ssrn.stanford.edu/delivery.php?=7281191260660670640691240660030950220250450040180280591260031261011201241120091160861010201111020450510440851000680990940911120530870470210618001021103105005074064023079083010125117078000105069&EXT=pdf&TYPE=2

StephenJ798. (2013, October 8). re: Hacking The Adobe Breach. InformationWeek Dark Reading. Comment. Retrieved from http://www.darkreading.com/attacks-breaches/hacking-the-adobe-breach/d/d-id/1140620?

Stofer, M. (2015). Unlock PDF [Online]. Berlin, Germany: IM Material. Retrieved from http://smallpdf.com/unlock-pdf

Story, D. (2000, February 18). From Darkroom to Desktop—How Photoshop Came to Light. Retrieved from http://www.storyphoto.com/multimedia/multimedia_photoshop.html

Swanson, A. (n.d.). Company Names as Verbs or Proprietary Eponyms: Do You Use These Brand Terms? Retrieved from http://www.qualitylogoproducts.com/blog/company-names-as-verbs-brand-terms/

SWF Player. (2014). (Version 2.0.0) [Android 2.2 and up]. BIT LABS LLC. Retrieved from https://play.google.com/store/apps/details?id=air.br.com.bitlabs.SWFPlayer&hl=en

SWF to iPhone - How to Play Flash SWF on iPhone 5. (n.d.). Retrieved from http://www.jihosoft.com/flash-tutorials/swf-to-iphone.html


Tam, K. (2011, August 11). Photoshop Won’t Let You Work with Images of Currency? Retrieved from https://fstoppers.com/news/photoshop-wont-let-you-work-images-currency-7291

TinEye Reverse Image Search. (2015, July 3). Retrieved from https://www.tineye.com/

Trautman, E. (2014, April 19). RIP Flash: Why HTML5 Will Finally Take Over Video and Web in 2014. Retrieved May 25, 2015, from http://thenextweb.com/dd/2014/04/19/rip-flash-html5-will-take-video-web-year/

Trends. (n.d.). Retrieved from http://httparchive.org/trends.php?s=Top1000&minlabel=Jan+20+2011&maxlabel=May+15+2015

UTICA.EDU Technology Profiler on. (2015, June 28). Retrieved from http://builtwith.com/utica.edu

Van den Bergh, L. (2013, May 17). Adobe & Law Enforcement: Meet Sr. Solutions Architect John Penn II | PHOTOSHOP.COM BLOG. Retrieved from http://blogs.adobe.com/photoshopdotcom/2013/05/celebrating-law-enforcement-week-with-adobes-john-penn-ii.html

Veronica Blas Dahir. (n.d.). Retrieved from http://www.unr.edu/research-and-innovation/researcher-resources/veronica-dahir

Vogt, D. (2011, May 22). News Release: Expanded Analysis of Obama’s Certificate of Live Birth - May 22, 2011. Retrieved from https://www.scribd.com/doc/55642721/News-Release-Legal-proof-that-President-Obama-s-Certificate-of-Live-Birth-is-a-forgery

Wheeler, C. (2008, July 23). InDesign Forensics: What Your Editor Knows about You. Retrieved from http://www.deke.com/content/indesign-forensics-what-your-editor-knows-about-you

Yegulalp, S. (2014, February 7). Adobe Flash: Insecure, outdated, and here to stay. Retrieved from http://www.infoworld.com/article/2610420/adobe-flash/adobe-flash--insecure--outdated--and-here-to-stay.html

Zhang, M. (2015, May 14). Real or Photoshop: How Well Can You Spot Fake Photos? Retrieved from http://petapixel.com/2015/05/14/real-or-photoshop-how-well-can-you-spot-fake-photos/

Zuckerman, E. (2013, January 29). Review: OpenPuff steganography tool hides confidential data in plain sight. Retrieved from http://www.pcworld.com/article/2026357/review-openpuff-steganography-tool-hides-confidential-data-in-plain-sight.html

Appendices

Adobe publishes a large number of programs and systems and has discontinued many others (“Discontinued products,” 2015). These lists illustrate the large body of tools that exploits can be introduced into, tools that can be used for forensic purposes and tools that can be used for benign and malicious intent (“Adobe products | Adobe,” 2015).

Appendix A: Current/Supported Adobe products

• Adobe Access
• Acrobat Pro DC
• Acrobat Reader DC
• Acrobat Standard DC
• After Effects CC
• AIR
• Analytics
• Adobe Anywhere
• Audition CC
• Adobe Auditude
• Authorware
• Behance
• Bridge
• Campaign
• Adobe Captivate
• Adobe Connect
• Central Pro Output Server
• ColdFusion
• ColdFusion Enterprise Edition
• ColdFusion Builder
• Color Lava
• Content Server
• Contribute
• CS Live
• Creative Cloud
• Creative Cloud for Enterprise
• Creative Cloud for teams
• Creative Portfolio
• Creative Suite
• Digital Editions
• Digital Publishing Solution
• Director
• Distiller Server
• Adobe Document Cloud
• Adobe Document Cloud for enterprise
• Dreamweaver CC
• Drive
• Eazel
• Edge Animate CC
• Edge Code CC (Preview)
• Edge Inspect CC
• Edge Reflow CC (Preview)
• Edge Web Fonts
• eLearning Suite
• Encore
• Experience Manager
• Export PDF
• Adobe Extension Builder
• Fireworks
• Flash Builder
• Flash Media Live Encoder
• Flash Media Playback
• Flash Player
• Flash Professional CC
• Flash Video Streaming Services
• Flex
• Fonts
• Font Folio
• FrameMaker
• FrameMaker Publishing Server
• FrameMaker XML Author
• HTTP Dynamic Streaming
• Ideas
• Illustrator CC
• InCopy CC
• InDesign CC
• InDesign Server
• Ink & Slide
• JRun
• Kuler
• Adobe LeanPrint
• Lightroom
• Lightroom mobile
• Line
• LiveCycle Enterprise Suite
• Adobe Marketing Cloud
• Media Encoder CC
• Media Optimizer
• Adobe Media Server on Amazon Web Services
• Adobe Media Server Extended
• Adobe Media Server Professional
• Adobe Media Server Standard
• Adobe Muse CC
• Nav
• OnLocation
• Output Designer
• Output Pak for mySAP.com
• Ovation
• PageMaker
• Pass
• Adobe PDF Pack
• Adobe PDF Print Engine
• PhoneGap Build
• Photoshop CC
• Photoshop Elements
• Photoshop Elements & Adobe Premiere Elements
• Photoshop Mix
• Photoshop.com
• Adobe Playpanel
• Adobe PostScript
• Prelude CC
• Adobe Premiere Elements
• Adobe Premiere Express
• Adobe Premiere Pro CC
• Presenter
• Publish
• Revel
• RoboHelp
• RoboHelp Server
• Adobe Scout CC
• SearchCenter+
• Send & Track
• Send for Signature
• Shockwave Player
• Sketch
• Social
• Soundbooth
• SpeedGrade
• Adobe Story Free
• Adobe Story Plus
• Target
• Technical Communication Suite
• Typekit
• Type products
• Voice
• Web Fonts
• Adobe Web Hosting
• Web Output Pak


Appendix B: Discontinued/Unsupported Adobe products

PageMaker is erroneously listed among the supported programs; support for PageMaker was discontinued on August 1, 2011. It also appears in the unsupported program list, which is correct (“Adobe - PageMaker Support Center,” n.d.).

• Acrobat Elements
• Acrobat Elements Server
• Acrobat Messenger
• Adobe Acrobat Basic
• Adobe Form Manager
• Adobe Ideas for Android
• Adobe Media Gateway
• Adobe OnLocation
• Adobe Stock Photos
• Adobe Type Set
• ATM Deluxe
• Authorware
• Collage
• CS Live services
• CS Review
• Creative Mark
• Debut
• Design Collection
• Dimensions
• Dreamweaver Server Extension
• DS Community Edition
• DV Rack
• Flash Paper
• Fontographer
• FreeHand
• GoLive
• Graphics Server
• Homesite Tool
• InContext Editing
• Kuler for Android
• NetAverages
• Ovation
• PageMaker
• PDF Scan
• PhotoDeluxe
• Photoshop Album
• Adobe Premiere LE
• PressReady
• Production Studio Premium
• Production Studio Standard
• Proto
• Rapid e-Learning Collection
• RoboInfo
• RoboPDF
• Secure Content Servers
• Soundbooth
• Streamline
• Studio
• Type on Call
• Ultra
• Video Collection Pro
• Video Collection Standard
• Vlog It!
• Visual Communicator

Colophon

This book was reproduced from a Capstone Project on The Malicious and Forensic Uses of Adobe Software, by Jeffrey P. Macharyas, for the Masters of Science Program in Cybersecurity and Computer Forensics at Utica College, Utica, New York. This report adheres to the American Psychological Association (APA) styles and was originally composed in Microsoft Word 2011, with Times New Roman, 12 point, double-spaced. This edition was created using Adobe InDesign CC 2015 for page layout, Adobe Photoshop CC 2015 for image production and Adobe Acrobat DC for the final PDF document. All work was performed on a 13” Apple MacBook Pro, late 2011 model, with operating system version 10.10.3 Yosemite. References and citations were compiled using the Zotero plug-in for Mozilla Firefox, version 40.0 (beta channel) and resources were searched for using Google.

This edition was typeset using Chronicle Display, 11 point, with a leading of 13. Every attempt has been made to provide credit for all sources used in the production of this report.


About Jeffrey P. Macharyas

EDUCATION

Utica College | Master of Science in Cybersecurity—Specialization in Computer Forensics | 2015

Rutgers University | Mini-MBA Graduate Certificate—Social Media Marketing | 2012

Florida State University | Bachelor of Science in Communications and Visual Arts— Specialization in Advertising | 1983

COMPUTER FORENSICS PROJECTS/RESEARCH

• Capstone Master’s Thesis: The Malicious and Forensic Uses of Adobe Software

• Open Source Intelligence: Collected data to develop profile of the subject using online and personal interview sources

• Cyberbullying: A unique look at the cyberbullying “industry.” To be included as part of an upcoming encyclopedia

• Linux Forensic Tools: Various projects involving installing and operating computer forensic tools on Linux systems via the use of VMware and Virtual Box, to operate in a secure environment

• Peer Mentor: Worked with Utica College Cybersecurity online students to understand course material and procedures via phone, Skype and Google Hangouts. Recommended to be selected as a teacher’s assistant at Utica College

• Graphics: Redesigned The Moose, a style guide for APA-style compliance to be used by Utica College

PROFESSIONAL PROFILE

Forensic Software: FTK, Wireshark, Internet Evidence Finder, PRTK, RegEdit, Bless

Design Software: Adobe Creative Cloud: InDesign, Photoshop, Illustrator, Dreamweaver, Acrobat Pro, Edge Animate

Operating Systems: Apple OSX: Yosemite, Windows: XP-8.1, Linux: Ubuntu, Security Onion, VMware: 6-7

Online Operations: HTML, CSS, Google Analytics, Twitter Analytics, WordPress

Miscellaneous Programs: Microsoft Office: Word, Excel, PowerPoint. Open Source: Scribus, Inkscape, GIMP. FTP, CRM

Certifications: AccessData Certified Examiner, HubSpot Inbound Marketing, FEMA: Social Media, Nat’l. Infrastructure, Dale Carnegie Institute, Notary Public

PROFESSIONAL EXPERIENCE

Production Manager/Designer | Outdoor Sportsman Group | 2013 – present | Stuart, Florida

Ensure that Florida Sportsman magazine, one of Outdoor Sportsman Group’s 15 titles, is produced correctly and on time. Manage advertising and production for 13 issues per year, as well as media kits, websites, print and web ads. Design and write interactive media kits and forms, advertisements, trade show material and book illustrations. Troubleshoot technical issues.

Introduced an innovative “flipbook” concept for newsstand customers, requiring careful planning and diligent coordination with in-house staff and vendors to ensure all necessary specs and production protocols were met.

Website design and developer for the Florida Fish & Wildlife Foundation (floridafishingcampaign.com).

Creative Director/Writer | Contractor | 2003-2014 | Remote

Worked for a diverse set of clientele to produce publications, websites, books, ads, logos, and other marketing material. Applied knowledge of working in different media to produce proper files and maintain schedules and budgets. Selected projects:

• Designer for safeHands Hand Sanitizer. Designed packaging, bottles, social media and website elements. 2012-2014.

• Writer/Art Director for The Pineapple Post newspaper, designed, wrote, researched and edited monthly community newspaper for Ocala and Jensen Beach, Florida. 2012-2014.

• Art Director for The American Spectator Designed and produced monthly magazine. Redesigned the publication. Designed annual reports, prototype issues, direct mail and books. 2003-2007 & 2012-2014.

• Telephone pole designer for AT&T, field assessments and AutoCAD engineering drawings. Best Quality Award. 2012-2013.

• First Art Director for the USO’s OnPatrol magazine, a start-up publication for America’s armed service members and families. Designed brochures, one-sheets, books, challenge coins, and other marketing material. 2009-2012.

Creative Director/Writer | Today’s Campus magazine | 2007 – 2010 | West Palm Beach, Florida

The Greentree Gazette was the magazine for college business offices. Improved the design and production of the publication and forged a closer relationship with the vendors. To better reflect the audience, re-branded the magazine to Today’s Campus. Designed the logo and redesigned the magazine to give it a more professional appearance. A second publication, Student Loan Buying Guide, was added in 2008. Designed and produced approximately 200 pages per month.

• Initiated and managed the company’s subscription qualification and renewal program, using coverwraps, that generated qualified subscriptions for the first time

• Wrote and produced e-newsletters, email blasts and analyzed results, wrote articles for todayscampus.com

• Managed printers, editors, writers, and freelancers—reduced cost and improved turnaround time

Production Manager | Selling Power magazine | 1997 – 2006 | Fredericksburg, Virginia

Selling Power magazine, a publication for sales professionals, grew from 72 pages per issue to more than 200. Managed the production, distribution and audio content of Selling Power Live—an audio version of the magazine, with circulation of 50,000. Transitioned the product from cassette to CD and created innovative CD inserts for inclusion in the magazine to bolster subscriptions.

• Converted file delivery from PostScript to PDF workflow, decreasing turnaround time and improving quality control

• Conducted press, bindery and shipping checks at printing facilities for press runs of 260,000+ each month

• Discovered savings in mailing and shipping and developed innovative mailing and packaging methods by analyzing USPS regulations and meeting with postal officials

• Designed and analyzed subscription renewal efforts

• Single-handedly created a reprints department—earning the company $60,000+ the first year

• Audio Publisher’s Association’s Best New Audio for Selling Power Live—1998

NON-PROFIT/VOLUNTEER

• Designer/Seminar Speaker | Treasure Coast YMCA | Stuart, Florida | 2011-2015

• Website Designer/Charter Member | Treasure Coast Fencing Academy | Port St. Lucie, Florida | 2008-

• Website Designer/Treasurer/Scout Leader/Secretary/Unit Founder | Boy Scouts of America | Orange, Virginia & Port St. Lucie, Florida | 2000-2013

• Website Designer/Board Member | Little League Baseball | Port St. Lucie, Florida | 2009-2010

• Designer/Communications Committee Member | Lake of the Woods Association | Locust Grove, Virginia | 2005-2007

• Website Designer/Teacher’s Helper | Orange Schools | Orange, Virginia | 2004-2007 | Volunteer of the Year-2006

[email protected] | www.Macharyas.com

Pronounced: muh-sha’-riss


“Do I think Photoshop is being used excessively? Yes. I saw Madonna’s Louis Vuitton ad and honestly, at first glance, I thought it was Gwen Stefani’s baby. I find, the fancier the fashion magazine is, the worse the Photoshop. It’s as if they are already so disgusted that a human has to be in the clothes, they can’t stop erasing human features.”

Tina Fey


THE MALICIOUS AND FORENSIC USES OF ADOBE SOFTWARE

BY JEFFREY P. MACHARYAS

This research examines how certain Adobe programs and files are manipulated for deceptive practices. The most common programs and file types examined are Flash, Photoshop, PDFs and ColdFusion. This research also includes examination of some lesser known, but popular, programs, such as InDesign. The research addresses the following problems and situations:

• How are Adobe programs, primarily Flash, Photoshop, PDFs and ColdFusion used for forensics and criminal purposes?

• What methods are used to manipulate files for the purposes of misleading people or altering perceptions?

• What are some of the forensic signs of evidentiary tampering and how can authorities use this information to identify threats?

A Capstone Project Submitted to the Faculty of

Utica College • Utica, New York

www.utica.edu

August 2015

in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity