Computer Hacking Forensic Investigator (CHFI v10) — Question 418
A Computer Hacking Forensic Investigator (CHFI) is trying to identify a hidden data leak happening through seemingly benign PDF documents sent from a corporate network. While examining a suspicious PDF, he discovers a series of unexpected objects in the file’s body. Given the following hex signatures of various file formats: JPEG (0xffd8), BMP (0x424d), GIF (0x474946), and PNG (0x89504e), which of the following actions should he take next?
Answer options
- A. Search for the existence of the hex signature 0x89504e in the PDF's body as a PNG could be embedded
- B. Check for the existence of the hex signature 0xffd8 in the PDF's body as a JPEG could be hidden
- C. Examine the cross-reference table (xref table) for any unusual links to objects
- D. Verify if the PDF document ends with the %EOF value
Correct answer: B
Explanation
The correct answer is B because if a JPEG is hidden within the PDF, it would contain the corresponding hex signature 0xffd8. Options A, C, and D may provide useful information but do not directly target the investigation of hidden JPEG files within the PDF, which is the primary concern in this scenario.