 Hello, Didier Stevens here. I have a new tool, PDF tool. It can help you with analyzing PDFs. For the moment it supports one command and it's for incremental updates. So PDFs with incremental updates. What is a PDF with incremental updates? Well, imagine that you have one PDF that I represent here. So this is a file, a PDF file with its content, the header and here the trailer, the end. Now we make an update to this PDF. We change it. What will be done often is that the content here of the file is changed, modifying objects, adding new objects. But this can also be done with incremental updates. And with an incremental update, nothing is changed to this PDF file. So I mean this content remains unchanged. What happens is that an extra block is added. So content is appended to the file also with a trailer and this one remains. And here you have new objects or modifications of objects that are in here. So that is an update to this PDF. And these two combined are also PDF, of course. And that gives you the new version of the PDF. So a PDF with incremental updates is a PDF that is modified by appending changes to it, not by changing the original document. Now I do this here in this example with one update. Of course you can have many updates and they are just appended like the first one here. When you run my new PDF tool without any options or arguments, you get the help. And that is because it takes one command and then options and values. This command, there is only one command implemented now. This command specifies what you want to do. And here there is one command for incremental updates. That's the only command that I've implemented up till now. Incremental updates, abbreviated IU. And then for example a simple hello PDF. And then you get this output, the name of the file and then one line. I will explain the meaning of this line in later examples. But just remember if there is only one line here, one output, then you have a PDF without incremental updates. 
So one line, no incremental updates. Now you can also have a PDF that is linearized. A linearized PDF is a PDF whose objects inside the PDF file have been ordered so that it can be rendered while it is being downloaded. If you run my PDF tool for incremental updates on a linearized PDF, you will get two lines. One line, you can see here, one object linearized, and then the other objects. This again is not a PDF with incremental updates. So if you have one line that is linearized and then a second line, then you are just dealing with a linearized PDF. Now what does a PDF with incremental updates look like? We will see, we will look at an old PDF puzzle here. So now you have two lines and the first one doesn't say linearized. So this means we have a PDF that has incremental updates. So how can we interpret those lines? Well, that first PDF inside, remember version one, that contains six objects and is 933 bytes long. And this is its MD5 hash. Second line, this represents the complete PDF, so version two. And if you just look at the updates that are here in this version two, then there is one object. The total length is 1243 bytes. The difference between this and this version is 310 bytes and this is the MD5 hash. By the way, if you don't like MD5 hashes, there's an environment variable that you can set to have another hash type. Now if you do a dir of PDF puzzle, you can see indeed 1243 bytes. And if I calculate the hash of the PDF puzzle, this is the MD5 hash. Okay, this is numbered so that you can select it. So I can say select one. And then by default, I get a hexadecimal ASCII dump of that first version. So the blue rectangle that you saw in the explanation about incremental updates. With here %PDF-1.1, the version, and here at the end %%EOF, the end of file. If you select two, then here you have the complete PDF, a hexadecimal ASCII dump of the complete PDF. So %PDF-1.1, here you can see %%EOF, and then here another object, and then again %%EOF.
So two %%EOFs, that characterizes this incremental update. You can also select just the difference, the delta. And that is by selecting object, sorry, entry 2, D, D for delta or difference. And then you just get here what is different. So this is the orange part. While what we selected before here, let's select two. That was the blue part and orange part together, the complete PDF. Now, why is this interesting? Why would you use this tool? Well, you can use it to recover previous versions. If we take a look at PDF puzzle, here you see the passphrase is xxx. So this was a very old puzzle that I made. And to recover the passphrase, you actually need to go back to the previous version. In the updated version, so version 2 let's say, the orange part, this is the text xxx. So you cannot read the passphrase. While if you go back to the blue part, then there is an object here that tells you what the actual passphrase is. So I can use my PDF tool. I say incremental update. I select the first line. And now instead of doing an ASCII dump, I'm doing a binary dump of that PDF puzzle. See here it is output to screen. I can also store it in a file, PDFPuzzleVersion1.PDF, like this. This file has been created. Here it is 933 bytes. Remember that's what we had for output here: 933 bytes. This is the hash of that first version. You can also verify that the hash is the same. So with this tool now, I have extracted that first version. And I can just display that, open it with a PDF reader. And then indeed here you can see the passphrase. So that was the solution to my simple puzzle. Back then of course you didn't have that tool. You had to do it manually. But now you can do it with this tool. I have another example, a malicious PDF file. So incremental updates here for that malicious PDF file. And here you can see that this is one that has a linearized object. And then different versions, incremental updates. So this is also an incremental update.
This is an example of an incremental update that is also linearized. So if you have linearized, but then more than two lines in total, then you also have an incremental update. Now this example here, I also wrote a blog post about it a long time ago. It's about shoulder surfing malware, with someone trying to make his PDF work. Because you can see here in these different PDFs the different JavaScript versions that he is making. If we go back to the linearized one. So if I just select that one, this is the ASCII dump. So the first line. And if I do a binary dump, then you can see here the PDF header, the object linearized and then the trailer. So that's typical for a linearized object. That first linearized content until %%EOF. You should only have one object linearized and then a trailer. And then what follows? The difference, so not the complete PDF but the difference: what is different here? This is actually, you see, from the object here all the way, all the other objects and also the trailer. So to summarize my PDF tool for the moment, only one command, incremental update. If you have just one line, then you don't have incremental updates in the PDF. If you have two lines, but the first line is linearized, then you also have no incremental updates. But when you have two lines or more, or three lines or more with the first line linearized, then you are dealing with an incremental update.
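The rule summarized above (one %%EOF-terminated section per line, first section linearized or not, version selection and delta extraction) as an added example. This is illustrative code, not Didier Stevens' pdftool; the sample PDF is constructed and reduced to the parts inspected here (no xref table), and MD5 comes from Python's hashlib.

```python
import hashlib
import re

# Constructed sample (not a real pdftool test file): a minimal two-object PDF,
# reduced to the parts inspected here (no xref table), followed by one
# incremental update that replaces object 2 and appends a second trailer.
BASE_PDF = (
    b"%PDF-1.1\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n(passphrase: secret)\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
UPDATE = (
    b"2 0 obj\n(passphrase: xxx)\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)
SAMPLE_PDF = BASE_PDF + UPDATE

EOF_MARKER = re.compile(rb"%%EOF\s*")          # each %%EOF closes one version
OBJ_RE = re.compile(rb"\b\d+\s+\d+\s+obj\b")   # "N G obj" object headers

def incremental_updates(data):
    """One record per %%EOF, like the IU command's lines: objects added by
    that update, cumulative length, delta size, MD5 of that version, and
    whether the first section is the linearization block."""
    records, prev_end = [], 0
    for m in EOF_MARKER.finditer(data):
        end = m.end()
        delta = data[prev_end:end]
        records.append({
            "objects": len(OBJ_RE.findall(delta)),
            "length": end,
            "delta": end - prev_end,
            "md5": hashlib.md5(data[:end]).hexdigest(),
            "linearized": prev_end == 0 and b"/Linearized" in delta,
        })
        prev_end = end
    return records

def has_incremental_updates(records):
    """Video's rule: 1 line = none; 2 lines with first linearized = none."""
    if not records:
        return False
    return len(records) > (2 if records[0]["linearized"] else 1)

def select_version(data, n, delta_only=False):
    """Bytes of version n (1-based), or only the bytes update n appended."""
    ends = [m.end() for m in EOF_MARKER.finditer(data)]
    start = ends[n - 2] if delta_only and n > 1 else 0
    return data[start:ends[n - 1]]
```

Selecting version 1 of the sample recovers the earlier passphrase object, which is exactly the recovery step shown for the PDF puzzle.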