'#1748 Creates customized carver class to carve PDFs with multiple

footer tags (one for each pdf edit/revision).
sepinf-inc · Sep 6, 2023 · 4c5052d · 4c5052d
1 parent f6eae92
commit 4c5052d
Show file tree

Hide file tree

Showing 2 changed files with 128 additions and 3 deletions.
diff --git a/iped-app/resources/config/conf/CarverConfig.xml b/iped-app/resources/config/conf/CarverConfig.xml
@@ -188,13 +188,15 @@
         </carverType>
 
         <carverType>
-            <!-- May be improved: if a PDF is edited, changes are appended to the end of file and a new footer is added, so it should also accumulate footers for PDFs -->
-            <name>PDF</name>
+            <name>PDF2</name>
+            <carverClass>iped.carvers.custom.PDFCarver</carverClass>
             <signatures>
                 <headerSignature>%PDF-</headerSignature>
+                <controlSignature>xref</controlSignature>
+                <controlSignature>startxref</controlSignature>
                 <footerSignature>%%EOF?</footerSignature>
             </signatures>
-            <minLength>1000</minLength>            
+            <minLength>1000</minLength>
             <maxLength>50000000</maxLength>
             <mediaType>application/pdf</mediaType>
         </carverType>

diff --git a/iped-carvers/iped-carvers-impl/src/main/java/iped/carvers/custom/PDFCarver.java b/iped-carvers/iped-carvers-impl/src/main/java/iped/carvers/custom/PDFCarver.java
@@ -0,0 +1,123 @@
+package iped.carvers.custom;
+
+import java.io.IOException;
+import java.util.ArrayDeque;
+
+import iped.carvers.api.Hit;
+import iped.carvers.standard.DefaultCarver;
+import iped.data.IItem;
+import iped.io.SeekableInputStream;
+import iped.utils.IOUtil;
+
+public class PDFCarver extends DefaultCarver {
+    Hit lastFooter = null;
+    private Hit lastXREF;
+    private long lastXREFOffset = -1;
+    boolean lastHitWasStartXRef = false;
+
+    @Override
+    public void notifyHit(IItem parentEvidence, Hit hit) throws IOException {
+        ArrayDeque<Hit> headersWaitingFooters = super.headersWaitingFooters;
+        if (hit.getSignature().isHeader()) {
+            // if previously occured a footer hit and a new header hit is found, carve from
+            // last footer
+            if (lastFooter != null) {
+                carveFromLastFooter(parentEvidence);
+            }
+            headersWaitingFooters.addLast(hit);
+        }
+
+        if (hit.getSignature().isFooter()) {
+            if (lastXREF == null) {
+                // footer without corresponding crossref => invalid PDF
+                resetState();
+            } else {
+                Hit lastHead = headersWaitingFooters.peekLast();
+                if (lastHead != null) {
+                    if (lastXREF.getOffset() - lastHead.getOffset() == lastXREFOffset) { // checks consistency of
+                                                                                         // crossref offset information
+                                                                                         // against header offset
+                        lastFooter = hit;
+                    } else {
+                        // probably invalid footer as crossref offset info is inconsistent
+                        resetState();
+                    }
+                } else {
+                    // try to carve incomplete PDF?
+                }
+            }
+        }
+
+        if (isXrefHit(hit) && !lastHitWasStartXRef) {
+            lastXREF = hit;
+        }
+
+        if (isStartXrefHit(hit)) {
+            lastXREFOffset = readXREFOffset(parentEvidence, hit);
+            lastHitWasStartXRef = true;
+        } else {
+            lastHitWasStartXRef = false;
+        }
+
+        clearOldHeaders(parentEvidence);
+    }
+
+    private void resetState() {
+        lastXREF = null;
+        lastXREFOffset = -1;
+    }
+
+    private boolean isStartXrefHit(Hit hit) {
+        return hit.getSignature().getSigString().equals("startxref");
+    }
+
+    private long readXREFOffset(IItem parentEvidence, Hit hit) {
+        SeekableInputStream is = null;
+        try {
+            is = parentEvidence.getSeekableInputStream();
+            long offset = 0;
+            is.seek(hit.getOffset() + 10);
+            int i = 0, off = 0;
+            i = is.read();
+            while (i != -1 && i >= 48 && i <= 57) {
+                offset = offset * 10 + (i - 48);
+                i = is.read();
+            }
+
+            return offset;
+
+        } catch (Exception e) {
+            e.printStackTrace();
+
+        } finally {
+            IOUtil.closeQuietly(is);
+        }
+
+        return -1;
+    }
+
+    private boolean isXrefHit(Hit hit) {
+        return hit.getSignature().getSigString().equals("xref");
+    }
+
+    private void carveFromLastFooter(IItem parentEvidence) throws IOException {
+        Hit head, firstHead = null;
+        while ((head = headersWaitingFooters.peekLast()) != null
+                && lastFooter.getOffset() - head.getOffset() <= head.getSignature().getCarverType().getMaxLength()) {
+            firstHead = headersWaitingFooters.pollLast();
+        }
+        if (firstHead != null) {
+            headersWaitingFooters.addLast(firstHead);
+            carveFromFooter(parentEvidence, lastFooter);
+        }
+        lastFooter = null;
+    }
+
+    public void notifyEnd(IItem parentEvidence) throws IOException {
+        if (lastFooter != null) {
+            carveFromLastFooter(parentEvidence);
+        }
+        super.notifyEnd(parentEvidence);
+    }
+
+}