1
00:00:01,020 --> 00:00:02,550
Hello and welcome back.

2
00:00:02,970 --> 00:00:13,550
In this video, we are going to take a look at PDF analysis tools when we are analyzing PDF documents,

3
00:00:14,010 --> 00:00:25,020
what we are looking for: suspicious keywords, for example OpenAction or the abbreviated AA, JavaScript

4
00:00:25,350 --> 00:00:27,270
or the abbreviation

5
00:00:27,320 --> 00:00:39,240
JS. We can also look for encoded data, and we can also use YARA to scan for patterns we have in the

6
00:00:39,240 --> 00:00:39,900
database.

7
00:00:39,900 --> 00:00:50,340
For YARA, a useful tool to use for a first preliminary investigation is

8
00:00:50,340 --> 00:00:52,680
pdfid.

9
00:00:52,680 --> 00:00:59,500
It identifies the PDF object types as well as any filters in the file.

10
00:01:00,330 --> 00:01:03,900
It is useful for triaging PDF documents.

11
00:01:04,470 --> 00:01:12,330
Triaging here means a preliminary scan where we try to identify whether the file is suspicious before

12
00:01:12,330 --> 00:01:15,210
embarking on a more detailed analysis.

13
00:01:16,080 --> 00:01:19,530
The tool can be found on the site listed here.

14
00:01:20,760 --> 00:01:30,670
One disadvantage of pdfid is that it only tells you what is in the document and not where it is.

15
00:01:31,800 --> 00:01:41,550
So this tool is not a complete PDF parser, but it was kind of fun to look for certain keywords,

16
00:01:41,880 --> 00:01:51,090
allowing you to identify PDF documents that contain, for example, JavaScript or execute an action

17
00:01:51,270 --> 00:01:55,580
on open. pdfid also handles obfuscation.

18
00:01:56,310 --> 00:02:06,840
The idea is to use this first to triage PDF documents and then analyze suspicious ones with pdf-

19
00:02:06,840 --> 00:02:07,560
parser.

20
00:02:12,030 --> 00:02:22,940
pdf-parser we use in the second stage of the analysis, after having used pdfid first, to detect,

21
00:02:22,950 --> 00:02:30,120
parse, search and extract data from PDF documents.

22
00:02:30,510 --> 00:02:39,570
It is also authored by the same creator, Didier Stevens. This website is by the same author who created

23
00:02:39,570 --> 00:02:40,590
pdfid.

24
00:02:42,680 --> 00:02:52,300
Some of the command line options that we can use with pdf-parser are as follows: -s followed by the term.

25
00:02:53,330 --> 00:03:02,790
So if we search for the term with -s, or use -o with a number, we will cause it to search for the object

26
00:03:02,960 --> 00:03:03,620
number.

27
00:03:04,910 --> 00:03:14,150
The -f option will decode the object, the -w option will display the results output in raw form,

28
00:03:15,020 --> 00:03:24,050
so pdf-parser allows you to extract all the objects which are obfuscated, unlike pdfid.

29
00:03:26,720 --> 00:03:33,410
This is the website where you can download pdfid as well as pdf-parser.

30
00:03:34,600 --> 00:03:44,350
The screenshot here shows a page from this website. It is called PDF Tools, so this particular output

31
00:03:44,350 --> 00:03:49,480
is the output for pdf-parser.py -h.

32
00:03:49,490 --> 00:03:51,640
.py is a Python script.

33
00:03:52,340 --> 00:03:57,970
And these are some of the common options that are available when you are running the script.

34
00:04:00,460 --> 00:04:10,330
Another useful tool which can do both what pdfid and pdf-parser do is called peepdf.

35
00:04:11,380 --> 00:04:15,400
peepdf combines multiple tools into one.

36
00:04:16,180 --> 00:04:24,700
You can find suspicious objects, decode data, as well as identify JavaScript.

37
00:04:26,290 --> 00:04:28,900
And this can be downloaded from this website.

38
00:04:29,830 --> 00:04:39,070
Some of the command line options that are available are -l, which is to run in loop mode, and -u,

39
00:04:39,100 --> 00:04:44,690
which is to update the program when it starts, and -i, interactive,

40
00:04:44,720 --> 00:04:52,460
which is useful if you want to decode certain objects that you have found while doing a full scan.

41
00:04:53,110 --> 00:05:01,960
So these are the tools that we will be looking at in the particular sessions that are coming up in the next few

42
00:05:02,110 --> 00:05:02,810
videos.

43
00:05:03,400 --> 00:05:06,260
So this brings us to the end of this video.

44
00:05:07,030 --> 00:05:08,470
Thank you for watching.