1
00:00:01,020 --> 00:00:02,550
Hello and welcome back.

2
00:00:02,970 --> 00:00:13,550
In this video, we are going to take a look at video analysis tools when we are analyzing PDAF documents,

3
00:00:14,010 --> 00:00:25,020
what we are looking for, suspicious keywords, for example, or action or the abbreviated a JavaScript

4
00:00:25,350 --> 00:00:27,270
or the abbreviation.

5
00:00:27,320 --> 00:00:39,240
Yes, we can also look for encoded data and we can also use YAARA to scan for patterns we have in the

6
00:00:39,240 --> 00:00:39,900
database.

7
00:00:39,900 --> 00:00:50,340
For Yaara, a useful tool to use for first preliminary investigation is a PDF.

8
00:00:50,340 --> 00:00:52,680
I'd be it.

9
00:00:52,680 --> 00:00:59,500
I'd identify the PDF object types as well as you got any filters in the file.

10
00:01:00,330 --> 00:01:03,900
It is useful for triaging PDF documents.

11
00:01:04,470 --> 00:01:12,330
Triaging here means preliminary scan where we try to identify whether the file is suspicious before

12
00:01:12,330 --> 00:01:15,210
embarking into a more detailed analysis.

13
00:01:16,080 --> 00:01:19,530
The two can be found in this site here as listed here.

14
00:01:20,760 --> 00:01:30,670
One disadvantage, or providea is that it only tells you what is in the document and not where it is.

15
00:01:31,800 --> 00:01:41,550
So this too is not completing the PDI parser, but it was kind of fun to look for certain keywords,

16
00:01:41,880 --> 00:01:51,090
allowing you to identify PDAF documents that contain, for example, JavaScript or execute an action

17
00:01:51,270 --> 00:01:55,580
and open PDAF also handle the obfuscation.

18
00:01:56,310 --> 00:02:06,840
The idea is to use this to first to try PDF documents and then analyze suspicious ones with the PDF

19
00:02:06,840 --> 00:02:07,560
parser.

20
00:02:12,030 --> 00:02:22,940
Bereft parser we use in the second stage of the analysis, after having used PDF, I'd first bedecked

21
00:02:22,950 --> 00:02:30,120
bus passes, searcher's and a stress data from PDF documents.

22
00:02:30,510 --> 00:02:39,570
It is also altered by the same creator Deedes Stevens in this website is the same author who created

23
00:02:39,570 --> 00:02:40,590
video ID.

24
00:02:42,680 --> 00:02:52,300
Some of the command line options that we can use, we believe Parsa is as followed by the term.

25
00:02:53,330 --> 00:03:02,790
So if we search for the term Daesh or for ENVIRON No, we will cause it to search for the object.

26
00:03:02,960 --> 00:03:03,620
No.

27
00:03:04,910 --> 00:03:14,150
That often will decode the object, that absorption will display the results output in raw form, it

28
00:03:15,020 --> 00:03:24,050
so believed it allows you to extract all the objects which are obfuscated and like PIDF Heidi.

29
00:03:26,720 --> 00:03:33,410
This is the website where you can download the PDF, ID as well as PDF passa.

30
00:03:34,600 --> 00:03:44,350
The screenshot here shows a page from this website, it is called PDF Tu's, so this particular output

31
00:03:44,350 --> 00:03:49,480
is the output for PDF, Buzzer Beater Password and HP.

32
00:03:49,490 --> 00:03:51,640
Why is a Python script?

33
00:03:52,340 --> 00:03:57,970
And these are some of the common options that are available when you are writing the script.

34
00:04:00,460 --> 00:04:10,330
Another useful tool which can do both what Idee and PDAF parser do is call a PDF.

35
00:04:11,380 --> 00:04:15,400
PDF combines multiple tools into one.

36
00:04:16,180 --> 00:04:24,700
You can find suspicious objects, decode data and as well as identify JavaScript.

37
00:04:26,290 --> 00:04:28,900
And this can be downloaded from this website.

38
00:04:29,830 --> 00:04:39,070
Some of the command line options that are available is Dashi, which is to run in Limor and Deshu,

39
00:04:39,100 --> 00:04:44,690
which is to update the program when it starts the eye in line.

40
00:04:44,720 --> 00:04:52,460
What is useful if you wanted to decode certain objects that you have found who are doing a full scan?

41
00:04:53,110 --> 00:05:01,960
So these are tools that will be looking at in the particular session that is coming up in the next few

42
00:05:02,110 --> 00:05:02,810
videos.

43
00:05:03,400 --> 00:05:06,260
So this brings us to the end of this video.

44
00:05:07,030 --> 00:05:08,470
Thank you for watching.