CSIS Tech Blog

CSIS RESEARCH - Acrobat Reader Connector Icons

Written by Dénes Olivér Óvári | Apr 4, 2024 1:43:52 PM
Acrobat Reader Connector Icons
Leveraging Acrobat Reader’s thumbnail cache during DFIR

Dénes Olivér Óvári, Detection and Response Architect
CSIS Security Group A/S

At the beginning of 2015, Adobe rolled out a set of integrated services called Document Cloud in order to streamline the way their users work with digital documents. A key element of the Document Cloud offering was the newest version of Adobe’s PDF solution, Adobe Acrobat DC, which introduced a revamped, more intuitive user interface among other features.

A part of the new UI was a list of the recently opened documents on the application’s “Home” tab, including thumbnail images for each file, serving as visual cues to simplify navigation.

This post looks into the implementation of this particular feature and the artifacts it leaves behind — the latter could be immensely useful during Digital Forensics and Incident Response assignments.

Three “Connector Icons” in Adobe Acrobat Reader

Overview

When a previously unseen document is opened, Acrobat Reader:

  • saves a thumbnail of its first page to an image file,
  • creates a registry entry containing the path and the last modified time of the document, plus a reference to the thumbnail image’s name,

with a few exceptions mentioned below.

Internally, the feature itself seems to be called “cloud connector”, and the thumbnails are referred to as “connector icons”.

The “connector icon-cache” may grow quite large. Often there is metadata on several dozens or even hundreds of documents opened previously on the workstation.

Thumbnails

The thumbnails are stored under the user’s AppData/LocalLow folder:

BMP thumbnails in the LocalLow folder

This location is intended to be the location where “low integrity” applications could store data specific to the actual computer.

A couple of “Connector Icons” on Windows, original size

The thumbnails themselves are relatively small BMP files: their longer edge was always shorter than 200px in the cases I’ve seen.

Registry Keys

The registry entries contain:

  • the path of the PDF file,
  • the name of the thumbnail file, and
  • the PDF file’s modification timestamp.

Apparently the documents are identified only by their path: the application keeps using the existing thumbnail even if the PDF file on disk was replaced with a different one under the same name.

Protected PDF Documents

PDF documents could be secured with two types of passwords:

  • The document open password, just like its name implies, requires the user to enter a password to open the document.
  • The permissions (or master) password protects the permission settings (copying, editing, printing). The user can open the document without it, unless an open password is set too.

The behaviour of the Connector Icons feature is consistent with these principles when it deals with protected PDF documents. Acrobat does not generate a Connector Icon cache entry if either the author of the PDF file set a “document open” password, or copying the contents of the file is prohibited by other document security settings.

The “Clear recent” feature

“Clear recent” in the bottom right corner

Pruning the whole icon-cache takes only two clicks — the clickable “Clear recent” label appears at the bottom right of the Home tab. Once the user confirms their choice, all recent file entries immediately disappear from the interface. However, the registry entries and the BMP files are in fact only removed when the application quits.

Forensic Artifacts on Windows

Hard Drive

BMP files located in:

C:\Users\%USERNAME%\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\

The filenames consist of the following elements concatenated with a minus sign:

  • the icon string,
  • UTC date and time — its format-string would look like %y%m%d%H%M%SZ, and
  • an arbitrary integer.

For example: icon-231203135022Z-146.bmp

Registry

Entries under the following keys:

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVConnector\cIconCache\c*

The entry under HKCU

Containing:

  • sFileKey: the filename,
  • slastModifiedHeader: the file’s last modification time — a UNIX timestamp,
  • surlKey: the normalised path of the file.

For example:

sFileKey icon-231203135022Z-146.bmp
slastModifiedHeader 1681225925
surlKey /C/Users/%USERNAME%/Desktop/readme.pdf
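The following script is an added example (not part of the original post) that turns the thumbnail filename format and the three cIconCache values described above into a single timeline record: it decodes the %y%m%d%H%M%SZ timestamp in sFileKey, converts slastModifiedHeader from a UNIX timestamp, and maps the normalised surlKey back to a Windows path. The sample entry and the username are constructed; treating the filename timestamp as the time the thumbnail was generated is an assumption drawn from the post's description.

```python
import re
from datetime import datetime, timezone

# Filename layout from the post: icon-<%y%m%d%H%M%SZ>-<integer>.bmp
ICON_RE = re.compile(r"^icon-(\d{12})Z-(\d+)\.bmp$")


def parse_icon_name(name):
    """Return (UTC datetime embedded in the name, trailing integer) or None."""
    m = ICON_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return stamp, int(m.group(2))


def surl_to_windows_path(surl):
    """Convert the normalised surlKey form (/C/Users/...) back to C:\\Users\\..."""
    m = re.match(r"^/([A-Za-z])/(.*)$", surl)
    if not m:
        return surl  # non-local or unexpected form: leave untouched
    return f"{m.group(1).upper()}:\\" + m.group(2).replace("/", "\\")


def build_record(entry):
    """entry: dict of the three value names found under cIconCache\\c*."""
    parsed = parse_icon_name(entry["sFileKey"])
    modified = datetime.fromtimestamp(int(entry["slastModifiedHeader"]), tz=timezone.utc)
    return {
        "pdf_path": surl_to_windows_path(entry["surlKey"]),
        "pdf_modified_utc": modified,
        "thumbnail": entry["sFileKey"],
        # Assumption: the filename timestamp is when the thumbnail was generated
        "thumbnail_created_utc": parsed[0] if parsed else None,
        # A thumbnail older than the PDF's mtime hints that the file changed on disk
        "thumbnail_newer_than_pdf": parsed is not None and parsed[0] >= modified,
    }


# Constructed sample mirroring the values quoted in the post (not real case data)
SAMPLE_ENTRY = {
    "sFileKey": "icon-231203135022Z-146.bmp",
    "slastModifiedHeader": "1681225925",
    "surlKey": "/C/Users/analyst/Desktop/readme.pdf",
}

if __name__ == "__main__":
    for key, value in build_record(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

On a live system the same values can be exported from HKCU with reg.exe and fed in one entry per c* subkey.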

On Android, too!

The Android version of Acrobat Reader creates and uses thumbnails for the same purpose. These are cached in an SQLite database located in the app-specific storage provided by the Android OS, such as:

/data/data/com.adobe.reader/databases/com.adobe.reader.filebrowser.ARThumbnailDatabase

The thumbnails are stored as Base64-encoded PNG images in a table called ARThumbnailTable, identified by the path of the PDF file they represent.

These thumbnails are somewhat larger compared to those generated by the Windows version — the images in the database shown above were all padded to 241x341px by the application.
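As an added example (not the post's own tooling), the script below pulls rows out of an ARThumbnailTable-style SQLite database, Base64-decodes each thumbnail, verifies it is a PNG and reads its dimensions from the IHDR chunk so the padded size noted above can be checked per row. The column names filePath and thumbnail, the sample paths and the in-memory database are all constructed assumptions; inspect the real schema before pointing it at a device extraction.

```python
import base64
import sqlite3
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """Return (width, height) from the IHDR chunk, or None if data is not a PNG."""
    if not data.startswith(PNG_SIG) or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def extract_thumbnails(conn):
    """Yield (pdf_path, png_bytes, dimensions) for every decodable row.
    Column names are assumed; check with `.schema ARThumbnailTable` first."""
    for path, b64 in conn.execute("SELECT filePath, thumbnail FROM ARThumbnailTable"):
        try:
            png = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError: skip corrupt rows
            continue
        yield path, png, png_dimensions(png)


def make_png(width, height):
    """Build a minimal valid 8-bit grayscale PNG (constructed sample image)."""
    def chunk(tag, body):
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte + row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def build_sample_db():
    """In-memory stand-in for ARThumbnailDatabase populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ARThumbnailTable (filePath TEXT PRIMARY KEY, thumbnail TEXT)")
    conn.executemany("INSERT INTO ARThumbnailTable VALUES (?, ?)", [
        ("/storage/emulated/0/Download/invoice.pdf", base64.b64encode(make_png(241, 341)).decode()),
        ("/storage/emulated/0/Download/broken.pdf", "not-base64!!"),
    ])
    return conn


def list_thumbnails(conn):
    """Summarise the cache as (pdf_path, (width, height)) pairs."""
    return [(path, dims) for path, _, dims in extract_thumbnails(conn)]


if __name__ == "__main__":
    for path, dims in list_thumbnails(build_sample_db()):
        print(path, dims)
```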

Wrapping Up

The Connector Icon cache’s metadata provides DFIR investigators with additional indicators of activity related to PDF documents:

  • A thumbnail image of the document’s first page is kept in the AppData folder, and
  • the path and last modification time of the PDF file is kept in a registry entry.

These two entries are linked by the thumbnail image’s filename.

Versions:

  • Adobe Acrobat Reader (Android) 24.1.0.30990
  • Adobe Acrobat Reader (Windows) 23.6.20380.0

“Adobe, Document Cloud, the Adobe logo, Acrobat are either registered trademarks or trademarks of Adobe in the United States and/or other countries.”

“Android is a trademark of Google LLC.”

“Microsoft, Windows are trademarks of the Microsoft group of companies.”

Originally published on the author's blog.