Forensics: Adobe Acrobat Reader ConnectorIcons
ConnectorIcons: File Opening Forensic Artefact for Adobe Acrobat Reader
Whilst investigating the root-cause of a Qakbot infection this week, I stumbled upon an unfamiliar (to me at least) and undocumented file opening forensic artefact for Adobe Acrobat Reader. It was so useful to my investigation, I thought I'd share my findings with the wider DFIR community. Note that the research below only applies to PDF files which are opened with Adobe Acrobat Reader and that "ConnectorIcons" will not be created for PDFs opened in web browsers.
What's a ConnectorIcon?
When you open PDFs with Reader, the software creates a thumbnail image of the first page of the document to populate the Recent items list. These images are known as "ConnectorIcons".
The bitmap images themselves can be found under the directory:
C:\Users\%Username%\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Each ConnectorIcon bitmap (.bmp) file carries the UTC date and time at which it was created in its filename, in the format YYMMDDHHMMSS (followed by a "Z" for UTC). See below for an example filename:
icon-230426180225Z-7243.bmp
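As an added example (not code from the original post), here is a small Python helper that parses the timestamp encoded in ConnectorIcons filenames and turns a listing of them into a UTC timeline of PDF opening events, attributed to the user profile they were found under. The sample filenames are constructed, and the directory path is the one given above relative to a user's profile root.

```python
import re
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Location relative to a user's profile root, as documented above.
CONNECTOR_ICONS_DIR = Path(r"AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons")

# Filename shape: icon-<YYMMDDHHMMSS>Z-<numeric suffix>.bmp
ICON_NAME = re.compile(r"^icon-(\d{12})Z-(\d+)\.bmp$", re.IGNORECASE)


def parse_icon_timestamp(filename: str) -> Optional[datetime]:
    """Return the UTC open time encoded in a ConnectorIcon filename, or None."""
    m = ICON_NAME.match(filename)
    if not m:
        return None
    # The trailing 'Z' marks UTC, so attach a UTC tzinfo explicitly.
    return datetime.strptime(m.group(1), "%y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def build_timeline(entries: Iterable[Tuple[str, str]]) -> List[Tuple[datetime, str, str]]:
    """entries: (username, filename) pairs. Returns rows of
    (utc_open_time, username, filename) sorted by time; non-matching names are skipped."""
    rows = []
    for user, name in entries:
        ts = parse_icon_timestamp(name)
        if ts is None:
            continue
        rows.append((ts, user, name))
    rows.sort()
    return rows


def scan_profile(profile_root: Path, username: str) -> List[Tuple[datetime, str, str]]:
    """Enumerate ConnectorIcons under one user profile (e.g. on a mounted image)."""
    icons_dir = profile_root / CONNECTOR_ICONS_DIR
    if not icons_dir.is_dir():
        return []
    return build_timeline((username, p.name) for p in icons_dir.iterdir())


if __name__ == "__main__":
    # Constructed sample listing, not real case data.
    sample = [
        ("alice", "icon-230426180225Z-7243.bmp"),
        ("alice", "icon-230425093012Z-1001.bmp"),
        ("bob", "Thumbs.db"),  # unrelated file, ignored
    ]
    for ts, user, name in build_timeline(sample):
        print(f"{ts.isoformat()}  {user:<8} {name}")
```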
Why is it useful?
ConnectorIcons are only created when a PDF is opened in Reader, so they can be considered a high-confidence artefact of file opening.
ConnectorIcons are created in the user space of the file opening user, which is again useful as the file opening can be attributed to a specific account.
The creation time of ConnectorIcons files on disk corresponds to the time that the PDF was first opened in Reader, which provides investigators with a timestamp of file opening activity.
ConnectorIcons remain on disk even after the PDFs themselves have been deleted.
ConnectorIcons are image files! So investigators can see what a file looked like when it was opened by the user.
Use case: In my Qakbot investigation, with this artefact alone I was able to determine that a since-deleted PDF was opened, the time it was opened, the user account it was opened using, and what the PDF looked like (like a phish!).
Limitations
Unfortunately for analysts, if a user clicks the "Clear Recent" button within Reader, the ConnectorIcon files are removed :(
Published 26 April 2023