Forensics: Adobe Acrobat Reader ConnectorIcons

ConnectorIcons: File Opening Forensic Artefact for Adobe Acrobat Reader

Whilst investigating the root cause of a Qakbot infection this week, I stumbled upon an unfamiliar (to me at least) and undocumented file-opening forensic artefact for Adobe Acrobat Reader. It was so useful to my investigation that I thought I'd share my findings with the wider DFIR community. Note that the research below only applies to PDF files opened with Adobe Acrobat Reader: "ConnectorIcons" are not created for PDFs opened in web browsers.

What's a ConnectorIcon?

When you open PDFs with Reader, the software creates a thumbnail image of the first page of the document to populate the Recent items list. These images are known as "ConnectorIcons".

The bitmap images themselves can be found under the directory:

C:\Users\%Username%\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons

Each ConnectorIcon bitmap (.bmp) file carries the UTC date and time at which it was created in its filename, in the format YYMMDDHHMMSS followed by a "Z". See below for an example filename:

icon-230426180225Z-7243.bmp
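As an added example (not code from the original post), the following Python script turns a listing of ConnectorIcon paths into a per-user, oldest-first timeline of PDF openings, decoding the YYMMDDHHMMSS"Z" stamp as UTC and pulling the account name from the C:\Users\<name>\ part of the path. The sample paths are constructed, files that do not match the naming pattern are skipped, and the trailing number in the filename is kept as an opaque id because its meaning is not documented.

```python
import re
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# icon-<12 digits>Z-<digits>.bmp ; the trailing number is treated as an opaque id
ICON_NAME = re.compile(r"^icon-(\d{12})Z-(\d+)\.bmp$", re.IGNORECASE)

# Constructed sample paths standing in for a directory listing (not real case data).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-230426180225Z-7243.bmp",
    r"C:\Users\alice\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-230425091500Z-1102.bmp",
    r"C:\Users\bob\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-230426080000Z-15.bmp",
    r"C:\Users\bob\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\desktop.ini",  # not an icon
]

def parse_icon_name(name):
    """Return (opened_utc, suffix) for a ConnectorIcon filename, else None."""
    m = ICON_NAME.match(name)
    if not m:
        return None
    try:  # reject names whose digits do not form a valid date/time
        opened = datetime.strptime(m.group(1), "%y%m%d%H%M%S")
    except ValueError:
        return None
    return opened.replace(tzinfo=timezone.utc), m.group(2)

def user_from_path(path):
    """Pull the account name out of a C:\\Users\\<name>\\... path."""
    parts = PureWindowsPath(path).parts
    try:
        return parts[[p.lower() for p in parts].index("users") + 1]
    except (ValueError, IndexError):
        return None

def build_timeline(paths):
    """One record per icon, oldest first, ready to drop into a super-timeline."""
    records = []
    for p in paths:
        name = PureWindowsPath(p).name
        parsed = parse_icon_name(name)
        if parsed is None:
            continue  # unrelated file in the ConnectorIcons directory
        opened, suffix = parsed
        records.append({"opened_utc": opened.isoformat(), "user": user_from_path(p),
                        "icon": name, "suffix": suffix})
    records.sort(key=lambda r: r["opened_utc"])
    return records

if __name__ == "__main__":
    for r in build_timeline(SAMPLE_PATHS):
        print(f"{r['opened_utc']}  {r['user']:<8} {r['icon']}")
```

Run it over a real listing (for example the output of `dir /b` on the ConnectorIcons directory, prefixed with the full path) to get the opening times for every PDF a user still has in Recent items.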

Why is it useful?

Use case: In my Qakbot investigation, with this artefact alone I was able to determine that a since-deleted PDF was opened, the time it was opened, the user account it was opened using, and what the PDF looked like (like a phish!).

Limitations

Unfortunately for analysts, if a user clicks the "Clear Recent" button within Reader, the ConnectorIcon files are removed :(

Published 26 April 2023