Blog >> Adobe Acrobat Reader

Investigating Adobe Acrobat Reader

17/08/2021 Tuesday

Adobe Acrobat Reader is part of Adobe family. It is a cross-platform application which enables the user to view, comment, sign, print, share, collect and track feedback of PDF files for free. The software offers a variety of other features such as creating, editing, and exporting PDF files; however, it requires the user to purchase a subscription.


Digital Forensics Value of Adobe Acrobat Reader Artifacts


Adobe Acrobat Reader is widely used by the general public as it has become an essential part in handling and interacting with PDF files. Adobe Acrobat Reader artifacts provide examiners with detailed information about the recently accessed files, the location of these files, and which files have been favorited by the user. Additionally, they enable the examiners to review information related to the logged in local user. Being able to track the history of files accessed using Adobe Acrobat Reader and other details can be critical during the digital forensic analysis process.


Location of Adobe Acrobat Reader Artifacts


Adobe Acrobat Reader artifacts are located in the NTUSER.dat registry hive at the following locations:

NTUSER.DAT\Software\Adobe\Acrobat Reader\DC\AVGeneral\
NTUSER.DAT\Software\Adobe\Acrobat Reader\DC\SessionManagement
NTUSER.DAT\Software\Adobe\Acrobat Reader\DC\ShareIdentity


Structure of Adobe Acrobat Reader Artifacts


Adobe Acrobat Reader artifacts are stored in NTUSER.DAT registry hive. The registry hive format is a binary file with a group of keys, subkeys, and values. Acrobat Reader key contains multiple subkeys that store information such as recently accessed files, the location of these files, and much more.


Analyzing Adobe Acrobat Reader Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to analyze Adobe Acrobat Reader artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Adobe Acrobat Reader artifacts:




ArtiFast can analyze Adobe Acrobat Recent Files, Recent Locations, General Info, Favorite Files, and User Information. For demonstration purposes, all the artifacts have been chosen, however, you have the option to select one or more artifacts.



Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Adobe Acrobat artifact in ArtiFast software.


Adobe Acrobat Favorite Files Artifact

This artifact contains information related to the files that have been favorited by the user. The details you can view include:


Adobe Acrobat General Info Artifact

This artifact contains general information about the software on a Windows device. The details you can view include:


Adobe Acrobat Recent Files Artifact

This artifact contains information about the recently opened files. The details you can view include:


Adobe Acrobat Recent Locations Artifact

This artifact contains information about recent locations. The details you can view include:


Adobe Acrobat User Information Artifact

This artifact contains information about the logged in local user. The details you can view include: