New information extracted from Snowden PDFs through metadata version analysis

It's hilarious the extent to which Adobe Systems's ridiculously futile attempt to chase MS Word features ended up being the single most productive espionage tool of the last quarter century.

New OSINT skill unlocked

Microsoft Word once had a "Fast Save" feature which did this. It's hard to find much information about it these days. Supposedly it was removed in Office 2003 SP3: https://www.betaarchive.com/wiki/index.php?title=Microsoft_K....

> The "print and scan physical papers back to a PDF of images" technique for final release is looking better and better from an information protection perspective.

Note that all (edit: color-/ink-) printers have "invisible to the human eye" yellow dotcodes, which contain their serial number, and in some cases even the public IP address when they've already connected to the internet (looking at you, HP and Canon).

So I'd be careful to use a printer of any kind if you're not in control of the printer's firmware.

There's lots of tools that started to decode the information hidden in dotcodes, in case you're interested [1] [2] [3]

[1] https://github.com/Natounet/YellowDotDecode

[2] https://github.com/mcandre/dotsecrets

[3] (when I first found out about it in 2007) https://fahrplan.events.ccc.de/camp/2007/Fahrplan/events/197...

a better approach is to convert them to jpeg/png. Then convert that to raw BMP, and then share or print that.

A more modern approach for text documents would be to have an LLM read and rephrase, and restructure everything without preserving punctuation and spacing, using a simple encoding like utf-8, and then use the technique above or just take analog pictures of the monitor. The analog (film) part protects against deepfakes and serves as proof if you need it (for the source and final product alike).

There various solutions out there after the leaks that keep happening where documents and confidential information is served/staged in a way that will reveal the person with who it is shared. Even if you copy paste the text into notepad and save it in ascii format, it will reveal you. Off-the-shelf printers are of course a big no-no.

If all else fails, that analog picture technique works best for exfil, but the final thing you share will still track back to you. I bet spies are back to using microfilms these days.

I only say all of that purely out of a fascination into the subject and for the sake of discussion (think like a thief if you want to catch one and all). Ultimately, you shouldn't share private information with unauthorized parties, period. Personal or otherwise. If you, like snowden, feel that all lawful means are exhausted and that is your only option to address some grievance, then don't assume any technique or planning will protect you, if it isn't worth the risk of imprisonment, then you shouldn't be doing it anyways. Assume you will be imprisoned or worse.

I suppose I'd just save the pdf to tiff/png then remake back into a pdf from there to avoid printing and scanning?

if really paranoid, I suppose one could run a filter on the image files to make them a bit fuzzy/noisy

Why not just make screenshoot of every PDF page?

Is there a multifunction B&W printer which prints and then automatically positions the paper on the scanner and scans?

That'd be fun to make Section 508 compliant at mass scale.

Take a look at the REMNux reverse engineering page for PDF documents (https://docs.remnux.org/discover-the-tools/analyze+documents...). Lots of tools here for looking at malicious PDFs that can be used to inspect/understand even non-malicious documents.

In what contest do you use that tool? Looks like that page is primarily about editing pdfs using that format rather than inspecting.

Very tempting to fool around with the ideas especially after the Epstein pdf debacle.

Thank you. The most recent completely new information from the Snowden files is found in Jacob Appelbaum's 2022 thesis[1], in which he revealed information that had not been previously public (not found on any previously published documents and so on). And AFAIK, the most recent new information from the published documents (along with this post) might actually be in our other posts[2], but there might be some others we aren't aware of.

[1]: https://www.electrospaces.net/2023/09/some-new-snippets-from...

[2]: Part 2: https://libroot.org/posts/going-through-snowden-documents-pa...

and part 3: https://libroot.org/posts/going-through-snowden-documents-pa...

Why are the journalists redacting the docs? That's incredibly puzzling.

Is there something in here so damaging that they refuse to publish it?

Did the government tell them they'd be in trouble if they published it?

Are the journalists the only ones with access to the raw files?

You can replace objects in PDF documents. A PDF is mostly just a bunch of objects of different types so the readers know what to do with them. Each object has a numbered ID. I recommend mutool for decompressing the PDF so you can read it in a text editor:

    mutool clean -d in.pdf out.pdf

If you look below you can see a Pages list (1 0 obj) that references (2 0 R) a Page (2 0 obj).

    1 0 obj
    <<
      /Type /Pages
      /Count 1
      /Kids [ 2 0 R ]
    >>
    endobj

    2 0 obj
    <<
      /Type /Page
      /Contents 5 0 R
      ...
    >>
    endobj

Rather than editing the PDFs in place, it's possible to update these objects to overwrite them by appending a new "generation" of an object. Notice the 0 has been incremented to a 1 here. This allows leaving the original PDF intact while making edits.

    1 1 obj
    <<
      /Type /Pages
      /Count 2
      /Kids [ 2 0 R 200 0 R ]
    >>
    endobj

You can have anything inside a PDF that you want really and it could be orphaned so a PDF reader never picks up on it. There's nothing to say an object needs to be referenced (oh, there's a "trailer" at the end of the PDF that says where the Root node is, so they know where to start).

At the bottom of the page there's a link to the pdfresurrect package, whose description says

"The PDF format allows for previous changes to be retained in a revised version of the document, thereby keeping a running history of revisions to the document.

This tool extracts all previous revisions while also producing a summary of changes between revisions."

PDFs are just a table of objects and tree of references to those objects; probably, prior versions of the document were expressed in objects with no references or something like that.

I think it's likely someone already discovered this. It's just that info is not broadcasted to people who want to comment on this thread.

I wonder if it’s because of all the attention on the Epstein PDF files.

Anyone tried this?

Yes, the journalists did the redactions. The metadata timestamps in one of the documents show that the versions were created three weeks before the publication.

And to be honest, the journalists generally have done a great work on pretty much in all the other published PDFs. We've went through hundreds and hundreds of the published documents, and these two documents were pretty much the only ones which had metadata leak by a mistake revealing something significant (there are other documents as well with metadata leaks/failed redactions, but nothing huge). Our next part will be a technical deep-dive on PDF forensic/metadata analysis we've done.

Are you asking how much was done with pen and paper, and how much of it was done on a computer, i.e. machine assisted? Where do you draw the line? How is "hands-on" in contrast to anything? Is it only "hands-on" when you don't use any tool to assist you?

I suspect you're inquiring about the use of LLMs, and about that I wonder: Why does it matter? Why are you asking?

That itself would be a very convenient lie if the disclosures were damaging or embarrassing.

Maybe you should include a source, especially if you're making claims about alleged "disinformation"? :-)