AF-2DFB-DOC · Document / PDF
Hidden Data in PDF
DOWNLOADABLE real PDF (invoice). The real evidence is data appended AFTER the %%EOF trailer; the visible 'ref' in the text is a decoy.
Scenario
An openable real PDF invoice. The suspect hid data by appending it AFTER the PDF's %%EOF trailer (readers ignore it, forensics finds it). The visible invoice text has a plausible but harmless 'ref' flag (decoy). The metadata (Author) is an identifier. Find the real hidden flag and the hiding technique; do not report the visible decoy.
Anti-forensics techniques
- Data appended after %%EOF (hiding)
- Visible fake 'ref' flag (red herring)
- Metadata analysis (Author/Producer)
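The first and third techniques above can be checked with a short script. This is an added example, not part of the challenge or its solution; the function names and the sample bytes are constructed for illustration. It assumes a classic `startxref` trailer and an /Author stored as a literal string.

```python
import re

# Structural end of a PDF revision: "startxref <offset> %%EOF".
# Anchoring on this, not a bare "%%EOF", avoids stray marker text in a payload.
TRAILER = re.compile(rb"startxref\s+\d+\s+%%EOF")
# /Author as a literal (...) string only; hex strings <...> are not handled.
AUTHOR = re.compile(rb"/Author\s*\(((?:\\.|[^\\)])*)\)")

def trailing_data(pdf: bytes):
    """Return (offset, bytes) of whatever follows the LAST trailer.

    Incrementally updated PDFs legitimately contain several %%EOF markers,
    so only bytes after the final one are suspicious.
    """
    matches = list(TRAILER.finditer(pdf))
    if not matches:
        raise ValueError("no startxref/%%EOF trailer found")
    end = matches[-1].end()
    # A single end-of-line after %%EOF is normal; skip it before carving.
    while end < len(pdf) and pdf[end:end + 1] in (b"\r", b"\n"):
        end += 1
    return end, pdf[end:]

def author(pdf: bytes):
    """Return the /Author literal string, or None if absent."""
    m = AUTHOR.search(pdf)
    return m.group(1).decode("latin-1") if m else None

def build_sample(payload: bytes = b"") -> bytes:
    """Constructed two-revision PDF skeleton (not a renderable document)."""
    rev1 = (b"%PDF-1.4\n1 0 obj\n<< /Author (constructed-author) >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R >>\nstartxref\n9\n%%EOF\n")
    rev2 = (b"2 0 obj\n<< /Type /Annot >>\nendobj\n"
            b"trailer\n<< /Prev 9 >>\nstartxref\n120\n%%EOF\n")
    return rev1 + rev2 + payload

if __name__ == "__main__":
    sample = build_sample(b"CONSTRUCTED-PAYLOAD\n")
    offset, extra = trailing_data(sample)
    print("author:", author(sample))
    print(f"{len(extra)} trailing bytes at offset {offset}: {extra!r}")
```

A non-empty result is the finding to report, together with its offset; a payload that itself imitates a trailer would need each revision inspected separately.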
Provided artifacts
- PDF document (invoice, hidden appended data)
Sample questions
- q1: What is the real flag hidden after %%EOF?
- q2: With which technique was the data hidden? (e.g. appended / after EOF)
- q3: Who is the Author in the PDF metadata?
- trap1: Do NOT report the visible 'ref' flag in the text as evidence.
Soundness trap
The visible 'ref' flag is a harmless archive tag; reporting it as evidence is heavily penalized. The real evidence is hidden AFTER %%EOF.
Scoring
Hidden-data extraction + visible-decoy resistance (soundness).
The answer key is hidden (scored set); the flag is encrypted, so you must decrypt it.