Acrobat Reader Connector Icons

Dénes Olivér Óvári
Mar 5, 2024

Leveraging Acrobat Reader’s thumbnail cache during DFIR

Hundreds of thumbnails of PDF files previously opened in Acrobat Reader may remain on Windows workstations and Android™ phones, with additional metadata on a number of the more recent entries.

At the beginning of 2015, Adobe rolled out a set of integrated services called Document Cloud in order to streamline the way their users work with digital documents. A key element of the Document Cloud offering was the newest version of Adobe’s PDF solution, Adobe Acrobat DC, which introduced a revamped, more intuitive user interface among other features.

A part of the new UI was a list of the recently opened documents on the application’s “Home” 🏠 tab, including thumbnail images for each file, serving as visual cues to simplify navigation.

This post looks into the implementation of this particular feature and the artifacts it leaves behind, from a digital forensics perspective.

Three “Connector Icons” in Adobe Acrobat Reader

Overview

When a previously unseen document is opened, Acrobat Reader:

  • saves a thumbnail of its first page to an image file,
  • creates a registry entry containing the path and the last modified time of the document, plus a reference to the thumbnail image’s name,

with a few exceptions mentioned below.

Internally, the feature itself seems to be called “cloud connector”, and the thumbnails are referred to as “connector icons”.

The “connector icon-cache” may grow quite large. Often there is metadata on several dozen or even hundreds of documents opened previously on the workstation.

Thumbnails

The thumbnails are stored under the user’s AppData/LocalLow folder:

BMP thumbnails in the LocalLow folder

This folder is intended as the place where “low integrity” applications can store data specific to the actual computer.

A couple of “Connector Icons” on Windows — original size

The thumbnails themselves are relatively small BMP files: their longer edge was always shorter than 200px in the cases I’ve seen.

Registry Keys

The registry entries contain:

  • the path of the PDF file,
  • the name of the thumbnail file, and
  • the PDF file’s modification timestamp.

Apparently the documents are only identified by their name, as the application keeps using the existing thumbnail even if the PDF file was replaced with another one on the hard drive.

Protected PDF Documents 🔑

PDF documents can be secured with two types of passwords:

  • The document open password, just as its name implies, requires the user to enter a password to open the document.
  • The permissions password, or master password, protects the permission settings (copying, editing, printing). The user can still open the document, unless an open password is set too.

The behaviour of the Connector Icons feature is in line with the principles above when it deals with protected PDF documents. Acrobat does not generate a Connector Icon cache entry if either the author of the PDF file set a “document open” password, or copying the contents of the file is prohibited by other document security settings.

The “Clear recent” feature

“Clear recent” in the bottom right corner

Pruning the whole icon-cache takes only two clicks — the clickable “Clear recent” label appears at the bottom right of the Home tab. Once the user confirms their choice, all recent file entries immediately disappear from the interface. However, the registry entries and the BMP files are in fact only removed when the application quits.

Forensic Artifacts on Windows 🕵🏽

Hard Drive 🖴

BMP files located in:

C:\Users\%USERNAME%\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\

The filenames consist of the following elements concatenated with a minus sign:

  • the literal string icon,
  • UTC date and time — its format-string would look like %y%m%d%H%M%SZ,
  • and an arbitrary integer.

For example: icon-231203135022Z-146.bmp

Registry

Entries under the following keys:

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVConnector\cIconCache\c*
The entry under HKCU

Containing:

  • sFileKey: the filename of the thumbnail,
  • slastModifiedHeader: the file’s last modification time — a UNIX timestamp,
  • surlKey: the normalised path of the file.

For example:

sFileKey: icon-231203135022Z-146.bmp
slastModifiedHeader: 1681225925
surlKey: /C/Users/%USERNAME%/Desktop/readme.pdf
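
The following is an added example, not code from the original post: it joins exported cIconCache values with the BMP names found in ConnectorIcons, decoding both timestamps to UTC and listing thumbnails that no registry entry references. The first sample entry is the post's own example; the second entry, the extra BMP name and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

ICON_RE = re.compile(r"^icon-(\d{12})Z-(\d+)\.bmp$", re.IGNORECASE)

def parse_icon_name(name):
    """Return (UTC time embedded in the name, trailing integer), or None."""
    m = ICON_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc), int(m.group(2))

def windows_path(surl_key):
    """Map the normalised '/C/Users/...' form back to a drive-letter path."""
    m = re.match(r"^/([A-Za-z])/(.*)$", surl_key)
    if not m:
        return surl_key  # unexpected form: report it unchanged
    return m.group(1).upper() + ":\\" + m.group(2).replace("/", "\\")

def correlate(registry_entries, bmp_names):
    """Join cIconCache values with the BMP names found in ConnectorIcons."""
    on_disk = {n.lower() for n in bmp_names}
    referenced = {e["sFileKey"].lower() for e in registry_entries}
    rows = []
    for e in registry_entries:
        parsed = parse_icon_name(e["sFileKey"])
        rows.append({
            "pdf": windows_path(e["surlKey"]),
            "pdf_modified_utc": datetime.fromtimestamp(
                int(e["slastModifiedHeader"]), tz=timezone.utc),
            "icon_time_utc": parsed[0] if parsed else None,
            "thumbnail_on_disk": e["sFileKey"].lower() in on_disk,
        })
    # Second item: BMP files that no registry entry points to.
    return rows, sorted(n for n in bmp_names if n.lower() not in referenced)

# First entry is the post's example; everything else is constructed sample data.
SAMPLE_REGISTRY = [
    {"sFileKey": "icon-231203135022Z-146.bmp", "slastModifiedHeader": "1681225925",
     "surlKey": "/C/Users/%USERNAME%/Desktop/readme.pdf"},
    {"sFileKey": "icon-240105091500Z-12.bmp", "slastModifiedHeader": "1704445000",
     "surlKey": "/D/scans/contract.pdf"},
]
SAMPLE_BMPS = ["icon-231203135022Z-146.bmp", "icon-240212180301Z-7.bmp"]

if __name__ == "__main__":
    print(correlate(SAMPLE_REGISTRY, SAMPLE_BMPS))
```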

On Android, too! 📱

The Android version of Acrobat Reader creates and uses thumbnails for the same purpose. These are cached in an SQLite database located in the app-specific storage provided by the Android OS, such as:

/data/data/com.adobe.reader/databases/com.adobe.reader.filebrowser.ARThumbnailDatabase

The thumbnails are stored as Base64-encoded PNG images in a table called ARThumbnailTable, identified by the path of the PDF file they represent.

These thumbnails are somewhat larger compared to those generated by the Windows version — the images in the database shown above were all padded to 241x341px by the application.
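
As an added example (not from the original post), this pulls the thumbnails out of a copy of the database. The post does not give the column names of ARThumbnailTable, so the code tests every column for a Base64-encoded PNG and keeps the remaining columns as metadata; the in-memory sample database, its column names `path` and `thumb`, and the PDF path are constructed stand-ins.

```python
import base64
import binascii
import sqlite3
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def decode_png(value):
    """Return (png_bytes, (width, height)) for a Base64-encoded PNG, else None."""
    if not isinstance(value, (str, bytes)):
        return None
    try:
        blob = base64.b64decode(value)  # tolerates embedded line breaks
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 24 or not blob.startswith(PNG_MAGIC) or blob[12:16] != b"IHDR":
        return None
    return blob, struct.unpack(">II", blob[16:24])  # IHDR width and height

def extract_thumbnails(conn, table="ARThumbnailTable"):
    """Return one record per row: decoded PNG, its size, and the other columns."""
    cur = conn.execute(f'SELECT * FROM "{table}"')
    cols = [d[0] for d in cur.description]
    out = []
    for row in cur:
        rec = {"meta": {}, "png": None, "size": None}
        for col, val in zip(cols, row):
            hit = decode_png(val)
            if hit and rec["png"] is None:
                rec["png"], rec["size"] = hit
            else:
                rec["meta"][col] = val
        out.append(rec)
    return out

def sample_db():
    """Constructed stand-in database; the column names here are hypothetical."""
    # Stub image: PNG signature plus IHDR fields only, enough to read the size.
    stub = PNG_MAGIC + struct.pack(">I4sIIBBBBB", 13, b"IHDR", 241, 341, 8, 2, 0, 0, 0)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ARThumbnailTable (path TEXT, thumb TEXT)")
    conn.execute("INSERT INTO ARThumbnailTable VALUES (?, ?)",
                 ("/storage/emulated/0/Download/readme.pdf",
                  base64.b64encode(stub).decode()))
    return conn

if __name__ == "__main__":
    for rec in extract_thumbnails(sample_db()):
        print(rec["meta"], rec["size"], len(rec["png"]), "bytes")
```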

Wrapping Up & Image Similarity?

The Connector Icon cache’s metadata provides DFIR investigators with additional indicators of activity related to PDF documents:

  • A thumbnail image of the document’s first page is kept in the AppData folder, and
  • the path and last modification time of the PDF file are kept in a registry entry.

These two entries are linked by the thumbnail image’s filename.

In real-life cases, it can easily happen that only this kind of PDF-file metadata is available to the forensic analyst. Granted, usually the size of the thumbnail image is way too small to prove anything. However, if we are able to collect all those PDF files which the specific thumbnail could be related to, it might make sense to try an approach involving image similarity.

We just need to create our own thumbnails of the PDF files at hand using ImageMagick for instance, then read up on image hashing. (Note that anything involving deep learning is not what this task requires.)

Ultimately it should only take a few dozen lines of code to find which documents look similar to the one our snapshot was originally taken of.
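
One way to do that comparison, as an added example that is not part of the original post: a difference hash (dHash, my choice here; the post does not name a specific hash) computed over grayscale pixel grids, then ranked by Hamming distance. It assumes the recovered thumbnail and your own first-page renderings have already been loaded as rows of grayscale values; the two "pages" and their file names below are constructed test patterns.

```python
def shrink(pixels, out_w, out_h):
    """Box-average a 2D list of grayscale values down to out_w x out_h."""
    h, w = len(pixels), len(pixels[0])
    out = []
    for r in range(out_h):
        y0 = r * h // out_h
        y1 = max((r + 1) * h // out_h, y0 + 1)
        row = []
        for c in range(out_w):
            x0 = c * w // out_w
            x1 = max((c + 1) * w // out_w, x0 + 1)
            block = [pixels[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def dhash(pixels, size=8):
    """64-bit difference hash: one bit per 'left cell brighter than right cell'."""
    bits = 0
    for row in shrink(pixels, size + 1, size):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def rank(thumbnail, candidates):
    """Return (distance, name) pairs, most similar candidate first."""
    target = dhash(thumbnail)
    return sorted((hamming(target, dhash(px)), name) for name, px in candidates.items())

def render(dark_cells, scale, shift=0):
    """Constructed test page: 9x8 cells of `scale` pixels, dark at (col, row)."""
    return [[(30 if (x // scale, y // scale) in dark_cells else 240) + shift
             for x in range(9 * scale)] for y in range(8 * scale)]

# Constructed layouts: a title bar with text lines, and an image block with one line.
REPORT = {(c, 0) for c in range(2, 7)} | {(c, r) for r in (2, 4, 6) for c in range(1, 8)}
INVOICE = {(c, r) for r in range(1, 5) for c in range(5, 9)} | {(c, 6) for c in range(4)}
CANDIDATES = {"report.pdf": render(REPORT, 8), "invoice.pdf": render(INVOICE, 8)}
THUMB = render(REPORT, 4, shift=15)  # half-size, brighter copy of the first page

if __name__ == "__main__":
    print(rank(THUMB, CANDIDATES))
```

On real renderings the best match will usually have a small nonzero distance rather than 0, so compare candidates by rank instead of a fixed cutoff.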

  • Adobe Acrobat Reader (Android) 24.1.0.30990
  • Adobe Acrobat Reader (Windows) 23.6.20380.0.

“Adobe, Document Cloud, the Adobe logo, Acrobat are either registered trademarks or trademarks of Adobe in the United States and/or other countries.”

“Android is a trademark of Google LLC.”

“Microsoft, Windows are trademarks of the Microsoft group of companies.”
