I am currently attempting to recover PDF files using computer forensic software and have some questions regarding the PDF specification. In order to successfully recover any file, I need to identify the file header and file footer and then extract the data in between these two addresses. I can successfully identify the PDF header (%PDF-1.x where x is an integer); however, the footer, or trailer as Adobe's specification refers to it, isn't as definitive. While I can identify the trailer as %%EOF, there can be numerous trailers interspersed throughout the PDF file. Since I am using this trailer signature to identify the true end of file, is there anything that distinguishes this signature from the preceding EOFs? In other words, is there a difference between the actual PDF End Of File (EOF) marker and the EOF marker used to separate updates? Thanks in advance!
-Joel
-Joel