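Forensic Analyzer
ForensicAnalyzer is NextPDF Enterprise's PDF digital forensics tool. It fully reconstructs a document's revision history, detects any object-level change, and identifies post-signature modifications. These are core capabilities for legal e-Discovery, compliance audits, and security investigations.
Forensic capabilities overview
| Capability | Description |
|---|---|
| Revision timeline reconstruction | Parses all incremental updates and rebuilds a snapshot of each revision |
| Object change detection | Compares object-level differences between any two versions |
| Post-signature modification detection | Identifies document modifications made after a digital signature was applied (Incremental Save Attack) |
| Metadata consistency analysis | Compares XMP metadata, the Info dictionary, and the timestamps of the actual content |
| Hidden object discovery | Finds orphaned objects, unreferenced streams, and cross-reference table inconsistencies |
| Font / image tracking | Identifies font resources inserted later and image replacements |
| Authoring tool identification | Identifies the generating tool from the Producer / Creator fields and structural characteristics |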
Core API
ForensicAnalyzer
```php
use NextPDF\Enterprise\Security\Forensics\ForensicAnalyzer;
use NextPDF\Enterprise\Security\Forensics\ForensicReport;

// $pdfBytes holds the raw bytes of the PDF under examination.
$analyzer = new ForensicAnalyzer(
    analyzeIncrementalUpdates: true,
    detectSignatureBypass: true,
    extractHiddenObjects: true,
    crossRefAnomalyDetection: true,
);

$report = $analyzer->analyze($pdfBytes);

echo $report->revisionCount(), PHP_EOL;                           // total number of revisions
echo $report->hasPostSignatureChanges() ? 'yes' : 'no', PHP_EOL;  // whether there are post-signature changes
echo $report->riskScore(), PHP_EOL;                               // risk score, 0-100
echo $report->trustLevel()->name, PHP_EOL;                        // TRUSTED | SUSPICIOUS | COMPROMISED
```
PHP Compatibility
This example uses PHP 8.5 syntax. If your environment runs PHP 8.1 or 7.4, use NextPDF Backport for a backward-compatible build.
Revision timeline
```php
use NextPDF\Enterprise\Security\Forensics\RevisionTimeline;

$timeline = $report->revisionTimeline();

foreach ($timeline->revisions() as $revision) {
    echo sprintf(
        'Revision %d: %s — %d objects changed, author: %s, tool: %s',
        $revision->number(),
        $revision->timestamp()?->format('c') ?? '(no timestamp)',
        count($revision->changedObjects()),
        $revision->claimedAuthor() ?? '(unknown)',
        $revision->producerTool() ?? '(unknown)',
    ), PHP_EOL;

    // Object changes in each revision
    foreach ($revision->changedObjects() as $change) {
        echo sprintf(
            ' obj %s: %s → %s',
            $change->objectRef(),
            $change->previousType()->name,
            $change->currentType()->name,
        ), PHP_EOL;
    }
}
```
Object change detection
```php
use NextPDF\Enterprise\Security\Forensics\ObjectDiff;

// Compare two specific revisions
$diff = $analyzer->diff(
    fromRevision: 2,
    toRevision: 5,
    pdfBytes: $pdfBytes,
);

foreach ($diff->changes() as $change) {
    echo $change->objectRef(), PHP_EOL;          // e.g. "obj 42 0"
    echo $change->changeType()->name, PHP_EOL;   // ADDED | MODIFIED | DELETED | REPLACED
    echo $change->contentHash(), PHP_EOL;        // content hash (usable for comparison)

    if ($change->isContentModified()) {
        echo $change->previousContentSummary(), PHP_EOL;
        echo $change->currentContentSummary(), PHP_EOL;
    }
}
```
Post-signature modification detection
This is the highest-priority forensic capability. It identifies the "Incremental Save Attack", in which an attacker appends an incremental update to an already signed document to change its content while the signature still shows as valid:
```php
use NextPDF\Enterprise\Security\Forensics\SignatureCoverageAnalyzer;

$coverageAnalyzer = new SignatureCoverageAnalyzer();
$coverageResult = $coverageAnalyzer->analyze($pdfBytes);

foreach ($coverageResult->signatures() as $sig) {
    echo sprintf(
        'Signature "%s" by %s covers %d%% of document bytes',
        $sig->fieldName(),
        $sig->signerDN(),
        $sig->coveragePercent(),
    ), PHP_EOL;

    if ($sig->hasUncoveredModifications()) {
        echo '⚠ ALERT: Post-signature modifications detected!', PHP_EOL;
        foreach ($sig->uncoveredChanges() as $change) {
            echo ' Modified: ' . $change->objectRef() . ' (' . $change->summary() . ')', PHP_EOL;
        }
    }
}
```
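What signature coverage means at the byte level, as an added example that is not NextPDF code: a signature's `/ByteRange [a b c d]` lists the two byte spans it signs, so any bytes after offset `c + d` were appended after signing. The function name, result keys and the skeletal sample bytes are constructed for illustration, and the regex scan assumes the signature dictionary is stored uncompressed.

```php
<?php
declare(strict_types=1);

/**
 * Illustrative helper (not part of NextPDF): for every /ByteRange found,
 * report how much of the file is signed and what was appended afterwards.
 */
function signatureCoverage(string $pdf): array
{
    $size = strlen($pdf);
    $results = [];
    preg_match_all('~/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]~', $pdf, $m, PREG_SET_ORDER);
    foreach ($m as [, $a, $b, $c, $d]) {
        [$a, $b, $c, $d] = array_map('intval', [$a, $b, $c, $d]);
        $end = $c + $d; // first byte offset NOT covered by this signature
        // A sane range starts at 0, does not overlap itself, and stays inside the file.
        $valid = $a === 0 && $a + $b <= $c && $end <= $size;
        $results[] = [
            'valid'          => $valid,
            // The /Contents gap between the two spans is never signed, so this stays below 100.
            'signedPercent'  => $size > 0 ? intdiv(($b + $d) * 100, $size) : 0,
            'trailingBytes'  => max(0, $size - $end),
            // Each incremental update ends with its own %%EOF marker.
            'laterRevisions' => $valid ? substr_count($pdf, '%%EOF', $end) : 0,
        ];
    }
    return $results;
}

// Constructed sample: a skeletal signed revision, not a parseable PDF.
$tpl  = "%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents ";
$gap  = '<' . str_repeat('0', 32) . '>';      // placeholder for the signature value
$tail = " >>\nendobj\n%%EOF\n";
$b    = strlen(sprintf($tpl, 0, 0, 0));       // bytes before the /Contents value
$c    = $b + strlen($gap);                    // offset where the second span starts
$signed   = sprintf($tpl, $b, $c, strlen($tail)) . $gap . $tail;
// Constructed incremental update appended after signing.
$tampered = $signed . "2 0 obj\n<< /Type /Page >>\nendobj\n%%EOF\n";

foreach (['signed' => $signed, 'tampered' => $tampered] as $label => $pdf) {
    foreach (signatureCoverage($pdf) as $r) {
        printf("%-8s valid=%s signed=%d%% trailing=%d later-revisions=%d\n",
            $label, $r['valid'] ? 'yes' : 'no', $r['signedPercent'],
            $r['trailingBytes'], $r['laterRevisions']);
    }
}
```

Trailing bytes alone do not prove tampering, since later signatures are also appended as incremental updates; they mark the revisions whose object changes need review.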
Forensic report generation
```php
use NextPDF\Enterprise\Security\Forensics\ForensicReportBuilder;

// Generate a forensic report suitable for submission to a court
$evidenceReport = ForensicReportBuilder::create($report)
    ->withExaminerInfo(
        name: 'Dr. Chen Wei-Ming',
        credentials: 'CFCE, EnCE',
        organization: 'Digital Forensics Lab',
    )
    ->withCaseInfo(
        caseNumber: '2025-CF-00789',
        examDate: new DateTimeImmutable(),
        methodology: 'ISO/IEC 27037:2012',
    )
    ->includeTimeline()
    ->includeObjectDiff()
    ->includeSignatureCoverage()
    ->includeRawHexSamples(maxBytes: 256)
    ->buildAsPdf();
```
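Risk score reference
| Score range | Trust Level | Example trigger conditions |
|---|---|---|
| 0–20 | TRUSTED | Single revision, signature covers the whole document, metadata consistent |
| 21–50 | LOW_RISK | Multiple revisions, all before signing; generating tool known |
| 51–75 | SUSPICIOUS | Incremental updates after signing; metadata timestamps inconsistent |
| 76–100 | COMPROMISED | Content modified after signing, hidden objects, corrupted cross-reference table |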