According to the CHFI v11 objectives under File Type Analysis and Malware Forensics, understanding the internal structure of a PDF file is critical when investigating malicious documents. A standard PDF file consists of four main components: Header, Body, Cross-reference table (xref), and Trailer (Footer). Among these, the cross-reference table (xref table) plays a pivotal forensic role.
The xref table contains byte offsets for every object stored in the PDF file, allowing the PDF reader, and forensic investigators, to locate objects directly without reading the entire file sequentially. This enables random access to objects such as text streams, images, embedded files, JavaScript, and form objects. Additionally, the xref table supports incremental updates, a mechanism frequently abused by attackers to append malicious content to a legitimate PDF without altering the original data. By analyzing multiple xref sections, investigators can identify document revisions, hidden objects, and malicious insertions.
The Header (Option A) only specifies the PDF version, the Body (Option C) contains the actual objects, and the Footer/Trailer (Option D) points to the xref table but does not provide object indexing itself.
CHFI v11 explicitly emphasizes xref table analysis when examining suspicious PDF documents, as it is essential for detecting embedded malware, tracing document modifications, and reconstructing attack timelines. Therefore, the cross-reference table (xref table) is the correct and exam-aligned answer.
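The following Python sketch is an added example, not part of the CHFI material. It shows how an examiner can walk the xref sections of a PDF from the last `startxref` back through each trailer's `/Prev` entry and list which objects an incremental update added or redefined. The function names and the two-revision sample file are constructed for illustration, and only classic xref tables are handled (PDF 1.5+ xref streams raise an error instead of being parsed).

```python
import re

def parse_xref(data, offset):
    """Parse one classic xref table; return ({obj: (offset, gen, kind)}, /Prev)."""
    if data[offset:offset + 4] != b"xref":
        raise ValueError(f"no xref table at {offset}: xref stream or damaged file")
    trailer_at = data.index(b"trailer", offset)
    tok, entries = iter(data[offset + 4:trailer_at].split()), {}
    for first in tok:  # each subsection starts with "<first object> <count>"
        for num in range(int(first), int(first) + int(next(tok))):
            entries[num] = (int(next(tok)), int(next(tok)), next(tok).decode())
    trailer = data[trailer_at:data.index(b"startxref", trailer_at)]
    prev = re.search(rb"/Prev\s+(\d+)", trailer)
    return entries, int(prev.group(1)) if prev else None

def xref_revisions(data):
    """Follow the last startxref and each /Prev; return revisions oldest first."""
    start, seen, revs = int(re.findall(rb"startxref\s+(\d+)", data)[-1]), set(), []
    while start is not None and start not in seen:  # guard against /Prev loops
        seen.add(start)
        entries, prev = parse_xref(data, start)
        revs.append({"xref_offset": start, "entries": entries})
        start = prev
    return revs[::-1]

def changed_objects(revs):
    """List (revision, object number, action) for objects touched by updates."""
    known, report = set(revs[0]["entries"]), []
    for rev_no, rev in enumerate(revs[1:], start=2):
        nums = sorted(rev["entries"])
        report += [(rev_no, n, "redefined" if n in known else "added") for n in nums]
        known |= set(nums)
    return report

def build_sample():
    """Constructed two-revision PDF (not a real sample): original plus one update."""
    out = bytearray(b"%PDF-1.4\n")
    def obj(num, body):
        off = len(out)
        out.extend(b"%d 0 obj\n%s\nendobj\n" % (num, body))
        return off
    o1, o2 = obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"), obj(2, b"<< /Type /Pages /Count 0 >>")
    x1 = len(out)
    out.extend(b"xref\n0 3\n0000000000 65535 f \n%010d 00000 n \n%010d 00000 n \n" % (o1, o2))
    out.extend(b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % x1)
    # Appended revision: catalog redefined with /OpenAction, new action object 3
    n1, n3 = obj(1, b"<< /Type /Catalog /OpenAction 3 0 R >>"), obj(3, b"<< /S /JavaScript /JS () >>")
    x2 = len(out)
    out.extend(b"xref\n1 1\n%010d 00000 n \n3 1\n%010d 00000 n \n" % (n1, n3))
    out.extend(b"trailer\n<< /Size 4 /Root 1 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (x1, x2))
    return bytes(out)
```

On the constructed sample, `changed_objects(xref_revisions(build_sample()))` reports object 1 as redefined and object 3 as added in revision 2, which is the pattern to look for when a catalog gains an action after the original document was written.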