According to the CHFI v11 objectives under File Type Analysis and Malware Forensics, understanding the internal structure of a PDF file is critical when investigating malicious documents. A standard PDF file consists of four main components: Header, Body, Cross-reference table (xref), and Trailer (Footer). Among these, the cross-reference table (xref table) plays a pivotal forensic role.
The xref table contains byte offsets for every object stored in the PDF file, allowing the PDF reader (and forensic investigators) to locate objects directly without reading the entire file sequentially. This enables random access to objects such as text streams, images, embedded files, JavaScript, and form objects. Additionally, the xref table supports incremental updates, a mechanism frequently abused by attackers to append malicious content to a legitimate PDF without altering the original data. By analyzing multiple xref sections, investigators can identify document revisions, hidden objects, and malicious insertions.
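The revision analysis described above can be sketched as follows. This is an added example, not part of the original explanation: it walks the xref sections of a small constructed PDF from newest to oldest and reports which objects each revision adds or redefines. The names `build_sample`, `parse_xref`, `audit` and `RISKY` are hypothetical, and only classic xref tables are handled, not xref streams.

```python
import re
RISKY = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile")

def build_sample():  # constructed two-revision PDF: base document + one incremental update
    def section(buf, objs, size, prev=None):
        rows = b"0 1\n0000000000 65535 f \n" if prev is None else b""
        for num, body in objs.items():                # record each object's byte offset
            rows += b"%d 1\n%010d 00000 n \n" % (num, len(buf))
            buf += b"%d 0 obj\n%s\nendobj\n" % (num, body)
        xref_at = len(buf)
        link = b" /Prev %d" % prev if prev is not None else b""
        buf += b"xref\n%strailer\n<< /Size %d /Root 1 0 R%s >>\nstartxref\n%d\n%%%%EOF\n" % (rows, size, link, xref_at)
        return buf, xref_at
    pdf, first = section(b"%PDF-1.7\n", {1: b"<< /Type /Catalog /Pages 2 0 R >>",
                                          2: b"<< /Type /Pages /Kids [] /Count 0 >>"}, 3)
    pdf, _ = section(pdf, {1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
                           3: b"<< /S /JavaScript /JS (constructed placeholder) >>"}, 4, first)
    return pdf

def parse_xref(pdf, pos):
    """Return ({object number: byte offset} for in-use entries, /Prev offset or None)."""
    end = pdf.index(b"trailer", pos)                  # classic table only, no xref streams
    tok, entries, i = pdf[pos + 4:end].split(), {}, 0
    while i < len(tok):                               # subsection header: first, count
        first, count = int(tok[i]), int(tok[i + 1])
        for k in range(count):                        # entry: offset, generation, n|f
            off, _gen, kind = tok[i + 2 + 3 * k:i + 5 + 3 * k]
            if kind == b"n":
                entries[first + k] = int(off)
        i += 2 + 3 * count
    prev = re.search(rb"/Prev\s+(\d+)", pdf[end:pdf.index(b"%%EOF", end)])
    return entries, int(prev.group(1)) if prev else None

def audit(pdf):
    """Walk the /Prev chain, then report per revision what each xref section indexes."""
    pos, chain, visited = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1]), [], set()
    while pos is not None and pos not in visited:     # guard against a looping /Prev
        visited.add(pos)
        entries, pos = parse_xref(pdf, pos)
        chain.append(entries)
    findings, seen = [], set()
    for rev, entries in enumerate(reversed(chain)):   # oldest revision first
        for num, off in sorted(entries.items()):
            valid = re.match(rb"%d\s+\d+\s+obj" % num, pdf[off:off + 32]) is not None
            body = pdf[off:pdf.find(b"endobj", off)]
            flags = [k.decode() for k in RISKY if k in body]
            findings.append((rev, num, "redefined" if num in seen else "new", valid, flags))
        seen |= set(entries)
    return findings
```

Each tuple in the result is (revision, object number, new or redefined, whether the recorded offset really points at that object, keys of interest found in it); an offset that does not resolve to its object is itself worth a closer look.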
The Header (Option A) only specifies the PDF version, the Body (Option C) contains the actual objects, and the Footer/Trailer (Option D) points to the xref table but does not provide object indexing itself.
CHFI v11 explicitly emphasizes xref table analysis when examining suspicious PDF documents, as it is essential for detecting embedded malware, tracing document modifications, and reconstructing attack timelines. Therefore, the cross-reference table (xref table) is the correct and exam-aligned answer.