// case type

document forgery / disputed authenticity

is this PDF / docx genuine? revision history, metadata genealogy, ghost text, embedded objects, signature chains.

tools: 15
priority: M
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. pdf object explorer: drop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
  2. pdf forensics: drop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
  3. pdf incremental update forensic analyzer: drop pdf file · detect and analyze incremental updates appended to the pdf · reconstruct the document modification history · surface what changed between each update · identify signature bypass attacks via incremental updates · runs locally
  4. pdf author and revision metadata deep analyzer: drop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
  5. pdf digital signature chain analyzer: drop pdf file · extract and analyze all digital signatures · validate signature structure · reconstruct certificate chains · surface signer identity timestamps and what content was signed · runs locally
  6. office document version ghost content extractor: drop doc xls ppt ole2 office files · scan free sectors · padding slack · recover ghost text from previous saves · runs locally
  7. document metadata genealogy tracer: drop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
  8. tracked changes forensic reconstructor: drop docx file · extract all tracked insertions deletions and format changes · reconstruct the full editing history by author · surface deleted content and identify who removed what · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. ooxml hidden content extractor: drop docx xlsx pptx file · extract all hidden text rows columns slides and layers · surface content invisible in normal view · identify data intentionally hidden within the document structure · runs locally
  2. office coauthoring session artifact extractor: drop docx xlsx pptx · coauthoring session data · user identity guids · session timestamps · edit attribution per section · survives track changes acceptance · runs locally
  3. office document revision history extractor: drop docx xlsx pptx or odt file · extract full revision and version history metadata · reconstruct authorship timeline · surface who created modified and saved the document and when · runs locally
  4. embedded ole object extractor: drop docx xlsx pptx or doc xls ppt file · extract all embedded ole objects · identify embedded documents executables and packages · compute hashes · surface embedded objects with suspicious types or contents · runs locally
  5. document template origin tracer: drop docx or dotx file · extract template attachment information · trace document lineage to original template · identify template server paths revealing organizational infrastructure · surface template metadata for attribution · runs locally
  6. document metadata inconsistency finder: drop docx xlsx pptx pdf · core app props vs pdf info · temporal author revision heuristics · tracked changes timeline · runs locally
  7. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • document forgery — authenticity kit

    8 steps

    drop disputed PDFs → object forensics → incremental updates → author metadata → stego surface scan → signature chain → genealogy → report

    1. evidence-manifest-generator: hash every PDF before any parsing — baseline for chain-of-custody
    2. pdf-forensics: object tree, streams, embedded files, javascript actions
    3. pdf-incremental-update-analyzer: detect post-creation edits saved as incremental updates
    4. pdf-author-revision-metadata-analyzer: author / producer / creation-modification timestamp conflicts
    5. pdf-stego-checker: whitespace ratios, invisible text operators, stream trailer anomalies
    6. pdf-digital-signature-chain-analyzer: validate signature chains and certificate coverage
    7. document-metadata-genealogy-tracer: trace metadata lineage across related documents in the input set
    8. case-report-generator: draft a report summarizing edit history + authenticity red flags
  • stego — image extract + sweep

    5 steps

    drop PNG/BMP → LSB extract with options → brute-force common stego paths → report

    1. evidence-manifest-generator: hash images before extraction attempts
    2. lsb-stego-extractor: configurable LSB bit extraction — magic header detection
    3. stego-brute-forcer: sweep OpenStego / SilentEye / LSB combo paths + optional wordlist file
    4. image-stego-detector: chi-square / RS statistical stego detection on decoded pixels
    5. case-report-generator: draft a report on extracted payloads and statistical stego signals
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 14 more in this pattern match. browse the full forensics catalog via the forensics category.
