// case type
invoice fraud / vendor account change
fraudulent invoice + bank-detail-change request. tightly coupled to BEC but specifically about the paid-invoice artifact and approval chain.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- email header analyzerpaste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
- email thread reconstructordrop multiple .eml files · Message-ID References In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
- .eml / .msg email header chain analyzerdrop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
- pdf object explorerdrop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
- pdf forensicsdrop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
- pdf author and revision metadata deep analyzerdrop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
- document metadata genealogy tracerdrop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
- document metadata inconsistency finderdrop docx xlsx pptx pdf · core app props vs pdf info · temporal author revision heuristics · tracked changes timeline · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- tracked changes forensic reconstructordrop docx file · extract all tracked insertions deletions and format changes · reconstruct the full editing history by author · surface deleted content and identify who removed what · runs locally
- office document version ghost content extractordrop doc xls ppt ole2 office files · scan free sectors · padding slack · recover ghost text from previous saves · runs locally
- pdf digital signature chain analyzerdrop pdf file · extract and analyze all digital signatures · validate signature structure · reconstruct certificate chains · surface signer identity timestamps and what content was signed · runs locally
- case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
invoice fraud — document kit
7 stepsdrop fraudulent invoice PDFs + related .eml → headers → PDF forensics → stego scan → metadata genealogy → report
- 01evidence-manifest-generatorhash invoices + email exports — wire-fraud cases live or die on document integrity
- 02email-header-analyzervalidate the approval-chain email headers for spoofing
- 03pdf-forensicsobject-level inspection of the invoice PDF structure
- 04pdf-author-revision-metadata-analyzercreation vs modification timestamps and author/producer mismatches
- 05pdf-stego-checkercovert-channel surface scan — tampered invoices sometimes hide payload in whitespace
- 06document-metadata-genealogy-tracercompare metadata across the invoice set for template reuse
- 07case-report-generatordraft a report for finance + legal on document authenticity red flags