fatcousin
// case comparison

doc forgery vs invoice fraud

a disputed PDF arrives — is it a forged contract or a fraudulent invoice with swapped bank details? both touch PDF metadata, but document forgery is authenticity and revision genealogy; invoice fraud is AP payment redirect and vendor approval chain. counsel and AP need different proof frames.

primary tools · side by side

ordered entry points from the case-type taxonomy. highlighted rows appear in both case types' editorial tool lists.

case a

document forgery / disputed authenticity

is this PDF / docx genuine? revision history, metadata genealogy, ghost text, embedded objects, signature chains.

  1. 01pdf object explorerdrop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
  2. 02pdf forensicsdrop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
  3. 03pdf incremental update forensic analyzerdrop pdf file · detect and analyze incremental updates appended to the pdf · reconstruct the document modification history · surface what changed between each update · identify signature bypass attacks via incremental updates · runs locally
  4. 04pdf author and revision metadata deep analyzerdrop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
  5. 05pdf digital signature chain analyzerdrop pdf file · extract and analyze all digital signatures · validate signature structure · reconstruct certificate chains · surface signer identity timestamps and what content was signed · runs locally
  6. 06office document version ghost content extractordrop doc xls ppt ole2 office files · scan free sectors · padding slack · recover ghost text from previous saves · runs locally
  7. 07document metadata genealogy tracerdrop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
  8. 08tracked changes forensic reconstructordrop docx file · extract all tracked insertions deletions and format changes · reconstruct the full editing history by author · surface deleted content and identify who removed what · runs locally
case b

invoice fraud / vendor account change

fraudulent invoice + bank-detail-change request. tightly coupled to BEC but specifically about the paid-invoice artifact and approval chain.

  1. 01email header analyzerpaste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. 02email thread reconstructordrop multiple .eml files · Message-ID References In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
  3. 03.eml / .msg email header chain analyzerdrop eml or msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
  4. 04pdf object explorerdrop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
  5. 05pdf forensicsdrop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
  6. 06pdf author and revision metadata deep analyzerdrop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
  7. 07document metadata genealogy tracerdrop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
  8. 08document metadata inconsistency finderdrop docx xlsx pptx pdf · core app props vs pdf info · temporal author revision heuristics · tracked changes timeline · runs locally

editorial overlap

10 tools mapped to both case types in the editorial taxonomy — useful when the investigation spans both surfaces.
document metadata genealogy traceroffice document version ghost content extractorfatcousin cross export ioc hash correlatorfatcousin multi tool super timeline correlatordocument metadata inconsistency finderpdf author and revision metadata deep analyzerpdf digital signature chain analyzerpdf forensicspdf object explorertracked changes forensic reconstructor

lean toward…

disambiguation signals derived from case-type descriptions and common practitioner confusion points.

lean toward doc forgery if you see…

  • ghost text layers, incremental update stack, or signature-chain break on disputed contract or deed PDF
  • PDF revision genealogy anomaly without AP vendor bank-change workflow or bill.com audit trail
  • document-version ghost extractor artifacts — authenticity dispute, not payment redirect chain

lean toward invoice fraud if you see…

  • vendor bank-detail change request embedded in invoice PDF with AP approval-chain tamper
  • bill.com or AP audit log vendor bank-change anomaly tied to paid-invoice artifact
  • invoice PDF revision with routing-number edit in ERP/AP export — not standalone contract authenticity dispute
ready