// evidence type
pdf / office document
disputed contract · forged invoice · incremental-save pdf · docx with tracked changes. object trees, revision ghosts, signature chains, metadata genealogy.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- pdf forensics: drop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
- pdf object explorer: drop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
- pdf incremental update forensic analyzer: drop pdf file · detect and analyze incremental updates appended to the pdf · reconstruct the document modification history · surface what changed between each update · identify signature bypass attacks via incremental updates · runs locally
- pdf author and revision metadata deep analyzer: drop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author software version revision count and producer chain · runs locally
- pdf digital signature chain analyzer: drop pdf file · extract and analyze all digital signatures · validate signature structure · reconstruct certificate chains · surface signer identity timestamps and what content was signed · runs locally
- office document version ghost content extractor: drop doc xls ppt ole2 office files · scan free sectors · padding slack · recover ghost text from previous saves · runs locally
- document metadata genealogy tracer: drop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
- tracked changes forensic reconstructor: drop docx file · extract all tracked insertions deletions and format changes · reconstruct the full editing history by author · surface deleted content and identify who removed what · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- ooxml hidden content extractor: drop docx xlsx pptx file · extract all hidden text rows columns slides and layers · surface content invisible in normal view · identify data intentionally hidden within the document structure · runs locally
- office document revision history extractor: drop docx xlsx pptx or odt file · extract full revision and version history metadata · reconstruct authorship timeline · surface who created modified and saved the document and when · runs locally
- embedded ole object extractor: drop docx xlsx pptx or doc xls ppt file · extract all embedded ole objects · identify embedded documents executables and packages · compute hashes · surface embedded objects with suspicious types or contents · runs locally
- document metadata inconsistency finder: drop docx xlsx pptx pdf · core app props vs pdf info · temporal author revision heuristics · tracked changes timeline · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally