// first 10 minutes
document forgery / disputed authenticity — quick-start
document forgery — first 10 minutes. don't open originals in editing software. print this, check boxes, then run the primary tools.
checklist
- do not open the suspect document in Word, Acrobat in edit mode, or any tool that may alter metadata — open read-only or with a forensic viewer.
- hash the suspect document with SHA-256 before any analysis — the hash is the first link in the custody chain.
- export document properties: author, created date, modified date, last-printed date, company, and revision count.
- note whether the font, layout, or template matches the purported issuing organization's known letterhead style.
- extract embedded objects from PDFs — images, fonts, and attachments may carry timestamps or source metadata.
- compare document metadata dates to the claimed execution date — backdated documents often have creation dates after the claimed date.
- identify any whiteout, text-over-image, or invisible-layer artifacts — common in scanned-then-retyped forgeries.
- pull certificate chain for digitally signed PDFs — note signer, certificate authority, timestamp, and validity period.
- if a wet-ink signature is in dispute: note paper texture, signature ink color, and margin alignment with the body text.
- begin the primary tool path below — PDF forensics tool and document metadata extractor.
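
The hashing, date-comparison and incremental-update checks from the list above, as an added example (not part of the original page or of any tool listed below). The function names, sample bytes and claimed date are constructed; it assumes the dates sit uncompressed in the Info dictionary.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample: minimal PDF-like bytes with one appended incremental update.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Producer (ExampleWriter 1.0)"
    b" /CreationDate (D:20230412093000Z) /ModDate (D:20230412093000Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
    b"1 0 obj\n<< /Producer (ExampleWriter 1.0)"
    b" /CreationDate (D:20230412093000Z) /ModDate (D:20230630171500Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R /Prev 0 >>\n%%EOF\n"
)

# Matches literal-string PDF dates; the timezone suffix is ignored (day-level check).
PDF_DATE = re.compile(rb"/(CreationDate|ModDate)\s*\(D:(\d{14})")

def triage(data: bytes, claimed: str) -> dict:
    """Hash the raw bytes, then compare embedded dates to the claimed date."""
    claimed_day = datetime.strptime(claimed, "%Y-%m-%d").date()
    dates = {"CreationDate": [], "ModDate": []}
    for key, stamp in PDF_DATE.findall(data):
        parsed = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%S")
        dates[key.decode()].append(parsed)
    flags = []
    revisions = data.count(b"%%EOF")  # one end-of-file marker per saved revision
    if revisions > 1:
        flags.append(f"{revisions - 1} incremental update(s) appended")
    if any(d.date() > claimed_day for d in dates["CreationDate"]):
        flags.append("creation date after claimed execution date")
    if any(d.date() > claimed_day for d in dates["ModDate"]):
        flags.append("modified after claimed execution date")
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "revisions": revisions, "dates": dates, "flags": flags}

def triage_file(path: str, claimed: str) -> dict:
    """Open read-only in binary mode; the file is never written back."""
    with open(path, "rb") as fh:
        return triage(fh.read(), claimed)

if __name__ == "__main__":
    for field, value in triage(SAMPLE, "2023-03-01").items():
        print(field, value)
```

Treat each flag as a lead to follow with the tools below: linearized PDFs legitimately contain more than one `%%EOF`, and dates stored in compressed object streams or XMP are not visible to this raw scan.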
primary tools
- 01 pdf object explorer: drop a PDF · parse raw object tree · detect embedded JavaScript · /Launch actions · encrypted streams · /EmbeddedFile · suspicious patterns · export report · runs locally
- 02 pdf forensics: drop a pdf · inspect objects and streams · extract javascript · embedded files · suspicious actions · object tree · malware analysis · runs locally
- 03 pdf incremental update forensic analyzer: drop pdf file · detect and analyze incremental updates appended to the pdf · reconstruct the document modification history · surface what changed between each update · identify signature bypass attacks via incremental updates · runs locally
- 04 pdf author and revision metadata deep analyzer: drop pdf file · extract all document information dictionary and xmp metadata · parse creation and modification timestamps · surface author, software version, revision count and producer chain · runs locally
- 05 pdf digital signature chain analyzer: drop pdf file · extract and analyze all digital signatures · validate signature structure · reconstruct certificate chains · surface signer identity, timestamps and what content was signed · runs locally
- 06 office document version ghost content extractor: drop doc, xls, ppt (ole2) office files · scan free sectors · padding slack · recover ghost text from previous saves · runs locally
- 07 document metadata genealogy tracer: drop related documents · trace ancestor versions through metadata · revision counts · author chains · template references · printer fingerprints · reconstruct document family history · runs locally
- 08 tracked changes forensic reconstructor: drop docx file · extract all tracked insertions, deletions and format changes · reconstruct the full editing history by author · surface deleted content and identify who removed what · runs locally