Doctored PDF?


Senior Member

Doctored PDF?

Posted: Dec 12, 19 14:44

Hello, wonder if anyone can help.

I'm looking at a PDF which appears to be a scanned copy of a letter on our headed paper, with a certification stamp.

The question I have been asked is, is there a way of telling if the original scanned letter was doctored with the stamp?

I'm not hopeful, but wondered if anyone had a line I could follow. I don't have my hands on the PDF yet, I'll share properties details when available.



Senior Member

Re: Doctored PDF?

Posted: Dec 12, 19 20:02

STEP #1: Use OSForensics or equivalent to extract embedded text from the PDF files

STEP #2: Search for and tag both XML Stream metadata values designated by the <xap:MetadataFieldname>......</xap:MetadataFieldname> beginning and ending metadata field delimiters.

Adobe software will embed XML Stream metadata values in PDF files to record user activity such as embedding a new JPEG image file into an existing PDF file; to the extent there are EXIF metadata values embedded with the JPEG file added to the PDF file, Adobe software will automatically extract such EXIF metadata and record the values using the "<xap:...>" delimiter.

STEP #3: Identify and tag the operating system generated Created/Accessed/Modified metadata date values, which always appear at the very end, or bottom of PDF file embedded text and are delimited by "/", not "<xap:>"; example of system generated Creation data is "/Created".

So, any "manipulation" or changes made to a PDF file such as adding a "certification stamp" will be recorded using the XML Stream <xap:> delimiter.  
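
An added example, not part of the posts above and not OSForensics output: a Python sketch of steps 2 and 3 that pulls `<xap:...>`/`<xmp:...>` fields and the slash-delimited date keys out of the raw PDF bytes. It assumes the metadata is stored uncompressed, uses the standard key names `/CreationDate` and `/ModDate`, and runs on a constructed sample; counting `%%EOF` markers goes beyond the steps above.

```python
import re

# XMP fields as elements; older Adobe files use the "xap:" prefix, newer "xmp:".
XMP_FIELD = re.compile(rb"<(xap|xmp):(\w+)>([^<]*)</\1:\2>")
# The same fields written as attributes, e.g. xmp:ModifyDate="...".
XMP_ATTR = re.compile(rb'\b(xap|xmp):(\w+)="([^"]*)"')
# Slash-delimited date keys of the document information dictionary.
INFO_DATE = re.compile(rb"/(CreationDate|ModDate)\s*\(([^)]*)\)")

def extract_metadata(pdf_bytes):
    """Collect every XMP field and Info date; superseded revisions are kept."""
    xmp = [(m.group(2).decode(), m.group(3).decode("latin-1").strip())
           for pat in (XMP_FIELD, XMP_ATTR) for m in pat.finditer(pdf_bytes)]
    info = [(m.group(1).decode(), m.group(2).decode("latin-1"))
            for m in INFO_DATE.finditer(pdf_bytes)]
    # Each incremental save appends a new %%EOF (linearized files also have two).
    return {"xmp": xmp, "info": info, "eof_markers": pdf_bytes.count(b"%%EOF")}

def findings(meta):
    """Turn the extracted values into leads for manual review."""
    values, notes = {}, []
    for name, value in meta["xmp"]:
        values.setdefault(name, []).append(value)
    created, modified = values.get("CreateDate", []), values.get("ModifyDate", [])
    if created and modified and modified[-1] != created[0]:
        notes.append(f"XMP ModifyDate {modified[-1]} differs from CreateDate {created[0]}")
    tools = sorted(set(values.get("CreatorTool", [])))
    if len(tools) > 1:
        notes.append("more than one CreatorTool recorded: " + ", ".join(tools))
    if meta["eof_markers"] > 1:
        notes.append(f"{meta['eof_markers']} %%EOF markers: possible incremental save")
    return notes

# Constructed sample: a scan saved once, then re-saved by a second tool.
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /CreationDate (D:20191202093000Z) >>\nendobj\n"
    b"<x:xmpmeta><xap:CreateDate>2019-12-02T09:30:00Z</xap:CreateDate>"
    b"<xap:CreatorTool>Scanner FW</xap:CreatorTool></x:xmpmeta>\n%%EOF\n"
    b"1 0 obj\n<< /CreationDate (D:20191202093000Z)"
    b" /ModDate (D:20191210161500Z) >>\nendobj\n"
    b"<x:xmpmeta><xap:CreateDate>2019-12-02T09:30:00Z</xap:CreateDate>"
    b"<xap:ModifyDate>2019-12-10T16:15:00Z</xap:ModifyDate>"
    b"<xap:CreatorTool>Editor X</xap:CreatorTool></x:xmpmeta>\n%%EOF\n"
)

if __name__ == "__main__":
    for note in findings(extract_metadata(SAMPLE)):
        print(note)
```

Metadata held in compressed object streams will not be seen by a raw byte search, so an empty result is not evidence that the file is unmodified.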
