Hello wonder if anyone can help
I'm looking at a PDF which appears to be a scanned copy of a letter on our headed paper, with a certification stamp.
The question I have been asked is, is there a way of telling if the original scanned letter was doctored with the stamp?
I'm not hopeful, but wondered if anyone had a line I could follow. I don't have my hands on the PDF yet, I'll share properties details when available.
STEP #1 Use OSForensics or equivalent to extract embedded text from the PDF files
STEP #2 Search for and tag both XML Stream metadata values designated by the
Adobe software will embed XML Stream metadata values in PDF files to record user activity such as embedding a new JPEG image file into an existing PDF file; to the extent there is EXIF metadata values embedded with the JPEG file added to the PDF file, Adobe software will automatically extract such EXIF metadata and record the values using the "
STEP #3 Identify and tag the operating system generated Created/Accessed/Modified metadata date values, which always appear at the very end, or bottom of PDF file embedded text and are delimited by "/", not "
So, any "manipulation" or changes made to a PDF file such as adding a "certification stamp" will be recorded using the XML Stream