Find a blank PDF form?
We are dealing with a trucking company that hauls road base to several cities in the state of Texas. They suspect that one of their adminsitartive employees has been embezzling. They belive she has a blank PDF file (used like a template but not in a template format) saved somewhere in her files that can be used for generating false work orders, false invoices, and she gets a front company to collect the real money.
Problem is, there is about 1TB of various PDF documents in various folders connected to her user account. They want us to find the one, blank 'template' PDF document she is using to generate the counterfeits.
My first idea is to export all PDFs, sort them by size, and begin looking at the 'smaller' ones. However, that could still leave us with maybe 300,000 files.
Does anyone have a most excellent idea we can use?
"Focus on the Whole Truth"
C.M. "Mike" Adams EnCE, LPI, TALI
Prime Focus Forensics
P.O. Box 847
Hutto, TX 78634
We use voice dictation software. Sometimes the software gets it right, other times it just writes it wrong - (homophones)
X-ways has a fuzzy doc feature that searches documents for other documents containing the same words.
If you were to put a blank template in as a search, you could look for documents that had a 100%, or very close, match.
Thank you so much for your response. Only good people take the time to help, so, you must be a 'good people'.
I am going to try that!!
Why does it need to be a "blank" PDF?
That doesn't make sense for two reasons.
1) The are lots of PDF editors available now that can edit existing PDFs, just like you are editing a Word document. No need for a blank one. We use FoxIT Phantom for editing PDFs, but there are other options.
2) Very few people create new PDF documents from old PDF documents. Much more typical is to work from a source document. e.g. start with a Word or Excel file or some cloud based system and then Save to PDF. Or create PDFs directly from the company's accounting system. Could even be using Photoshop to edit scanned PDFs.
But if you needed to, searching the PDFs should pretty easy. Make a text index and just search for some of the known text. If you can limit the search by date / time or file size that can help. Maybe using negative keywords can help as well if you are looking for a "blank" document. You should also be looking at what documents have recently been opened in Word & Excel, if the user has access to the accounting system, if a PDF editor is installed on the machine (and what files it recently opened). Also check the metadata in the PDF file itself, they often have details about what software created the PDF. Do the PDFs have a text layer or are they scanned bitmaps that need OCR?
Pretty much all the major forensics tools can do all of this for you. If you need specific directions let me know.
Out of curiosity - what would having a blank document prove? Are these work-orders and invoices only generated from an automated system into PDF format, once properly filled out in the generating system, and therefore the existence of a blank one in theory not being possible, and therefore suspicious?
Perhaps coming at this from a different angle, assuming the suspect isn't particularly techy, before trawling huge amounts of data, it might be worth having a quick flick through things like the MRU lists, Jump Lists, shortcuts in Recent folder, etc. You never know you might find there's a small number of items worth checking first before you do a bigger trawl of everything.