PDF File provenance
I have a case in which an employee has been accused of generating false medical claims using a combination of scanned images, Microsoft word and PDF files. I have created a forensic image of the suspects drive and created a captured the subjects network folder in which some of the documents have been stored. It looks the like the subject has scanned a receipt, embedded the image in a word document and then added a payment acknowledgement stamp and signature. The aforementioned signature has been embedded in the word document together with the payment stamp. The subject has then created a PDF file from the word document and submitted that as proof of payment.
I'm now trying to correlate the various components ( the snippets, embedded images and word documents ) to establish how these pdf files were created. There is very little detail in the metadata as far as I can see or may be i'm missing a trick here. Has anyone got experience of this kind of examination or perhaps used a forensic tool that can provide some vital clues?
Any assistance would be very much appreciated.