Digital Forensics Document Analysis

It is a common occurrence in litigation – one party serves a document in support of their case, and the other party says that the document has been altered after signature, or that they did not sign it at all. The question posed to digital forensics experts is therefore “Is this document genuine?”

That is a deceptively difficult question to answer, for a number of reasons:

1. Documents store limited metadata, so analysis must piece together small “breadcrumbs” of evidence to build up a bigger picture.
2. A scanned document will not contain any of the metadata around the creation of the original document – it will only relate to when and how this copy was created (for example, the scanning software or hardware used, and the time that this occurred).
3. Timestamps are taken from the device used to create or modify the document. In the absence of the device itself for analysis, it is possible that timestamps could be present because the time was maliciously or inadvertently altered on that device.
4. Different software can behave very differently when creating or editing a document. Something which, on the surface may appear to be suspicious, may simply be due to the unusual way the software employed certain functions. It can be helpful in this regard if exemplar documents which are accepted by all parties as genuine can be provided, to give a benchmark for analysis.
5. Depending on the software used, editing a document can potentially be a destructive process – in effect creating a brand-new document that includes the edited data. This leaves limited scope for detection of editing, making the timestamps of when it was created a crucial factor.

It is recommended that the device said to have been used to create the document is also analysed to give the most complete picture surrounding the document’s creation. It is, however, not always possible (e.g. an old device since destroyed), practical (given the time that has passed since creation, computer records may have been lost), proportional (collateral intrusion of surrendering a device for analysis), or that the creating device is within another jurisdiction.

These are all reasons why “is this document genuine?” is a difficult question to answer. The approach I therefore recommend to maximise the usefulness of any findings is a subtly different question – “Is this document consistent with X version of events?”

Providing the details as to when and how a document is alleged to have been created allows for more targeted analysis to prove or disprove that version of events – or perhaps provide reasonable doubt or alternatively, probability, depending on the strength of the available evidence.

Case Study 1

A PDF version of a scanned document was presented to Keith Borer Consultants. As this was a scanned document, there was no metadata relating to the creation of the original document, and the metadata relating to the scanned copy was consistent with it having been scanned and not since altered. Taken without context, an expert may conclude that the document is genuine. Put into context, however, the document was alleged to have been scanned two weeks before the date the metadata suggested it was created – highlighting an issue with the version of events put forward and calling into question the integrity of the document.

Case Study 2

A PDF document was analysed, and the metadata showed that it had been created on the date that it was alleged to have been created. It had been created by exporting to PDF from Microsoft Word, and not modified since. The signature blocks had been added separately in Word, prior to it having been saved to PDF. Adding a signature to a document in this way is not unusual, but worthy of note as it may indicate they were copied from elsewhere. Without context, the results of an examination were likely to be inconclusive as to whether the document was genuine.

The party producing this document, however, alleged that the questioned document had been ‘wet signed’ (i.e. signed in person with a pen), then scanned straight to PDF to produce the supplied document. This version of events was directly contradicted by the evidence. Combined with the evidence that the signature blocks had been inserted into the document prior to saving to PDF, this suggested that the document had been fabricated.

Case Study 3

Sometimes, digital forensics just cannot assist. A letter from a number of years ago was said to have been in hardcopy format, and only recently scanned to a digital format. The available digital evidence is not able to distinguish between this scenario and a falsified document being printed and scanned back in.

It was alleged that the signature has been taken from a genuine letter and transferred to a new document. Our handwriting experts were able to compare the signature from the genuine document against the questioned document – it was found to be an exact match. Genuine signatures all have natural variations within them, meaning that an exact match suggests that it has been copied and pasted from one document to the other.

This example rather neatly demonstrated the manner in which, if one of our disciplines is unable to help in the first instance, another may be able to resolve the issue.

Get in touch if you have a Digital Forensics Document Analysis query

Digital forensics document analysis is limited by the metadata that is stored but has the potential to be a powerful tool in establishing the provenance of a document when the right question is asked. Asking whether a document is consistent with a version of events can be much more probative than simply asking if it is genuine. Get in touch with our Digital Forensics team to discuss your case – call us on 0191 3324999 or email kbc@keithborer.co.uk.