When the Document Lies: How Forensic Analysis Catches Forged PDFs
By Lucas Flores, Digital Forensics Expert Witness
A signed contract arrives by email. The dates line up, the signature looks right, the letterhead is familiar. On its face, nothing is wrong. But a PDF is a container, and what it carries inside often tells a different story than what appears on the page. For attorneys, insurers, and corporate counsel, learning to read that hidden story is the difference between accepting a document at face value and catching a forgery before it costs a case or a client.
In my forensic work, PDF documents come up constantly: disputed contracts, altered invoices, backdated agreements, manipulated reports. This post walks through how a forensic examiner determines whether a PDF has been altered, what the telltale signs of tampering look like, and why some of these techniques hold up under scrutiny while others only point you toward the next question.
A PDF Is Not a Picture of a Document
The first thing to understand is that a PDF is not a flat image. It is a structured file made of objects: text, fonts, images, and a behind-the-scenes table that tells a reader where each object lives in the file. When someone edits a PDF, they rarely rebuild it cleanly from scratch. They open it in an editor, change something, and save. That act of saving leaves traces, and those traces are what a forensic examiner looks for.
Because the format records so much about its own construction, a PDF that has been modified usually carries internal evidence of the modification, even when the visible page looks pristine. The forger controls what you see. They do not always control what the file remembers.
Metadata: The First Place to Look
Every PDF carries metadata, which is data about the document itself rather than its visible content. This typically includes creation date, modification date, the application that produced the file, and sometimes the author or the operating system involved.
The most common red flag here is a mismatch. A document dated three years ago that was supposedly created and never touched since, yet shows a modification timestamp from last week, invites an obvious question. So does a contract that claims to come from a law firm's document system but was last saved by a consumer photo editor. None of this proves forgery on its own. Metadata can be edited, stripped, or simply wrong because of legitimate workflow quirks. But a clean explanation should exist, and when it does not, you have a thread worth pulling.
A useful habit: never treat a single metadata field as conclusive. Treat it as a lead. The strength of a forensic finding comes from multiple independent signals pointing the same direction.
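The mismatch check described above, as an added Python example that is not from the original article: it reads the date and application fields out of a PDF Info dictionary and lists leads against the date the document bears. The sample dictionary, the application names in it and the one-day tolerance are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample Info dictionary (hypothetical values, not from a real matter).
SAMPLE_INFO = (b"<< /Creator (FirmDocs DMS) /Producer (ExamplePhotoEditor 4.1) "
               b"/CreationDate (D:20210315093000-06'00') "
               b"/ModDate (D:20240610221504-05'00') >>")

# PDF date string: D:YYYYMMDDHHmmSS then Z or +HH'mm' / -HH'mm'; only the year is required.
PDF_DATE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+\-])?(\d{2})?'?(\d{2})?")

def parse_pdf_date(raw):
    """Convert a PDF date string to an aware datetime, or None if it does not parse."""
    m = PDF_DATE.match(raw)
    if not m:
        return None
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], (1, 1, 1, 0, 0, 0))]
    offset = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
    if m.group(7) == b"-":
        offset = -offset
    # Assumption: a date with no offset is treated as UTC; the format leaves it unspecified.
    return datetime(*parts, tzinfo=timezone(offset))

def info_fields(info):
    """Extract simple literal-string values; escaped parentheses and hex strings are not handled."""
    out = {}
    for key in (b"Creator", b"Producer", b"CreationDate", b"ModDate"):
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", info)
        out[key.decode()] = m.group(1) if m else None
    return out

def metadata_leads(info, claimed, slack=timedelta(days=1)):
    """List mismatches between the file's own dates and the date the document bears."""
    f = info_fields(info)
    created = parse_pdf_date(f["CreationDate"] or b"")
    modified = parse_pdf_date(f["ModDate"] or b"")
    leads = []
    if created and created - claimed > slack:
        leads.append(f"CreationDate {created.date()} is later than the document's date")
    if modified and modified - claimed > slack:
        days = (modified - claimed).days
        leads.append(f"ModDate {modified.date()} is {days} days after the document's date")
    return leads

if __name__ == "__main__":
    print(info_fields(SAMPLE_INFO))
    print(metadata_leads(SAMPLE_INFO, datetime(2021, 3, 15, tzinfo=timezone.utc)))
```

Each returned string is a lead to explain, not a finding; the Creator and Producer values are printed for the examiner to weigh against the claimed origin of the file.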
Incremental Updates: The Document That Remembers Its Past
This is the single most powerful concept for catching alterations, and it surprises almost everyone who first encounters it.
When a PDF is edited, the format often does not overwrite the original content. Instead, it appends the changes to the end of the file in what is called an incremental update. The earlier version is still physically present in the file, just no longer pointed to as the current version. The reader displays the latest layer, but the previous layers can be recovered.
In practice, this means a "final" signed agreement can sometimes contain an earlier draft with different numbers, different dates, or different terms sitting quietly underneath. An analyst can extract these prior states and compare them. When the recovered earlier version contradicts the visible one, that is among the most persuasive evidence a forensic examiner can produce, because it shows the document's own editing history rather than relying on an outside interpretation.
Not every PDF preserves this history. Some editors flatten or rewrite the file completely on save, which erases the layers. But when the history survives, it is hard to argue with.
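Recovering the earlier layers, as an added Python example that is not from the original article: each `%%EOF` marker closes one save, so the bytes up to each marker are the file as it stood at that point, and objects redefined in a later save can be compared against their earlier state. The sample file is constructed and simplified, and the object lookup assumes uncompressed objects with generation number 0.

```python
import re

EOF = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")

def build_sample():
    """Constructed two-save file, simplified: xref tables omitted, offsets are placeholders."""
    rev1 = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"4 0 obj\n<< /Length 27 >>\nstream\nBT (Total due: 5,000) Tj ET\nendstream\nendobj\n"
            b"trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
    update = (b"4 0 obj\n<< /Length 28 >>\nstream\nBT (Total due: 50,000) Tj ET\nendstream\nendobj\n"
              b"trailer\n<< /Size 5 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n")
    return rev1 + update

def carve_revisions(data):
    """Return the file as it stood after each save: the bytes up to each %%EOF marker."""
    return [data[:m.end()] for m in EOF.finditer(data)]

def latest_object(rev, num):
    """Body of the last definition of object `num` in a revision (the newest definition wins)."""
    hits = re.findall(rb"(?<!\d)%d 0 obj\b(.*?)endobj" % num, rev, re.S)
    return hits[-1].strip() if hits else None

def changed_objects(data):
    """Map object number -> its successive distinct states across the saves."""
    revs = carve_revisions(data)
    nums = {int(n) for n in re.findall(rb"(?<!\d)(\d+) 0 obj\b", data)}
    out = {}
    for n in sorted(nums):
        states = []
        for rev in revs:
            body = latest_object(rev, n)
            if body is not None and (not states or states[-1] != body):
                states.append(body)
        if len(states) > 1:  # redefined by a later incremental update
            out[n] = states
    return out

if __name__ == "__main__":
    data = build_sample()
    print(len(carve_revisions(data)), "saves found")
    for num, states in changed_objects(data).items():
        for i, body in enumerate(states, 1):
            print(f"object {num}, state {i}: {body!r}")
```

On a real file the content streams are usually compressed, so each recovered state has to be decoded before the text can be compared; a single `%%EOF` means no earlier layer survives in the file.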
Font and Rendering Inconsistencies
When a forger changes a number or a name inside an existing document, they have to match the surrounding text. That is harder than it sounds. The substituted characters may come from a slightly different font, a different embedding, or a different rendering path than the original text around them.
To the naked eye on screen, the page can look seamless. Under analysis, the altered region may use a font that is not embedded the same way as the rest of the document, or text positioned with coordinates that do not match the original layout grid. A figure that was changed from 5,000 to 50,000 might reveal itself through subtle spacing or a font object that appears nowhere else in the file. These are quiet signals, but they accumulate.
Born-Digital Versus Scanned
It matters enormously whether a document was created digitally from the start or scanned from paper. A born-digital PDF contains selectable, structured text. A scanned document is essentially a photograph of a page, sometimes with a text layer added underneath by optical character recognition.
Forgers sometimes scan an altered printout specifically to destroy the internal evidence described above, because flattening a document into an image strips away metadata layers and incremental history. But that move creates its own suspicion. A document that should be born-digital, such as something generated by an accounting system, has no innocent reason to arrive as a scan of a printout. The absence of expected digital structure is itself a finding.
Digital Signatures and What They Actually Prove
Cryptographic digital signatures, the real kind backed by certificates rather than an image of a handwritten signature, are designed to detect tampering. A valid digital signature confirms that the document has not changed since it was signed and that it was signed by the holder of a particular certificate.
Two cautions for the legal reader. First, a graphic that looks like a signature is not a cryptographic signature. Many forged documents carry a pasted image of a signature with no cryptographic backing at all, which proves nothing about integrity. Second, even a genuine signature only protects content from the moment of signing forward. It says nothing about whether the content was already false when it was signed. Verify what the signature actually covers before relying on it.
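Checking what a signature actually covers, as an added Python example that is not from the original article: a PDF signature dictionary carries a `/ByteRange` of four integers (two offset and length pairs) naming the bytes that were signed, so anything past the end of the second range was appended after signing. The sample file and its placeholder signature value are constructed; the code does not validate the certificate or the cryptographic signature itself.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def build_sample(tail=b""):
    """Constructed, simplified signed file; `tail` simulates bytes appended after signing."""
    def br(b, c, d):  # fixed-width fields keep the offsets stable while they are filled in
        return b"/ByteRange [0 %010d %010d %010d]" % (b, c, d)
    pre = b"%PDF-1.7\n5 0 obj\n<< /Type /Sig "
    mid = b" /Contents "
    sig = b"<" + b"00" * 16 + b">"  # placeholder value, not a real signature blob
    post = b" >>\nendobj\n%%EOF\n"
    b_len = len(pre) + len(br(0, 0, 0)) + len(mid)
    c_off = b_len + len(sig)
    return pre + br(b_len, c_off, len(post)) + mid + sig + post + tail

def signature_coverage(data):
    """For each /ByteRange found, report which bytes the signature covers and which it does not."""
    results = []
    for m in BYTE_RANGE.finditer(data):
        a, b, c, d = map(int, m.groups())
        gap = data[a + b:c]  # the excluded span should hold only the signature value
        results.append({
            "starts_at_zero": a == 0,
            "gap_is_hex_string": re.fullmatch(rb"<[0-9A-Fa-f\s]*>", gap) is not None,
            "covered_through": c + d,
            "unsigned_tail": len(data) - (c + d),  # bytes added after this signature
        })
    return results

if __name__ == "__main__":
    edit = b"4 0 obj\n(edited)\nendobj\n%%EOF\n"  # constructed later update
    for label, sample in (("as signed", build_sample()), ("with later update", build_sample(edit))):
        print(label, signature_coverage(sample))
```

A non-zero `unsigned_tail` is a lead rather than proof of tampering: later signatures and timestamps are also added as incremental updates, so the appended bytes need to be examined for what they change.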
What This Means for Building a Defensible Case
Forensic PDF analysis is powerful, but its value in a legal setting depends on doing it properly. A few principles guide how I approach this work.
Preserve the original file exactly as received, including its full email headers and transmission path when possible. Work only from copies, and document every step so the analysis can be reproduced by an opposing expert. The strongest conclusions rest on multiple corroborating signals rather than a single anomaly, because almost any one indicator has an innocent explanation somewhere. And be honest about the limits: forensic analysis can often show that a document was altered, but it cannot always show who did it or when, and a credible report distinguishes clearly between what the evidence proves and what it merely suggests.
That last point matters more than any single technique. Objectivity is what makes testimony survive cross-examination. An examiner who overstates a finding hands the other side an opening. The goal is not to declare every odd timestamp a forgery. It is to know which questions a document cannot answer cleanly, and to recognize when the file itself is quietly contradicting the story it was sent to tell.
The Takeaway
A PDF carries far more than the words on its pages. It carries a record of how it was made and how it was changed, and that record is often beyond the forger's control. For legal professionals, the practical lesson is simple: a document that looks correct is not the same as a document that is correct. The proof, when it exists, is usually inside the file, waiting for someone who knows to look.
If you are weighing whether a document in your matter is what it claims to be, that question is worth answering properly before it reaches a courtroom. Veritas handles document authentication, opposing expert report review, and litigation support for clients across Texas and nationwide.
This article is for general informational purposes and does not constitute legal advice. Forensic findings should be evaluated by a qualified examiner in the context of the specific matter.