Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Forensic Downloads
· Forensics Feedback
· Forums
· Members List
· Statistics
· Surveys
· Top 10
· Topics
· Training Reviews
· Web Links
· Your Account

Our Membership

Latest: bradshaw48
New Today: 1
New Yesterday: 1
Overall: 29280

Computer Forensics
This is a free and open peer to peer medium for digital and computer forensics professionals and students. Please help us maintain it by contributing and perhaps linking to us from your own website.

Recent Posts

 Final Year Project
 Android devices with PIN screen lock and without USBdebb. on
 Can file creation and modifications on pendrives be found?
 Viewing real MAC times of a timestomped file
 software that can view files in Volume Slack

Computer Forensics World Forums


Pages Served
We received
49763435
page views since August 2004

Security Sources

FTC
OnGuard Online
ISO 17799 ISO 27001
ISO 27000 Toolkit
ISO 27001 & 27000
Cryptography
Security Policies

Computer Forensics World: Forums

Computer Forensics World :: View topic - How to tell when a pdf file was made
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

How to tell when a pdf file was made

 
Post new topic   Reply to topic    Computer Forensics World Forum Index -> General Computer Forensic Issues
View previous topic :: View next topic  
Author Message
gator
Newbie
Newbie


Joined: Feb 16, 2013
Posts: 4

PostPosted: Sun Feb 17, 2013 2:19 pm    Post subject: How to tell when a pdf file was made Reply with quote

We need to be able to prove the actual date when pdf files were scanned/created by a document scanner. Obvious tests are to look at properties in Adobe Acrobat, the pdf creation date, and the file creation/modified date. Yet we are aware you can set the bios clock back on a computer to a previous date and create a file that shows a different date.

How can we prove the original date the documents were scanned? Is there anything in the file itself that would have changed on subsequent views, is there a chain of custody of everyone or every time the file has been opened/modified, file name changes, record of previous places the file was stored or saved in directories?

Would appreciate any tips on a good utility for forensic analysis of pdf files.
Back to top
View user's profile
athulin
Newbie
Newbie


Joined: Oct 19, 2007
Posts: 237

PostPosted: Sun Feb 17, 2013 7:12 pm    Post subject: Re: How to tell when a pdf file was made Reply with quote

gator wrote:
How can we prove the original date the documents were scanned?


What you can do is investigate possible solutions for scanning documents into PDF form, enumerate what traces they each leave (with different settings), and compare with what you have.

As for the time, ... you will have to go with whatever source of time the system you are examining used. As you don't say, it can be anything from a printer/scanner combination, relying on manually set time, to a workstation, relying on an NTP server.

Quote:
Is there anything in the file itself that would have changed on subsequent views, is there a chain of custody of everyone or every time the file has been opened/modified, file name changes, record of previous places the file was stored or saved in directories?


Unlikely. There's nothing like that mentioned in the PDF Reference Manual (which you may need to be familiar with), and while a single tool may add its own extensions, it's unlikely.

PDF does allow for incremental changes, though, so if you have a PDF editor and just 'Save', you may get an incremental update, which just unlinks previous contents and adds the new. But that depends on the tool used. Adobe Acrobat used to do that -- but I haven't checked it for ages, so I don't know if it still does. Other tools don't do it at all.
Back to top
View user's profile
gator
Newbie
Newbie


Joined: Feb 16, 2013
Posts: 4

PostPosted: Mon Feb 18, 2013 6:08 am    Post subject: Reply with quote

Quote:
What you can do is investigate possible solutions for scanning documents into PDF form, enumerate what traces they each leave (with different settings), and compare with what you have.


Didn't understand your answer. Did you mean to say that different software/hardware solutions leave different traces of date and time?

Comparing with what we have? What we have are the files with the questionable dates. We think the individual who provided these files might have set the system date and time back, scanned the documents, and provided the files under the guise of having been previously scanned, years ago. That's what we are trying to disprove.

We heard something about .pdf files, or files in general, accumulating a "chain of custody" with time and date stamp, somewhere in their own file structure as they pass from one system to the next, possibly each time they are opened by a different computer or user. Not true?
Back to top
View user's profile
cybercop
Newbie
Newbie


Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

PostPosted: Mon Feb 18, 2013 2:53 pm    Post subject: Reply with quote

In most cases, it does not work like that. You are going to need to find another way to prove the files were not created when claimed. It sounds as though this may be a serious case. If it is, you need to stop mucking around and hire a professional. You can only do more harm trying to do this stuff by yourself.
Back to top
View user's profile
gator
Newbie
Newbie


Joined: Feb 16, 2013
Posts: 4

PostPosted: Tue Feb 19, 2013 12:53 am    Post subject: Reply with quote

What is a good utility that can be used to examine all available metadata relating to the .pdf file?
Back to top
View user's profile
cybercop
Newbie
Newbie


Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

PostPosted: Tue Feb 19, 2013 1:16 am    Post subject: Reply with quote

Open the file with Acrobat or Acrobat Reader and select document properties. You can then view the metadata from the file. However, I can guarantee there will not be the information that you are seeking. You need to be examining the computer that was used to create the file, not the file. Again, hire a professional if this is important. Mucking around will only make it so that any evidence is no longer reliable.
Back to top
View user's profile
gator
Newbie
Newbie


Joined: Feb 16, 2013
Posts: 4

PostPosted: Fri Feb 22, 2013 2:44 pm    Post subject: Reply with quote

So far, we don't have the ability to examine the computer that was used to create the files. The files were shared to our lawyer on a mobile USB stick, we received a copy of those files. That is why we are trying to identify methods of examining the files themselves.
Back to top
View user's profile
Harold86
Newbie
Newbie


Joined: Jun 09, 2015
Posts: 3

PostPosted: Wed Jun 10, 2015 3:38 am    Post subject: Reply with quote

gator wrote:
What is a good utility that can be used to examine all available metadata relating to the .pdf file?


Payne - Metadata Assistant... Great tool.
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    Computer Forensics World Forum Index -> General Computer Forensic Issues All times are GMT + 10 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.10 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.
Digital forensic computing news syndication: Computer Forensics Training News or UM Text
Software is copyrighted phpnuke.org (c)2003, and is free under licence agreement. All Rights Are Reserved.