A PDF is more than the pixels you see. Every file carries a second layer — the Info dictionary, XMP metadata stream, cross-reference tables, embedded font subsets, image EXIF, and (sometimes) a cryptographic signature. That layer records who produced the document, with what software, when it was created, and whether it has been re-saved since.
For fraud, risk, and compliance teams, PDF metadata forensics is one of the fastest and most reliable ways to test document authenticity. It works against hand-edited fakes, off-the-shelf 'novelty' document generators, and increasingly against AI-generated documents — all of which tend to leave the same telltale fingerprints in the file's structure.
This guide walks through the nine metadata surfaces that matter most, in the order we recommend checking them, and closes with a fast review workflow you can run on a single document in a few minutes.
Scope: This is a review guide for document reviewers, fraud analysts, and compliance teams. It is not legal advice and does not replace your organization's escalation or verification process.
The 9 metadata signals to check
1. Producer and Creator strings
Every PDF records the software that produced it. Bank, government, and enterprise systems typically emit consistent Producer strings from their rendering pipeline — for example an internal reporting engine, a well-known enterprise PDF library, or a specific server-side toolchain.
When a document that claims to be a bank statement, tax return, or utility bill reports a Producer like 'Microsoft Word', 'LibreOffice', 'Preview', or a mobile 'Print to PDF' driver, treat that as a strong signal. Legitimate institutional PDFs are almost never produced by consumer editors.
Compare against a known-good sample from the same issuer. Even small shifts in the Producer or Creator string (version numbers that don't exist, a Creator that contradicts the Producer) are worth flagging.
2. Creation vs Modification dates
PDFs store both a CreationDate and a ModDate in their metadata. In an untouched, freshly-issued document the two match to the second — the file was rendered once and saved.
If ModDate is later than CreationDate, the file has been re-saved after generation. Sometimes that's benign (a legitimate re-flatten). Often it isn't. A statement 'issued' months ago but modified yesterday deserves scrutiny.
Cross-check the dates against the document's own content. A tax form dated April 2025 with a CreationDate of April 2024 is contradictory on its face.
3. Author, Title, Subject, and Keywords fields
The XMP and Info dictionaries carry an Author field that is often left populated when a document is edited on a personal machine. A statement that lists a personal name — especially the applicant's own name — as the Author is a red flag.
Title, Subject, and Keywords fields on institutional PDFs are usually empty or use a mechanical template. Freeform values like 'edited copy final v3' or 'statement fixed' surface immediately in the Info dictionary.
4. Incremental updates and the trailer chain
PDFs support incremental updates — every save appends a new cross-reference table and trailer to the end of the file instead of rewriting it. A clean, one-shot export from an issuer has exactly one %%EOF marker and one trailer.
Multiple %%EOF markers, stacked xref sections, or object streams added after the original trailer indicate the file was opened and re-saved at least once. Some editors also leave the previous xref addressable, so recovered content can sometimes reveal what was changed.
This is difficult to check by eye. A hex viewer or a dedicated PDF forensic tool is the practical way to inspect the trailer chain.
5. Digital signatures and long-term validation
Many banks, tax authorities, and enterprise document platforms sign their PDFs. A valid, unbroken cryptographic signature is the strongest single signal of authenticity — and a broken or missing signature on a document type that is normally signed is one of the strongest signals of tampering.
Check the signature's status (valid / invalid / unknown), the signer certificate chain, whether the signature covers the entire document, and whether any changes were made after signing. 'Signed, then modified' is functionally the same as unsigned.
6. XMP metadata and hidden history
Beyond the Info dictionary, PDFs carry an XMP metadata stream that many editors quietly extend. Adobe products, for example, can leave a Document History (xmpMM:History) block that lists every 'saved', 'converted', and 'edited' action along with timestamps and the software involved.
This block is one of the most valuable forensic surfaces in a PDF. When present, it can expose exactly which editor touched the file, in what order, and when — even if the visible content looks clean.
7. Object-level edit traces
Inside a PDF, text is stored as content-stream operators positioned by coordinates. Genuine renderers lay text out in predictable order and non-overlapping regions. Manual edits often leave signatures: text objects positioned on top of other text (to cover an old value), whitespace-filled rectangles used to blank out the original glyphs, or fonts that appear in one line and nowhere else.
Similarly, replacing a logo or a value often introduces a Form XObject or an Image XObject that is inconsistent in resolution, color profile, or compression with the rest of the file.
8. Font subsets and embedded resources
Institutional PDFs typically use a small, consistent set of embedded font subsets across every page. An edit made in a different tool almost always introduces a new font subset — often a stock system font (Helvetica, Arial, Times New Roman) that doesn't appear anywhere else in the document.
Enumerate the fonts in the file. A single line rendered in a font that is used nowhere else is a strong tampering signal.
9. EXIF metadata on embedded images
PDFs frequently embed scans and photos — of IDs, signatures, receipts, cheques — as image XObjects. Those images can retain EXIF metadata: camera make and model, capture timestamp, software used, and sometimes GPS coordinates.
EXIF that contradicts the story around the document is a powerful signal. A 'photo of an original ID card' whose EXIF says the image was produced by an image editor, or whose timestamp is years off, undermines the document as a whole.
For a deeper visual layer, ELA (Error Level Analysis) on the extracted images can highlight regions that were re-compressed at different levels — a classic sign of localised edits.
You can also run automated metadata fraud detection across both PDF and image layers in one pass.
A fast metadata review workflow
- Open the PDF properties and read the Producer, Creator, and Author (Signals 1, 3).
- Compare CreationDate vs ModDate; note any gap (Signal 2).
- Validate any digital signature end-to-end (Signal 5).
- Scan the XMP stream for a Document History block (Signal 6).
- Count %%EOF markers and inspect the trailer chain (Signal 4).
- Enumerate fonts; flag any that appear on only one line (Signal 8).
- Extract embedded images and read their EXIF (Signal 9).
For teams reviewing more than a handful of documents a week, automate all seven steps and reserve human time for the corroboration pass. You can inspect a PDF for tampering signals or view a redacted sample fraud report to see what an automated metadata review produces.
When to escalate
Escalate to a manual review, a second opinion, or a direct verification with the issuer when any of the following fire:
- Producer/Creator strings inconsistent with the claimed issuer.
- A ModDate later than CreationDate with no legitimate explanation.
- A missing, broken, or post-signing-modified digital signature on a normally signed document type.
- XMP Document History that lists a consumer editor.
- EXIF on an embedded image that contradicts the document's story.
Where appropriate, request the original issuer-signed PDF or verify the underlying data through an approved channel.
FAQ
What is PDF metadata forensics?
PDF metadata forensics is the practice of inspecting the non-visible structure of a PDF — its Info dictionary, XMP stream, trailer chain, signatures, fonts, and embedded image EXIF — to determine whether a document was tampered with, re-saved, or produced by software that contradicts its claimed origin.
How do you check if a PDF is authentic?
Start with three checks: the Producer and Creator strings should be consistent with the claimed issuer, the CreationDate and ModDate should match (or the modification should be explainable), and any expected digital signature should validate cleanly against the entire document. If all three hold and the visible content reconciles, the file is very likely authentic.
Can EXIF data prove a document was forged?
EXIF alone rarely 'proves' forgery, but it is highly probative. When an embedded image carries EXIF that lists an image editor as the software, timestamps that contradict the document, or a camera model inconsistent with the applicant's story, that is strong corroborating evidence — especially when combined with PDF-level signals like edit traces or a broken signature.
Does removing metadata from a PDF prove tampering?
Not on its own. Many privacy-conscious workflows strip metadata deliberately. However, an aggressively 'flattened' PDF that also lacks the expected Producer string of the claimed issuer, or that contradicts the visible content in other ways, is more suspicious than one with normal institutional metadata intact.
What tools are used for PDF metadata forensics?
Common tools include command-line utilities that expose the Info and XMP dictionaries, hex viewers to inspect the trailer chain, PDF signature validators, and image-forensics tools (EXIF readers and Error Level Analysis) for embedded images. In production, most fraud teams run these checks through an automated pipeline rather than by hand.
Can AI-generated PDFs be detected through metadata?
Often yes. AI-generated documents are typically rendered by consumer PDF libraries or 'Print to PDF' drivers, which leaves a Producer string that does not match any real issuer. They also usually lack a valid digital signature, and their embedded images frequently carry EXIF from an image generator or none at all. Metadata forensics is one of the most reliable signals against AI-produced document fraud.
Verify PDFs at scale
Run every metadata check above in seconds with TrueDoc.
Building this into your stack? Explore the document fraud detection API.