When hundreds of financial documents end up at the center of a legal dispute, one question matters above all others: have they been changed? Here's how we answered it — and what we found.
The Scenario
A folder of financial records — over 300 PDF documents — had been shared and downloaded from a cloud storage platform roughly two years before they became relevant to a legal matter. The documents included years of bank statements and tax filings. The question on the table: had anything been modified, deleted, or added to that folder since the day it was downloaded?
Nobody had access to the original cloud storage environment to compare. The only thing available was a forensic image of the computer that had received the download.
That's all we needed.
Why This Question Comes Up More Than You'd Think
In civil litigation, regulatory proceedings, and financial disputes, digital documents are routinely produced as evidence. The natural question — from lawyers, opposing parties, and courts alike — is whether those documents are authentic originals or whether they've been altered after the fact.
A PDF looks the same whether it's genuine or manipulated. You can't tell by looking at it. What you need is forensic analysis: an examination of the file itself, the operating system artifacts surrounding it, and the metadata embedded within it. When multiple independent sources all tell the same story, that story becomes very hard to dispute.
How We Approached It
Our examination started with a forensic image of the subject computer — a complete, sector-by-sector copy of the hard drive that captures everything, including deleted files, filesystem metadata, and system artifacts. From that image, Magnet AXIOM was used to extract the relevant artifacts, and we then worked through the evidence layer by layer.
Layer 1: Cryptographic Hash Verification
What it is
An MD5 hash is a mathematical fingerprint of a file's complete binary content. Change a single byte, and the hash changes entirely. Two files with the same hash are, for all practical purposes, identical. (MD5 is no longer collision resistant, so current practice records a SHA-256 hash alongside it; the reference report in this matter supplied MD5 values, so MD5 is what we had to compare against.)
In this case, a reference forensic report had been independently prepared by another examiner and included MD5 hash values for a subset of the documents. We computed MD5 hashes for all 325 files on the imaged drive and compared them against those reference values.
Result: Every single hash matched the reference values exactly. Not one mismatch across the 71 files for which we had reference values.
Hash verification is the gold standard for document integrity. If the hashes match, the files are identical. It's not a question of opinion or interpretation — it's mathematics.
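The comparison described above, as an added illustration rather than code from this case or from Magnet AXIOM: a Python script that hashes every file in a folder in chunks (MD5 and SHA-256 together, so a large evidence file never has to fit in memory), compares the MD5 against a reference table, and reports matched, mismatched, unreferenced and missing files as separate buckets so a report can state exactly which files were verifiable. The reference table, file names and file contents are constructed for the demo; the MD5 values are the standard test-vector digests of the byte strings the demo writes.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the other examiner's reference report: file name -> MD5.
# The digests are the RFC 1321 / common test-vector values for the byte strings
# written by build_demo_folder() below.
REFERENCE_MD5 = {
    "statement_2021-01.pdf": "900150983cd24fb0d6963f7d28e17f72",  # md5(b"abc")
    "statement_2021-02.pdf": "f96b697d7cb7938d525a2f31aaf161d0",  # md5(b"message digest")
    "statement_2021-03.pdf": "5d41402abc4b2a76b9719d911017c592",  # md5(b"hello")
    "statement_2021-04.pdf": "d41d8cd98f00b204e9800998ecf8427e",  # md5(b""), file absent on disk
}


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash one file in 1 MiB chunks so large evidence files never sit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_against_reference(folder, reference):
    """Hash every file in `folder` and bucket it by how it compares to the reference.

    Returns matched, mismatched (with both digests), unreferenced and missing
    names, so the report can state exactly which files were verifiable.
    """
    folder = Path(folder)
    result = {"matched": [], "mismatched": [], "no_reference": [], "missing": []}
    seen = set()
    for path in sorted(p for p in folder.iterdir() if p.is_file()):
        seen.add(path.name)
        digests = hash_file(path)
        expected = reference.get(path.name)
        if expected is None:
            result["no_reference"].append(path.name)
        elif digests["md5"] == expected.lower():
            result["matched"].append(path.name)
        else:
            result["mismatched"].append(
                {"name": path.name, "expected_md5": expected.lower(),
                 "actual_md5": digests["md5"], "actual_sha256": digests["sha256"]}
            )
    # Reference entries with no file on disk are reported too: a deletion
    # would show up here rather than silently passing.
    result["missing"] = sorted(set(reference) - seen)
    return result


def build_demo_folder():
    """Constructed evidence set: two intact files, one tampered, one never referenced."""
    folder = Path(tempfile.mkdtemp(prefix="hash_demo_"))
    (folder / "statement_2021-01.pdf").write_bytes(b"abc")
    (folder / "statement_2021-02.pdf").write_bytes(b"message digest")
    (folder / "statement_2021-03.pdf").write_bytes(b"hello!")  # one byte appended: tampered
    (folder / "taxreturn_2020.pdf").write_bytes(b"not in the reference report")
    return folder


if __name__ == "__main__":
    report = verify_against_reference(build_demo_folder(), REFERENCE_MD5)
    for bucket, entries in report.items():
        print(f"{bucket:13s} {entries}")
```

The four buckets matter as much as the match itself: a file with no reference value is unverified rather than verified, and a reference value with no file on disk is the first sign of a deletion.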
Layer 2: PDF Internal Metadata
What it is
Every PDF file contains an internal metadata stream that records, among other things, the software that created it, the device it was produced on, and the dates it was created and last modified. This information is embedded inside the file itself — separate from filesystem timestamps and independent of the operating system.
We extracted the internal metadata from all 324 PDF documents. The bank statements consistently identified their creator as the authorized vendor responsible for generating those statements on behalf of the financial institution. The tax filings consistently identified specific Xerox scanning devices. All modification dates recorded within the PDFs predated the download date.
If someone had edited one of these PDFs — even using a tool that tried to hide the changes — the Creator and Producer fields would typically change to reflect the editing software. We saw no such changes. Every file's internal metadata was consistent with an authentic, unaltered original.
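An added example, not code from the original article, of reading the internal metadata described above and applying the checks the passage implies: it pulls Creator, Producer, CreationDate and ModDate out of the Info object that the last trailer points to, converts the PDF date string to UTC, compares ModDate to the download date, checks Producer against the expected vendor, and counts %%EOF markers, because a re-save in an editor normally appends an incremental update with a second trailer. The two PDFs, the vendor name "VendorPDF", the editor name and the download date are all constructed. Real statements may keep their metadata in a compressed object stream or in XMP, which this plain regex pass would not see; a PDF library is the production tool.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date syntax: D:YYYYMMDDHHmmSSOHH'mm' where O is Z, + or -; everything after
# the year is optional.
PDF_DATE = re.compile(
    r"(?:D:)?(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+\-])?(\d{2})?'?(\d{2})?"
)


def parse_pdf_date(text):
    """Turn a PDF date string like D:20210105093012-05'00' into an aware UTC datetime."""
    m = PDF_DATE.match(text.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    dt = datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0))
    if sign in ("+", "-"):
        offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        dt = dt.replace(tzinfo=timezone(-offset if sign == "-" else offset))
    else:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def extract_info(data):
    """Locate the Info dictionary via the last trailer and read its literal-string fields."""
    trailers = re.findall(rb"trailer\s*<<(.*?)>>", data, re.S)
    info = {}
    if not trailers:
        return info
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", trailers[-1])
    if not ref:
        return info
    num, gen = ref.group(1), ref.group(2)
    # An incremental update re-emits the object; the last copy in the file is current.
    objs = re.findall(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", data, re.S)
    if not objs:
        return info
    body = objs[-1]
    for key in (b"Creator", b"Producer", b"CreationDate", b"ModDate"):
        m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", body)
        if m:
            info[key.decode()] = m.group(1).decode("latin-1")
    return info


def audit_pdf(data, download_date, expected_producers):
    """Return the metadata plus a list of findings that would need explaining."""
    info = extract_info(data)
    flags = []
    eof_count = data.count(b"%%EOF")
    if eof_count > 1:
        flags.append(f"{eof_count} %%EOF markers: incremental update present (file re-saved)")
    producer = info.get("Producer", "")
    if not any(p.lower() in producer.lower() for p in expected_producers):
        flags.append(f"unexpected Producer: {producer!r}")
    mod = parse_pdf_date(info["ModDate"]) if "ModDate" in info else None
    if mod is not None and mod > download_date:
        flags.append(f"ModDate {mod.isoformat()} is after the download date")
    return {"info": info, "mod_date": mod, "eof_markers": eof_count, "flags": flags}


# Constructed minimal PDF standing in for a vendor-generated bank statement.
ORIGINAL_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Creator (Statement Generator 4.2) /Producer (VendorPDF Library 2.0)
/CreationDate (D:20210105093012-05'00') /ModDate (D:20210105093012-05'00') >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# The same file after being opened and re-saved in an editor (constructed): an
# incremental update appends a replacement Info object and a second trailer.
EDITED_PDF = ORIGINAL_PDF + b"""3 0 obj << /Creator (Statement Generator 4.2) /Producer (DeskEditor Pro 11)
/CreationDate (D:20210105093012-05'00') /ModDate (D:20240310141500Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R /Prev 0 >>
%%EOF
"""

DOWNLOAD_DATE = datetime(2023, 6, 14, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for label, pdf in (("original", ORIGINAL_PDF), ("edited", EDITED_PDF)):
        print(label, audit_pdf(pdf, DOWNLOAD_DATE, ["VendorPDF"]))
```

The edited copy trips all three checks at once: a second %%EOF, a Producer that names an editor rather than the vendor library, and a ModDate after the download date. Any one of them alone is a question for the report, not a conclusion.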
Layer 3: Filesystem Timestamps
What it is
The NTFS filesystem used by Windows records when each file was created, modified, and last accessed. These timestamps are stored in the Master File Table (MFT) and are distinct from anything inside the file itself.
All 325 files carried filesystem Created and Modified timestamps within a two-minute window on the same day — the date the files were downloaded. This two-minute spread across 325 files is the signature of a ZIP archive extraction: the files are written to disk sequentially, one after another, creating a tight cluster of timestamps.
No file had a Modified timestamp after the download date. If any file had been edited and re-saved, its Modified timestamp would have updated. None did.
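As an added illustration (not the article's or AXIOM's code) of the timestamp reasoning above: records are modelled as the raw 64-bit FILETIME values the MFT actually stores, converted to UTC, then checked for (a) a tight Created-time spread on the download day, which is the extraction signature the text describes, and (b) any Modified time later than the download day. The 325 records, the 300 ms spacing, the download date and the one planted anomaly are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """MFT timestamps are 64-bit counts of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


# Constructed scenario: the download day and the moment the ZIP was extracted.
DOWNLOAD_DAY = datetime(2023, 6, 14, tzinfo=timezone.utc)
EXTRACT_START = datetime(2023, 6, 14, 10, 2, 0, tzinfo=timezone.utc)


def build_demo_records(count=325):
    """Constructed $STANDARD_INFORMATION-style records: one file written every 300 ms."""
    records = []
    for i in range(count):
        ft = datetime_to_filetime(EXTRACT_START + timedelta(milliseconds=300 * i))
        records.append({"name": f"doc_{i:03d}.pdf", "created": ft, "modified": ft})
    # One planted anomaly: a file re-saved months after the download.
    records[42]["modified"] = datetime_to_filetime(
        datetime(2024, 2, 1, 15, 0, tzinfo=timezone.utc))
    return records


def analyze_timestamps(records, download_day, max_spread=timedelta(minutes=2)):
    """Check for the bulk-extraction signature and for any later modification."""
    day_end = download_day + timedelta(days=1)
    created = [filetime_to_datetime(r["created"]) for r in records]
    spread = max(created) - min(created)
    outside = [r["name"] for r, c in zip(records, created)
               if not (download_day <= c < day_end)]
    modified_after = [(r["name"], filetime_to_datetime(r["modified"]).isoformat())
                      for r in records if filetime_to_datetime(r["modified"]) >= day_end]
    return {
        "count": len(records),
        "created_spread_seconds": spread.total_seconds(),
        # All Created times on the download day and packed within max_spread:
        # what sequential writes from one archive extraction look like.
        "bulk_extraction_signature": spread <= max_spread and not outside,
        "created_outside_download_day": outside,
        "modified_after_download_day": modified_after,
    }


if __name__ == "__main__":
    for key, value in analyze_timestamps(build_demo_records(), DOWNLOAD_DAY).items():
        print(f"{key}: {value}")
```

Working from the raw FILETIME values rather than a tool's pre-formatted strings avoids the time-zone ambiguity that otherwise creeps in when an examiner's workstation and the subject machine sit in different zones.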
Layer 4: Windows Shell Link (LNK) Files
What it is
When you open a file through Windows Explorer or a standard Open dialog, the operating system writes a shortcut file called a Shell Link or .lnk file into the user's Recent Items folder. These are stored separately from the target file and record the target's metadata — including its size and timestamps — at the moment you opened it. They persist even if the target file is later changed or deleted.
We analyzed 1,576 LNK files recovered from the forensic image. Among them were shortcut files pointing to the source ZIP archive containing the documents. Those LNK records showed that the archive was first opened on the same day it was downloaded, and had been accessed several more times in the months since. Critically, the target Modified timestamp recorded by each LNK file — capturing the state of the ZIP at each access — was identical every time: the original download date. The ZIP itself had never changed.
LNK files are particularly valuable because they are created by the operating system automatically, without any user involvement, and are stored in a different location from the files they reference. They are difficult to fabricate convincingly, and the data they contain at each access is a snapshot of the target's state at that moment in time.
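An added example, not part of the original article, that parses the fixed 76-byte ShellLinkHeader at the start of every .lnk file (the layout given in Microsoft's MS-SHLLINK specification) and then applies the consistency test described above across several shortcuts to the same archive: if the recorded target Modified time and size are identical in every snapshot, the target did not change between accesses. The .lnk blobs are constructed header-only shortcuts (LinkFlags of zero, so no structures follow the header); the archive size and the access dates are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046}, serialized little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def is_shell_link(data):
    """Header size 0x4C followed by the shell-link CLSID identifies a .lnk."""
    return len(data) >= LNK_HEADER_SIZE and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE \
        and data[4:20] == LNK_CLSID


def parse_shell_link_header(data):
    """Read the ShellLinkHeader: the target's timestamps and size as they were
    when the shortcut was written (MS-SHLLINK section 2.1)."""
    if not is_shell_link(data):
        raise ValueError("not a shell link header")
    _size, _clsid, flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    return {
        "link_flags": flags,
        "file_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
    }


def build_demo_lnk(target_modified, target_size, target_accessed):
    """Constructed header-only .lnk. Real files carry an ID list and string data
    after these 76 bytes, but the target snapshot lives in the header."""
    ft = datetime_to_filetime
    return struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, 0x0, 0x20,          # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
        ft(target_modified), ft(target_accessed), ft(target_modified), target_size,
        0, 1, 0, 0, 0, 0,                               # IconIndex, ShowCommand, HotKey, Reserved1-3
    )


def check_target_consistency(lnk_blobs):
    """Across every shortcut to one target, Modified time and size should never differ."""
    snapshots = [parse_shell_link_header(b) for b in lnk_blobs]
    modified = {s["target_modified"] for s in snapshots}
    sizes = {s["target_size"] for s in snapshots}
    return {
        "snapshots": len(snapshots),
        "distinct_modified_times": sorted(m.isoformat() for m in modified),
        "distinct_sizes": sorted(sizes),
        "target_unchanged": len(modified) == 1 and len(sizes) == 1,
    }


# Constructed case: one ZIP archive opened four times over eleven months.
ZIP_MODIFIED = datetime(2023, 6, 14, 9, 58, 0, tzinfo=timezone.utc)
ZIP_SIZE = 48_213_904
ACCESS_TIMES = [
    datetime(2023, 6, 14, 10, 1, tzinfo=timezone.utc),
    datetime(2023, 9, 2, 8, 15, tzinfo=timezone.utc),
    datetime(2024, 1, 19, 16, 40, tzinfo=timezone.utc),
    datetime(2024, 5, 7, 11, 5, tzinfo=timezone.utc),
]


def demo_unchanged():
    return check_target_consistency(
        [build_demo_lnk(ZIP_MODIFIED, ZIP_SIZE, t) for t in ACCESS_TIMES])


def demo_altered():
    """Constructed counter-case: the archive is rewritten before the third access."""
    blobs = [build_demo_lnk(ZIP_MODIFIED, ZIP_SIZE, t) for t in ACCESS_TIMES[:2]]
    blobs += [build_demo_lnk(ACCESS_TIMES[2] - timedelta(days=3), ZIP_SIZE + 1024, t)
              for t in ACCESS_TIMES[2:]]
    return check_target_consistency(blobs)


if __name__ == "__main__":
    print("unchanged:", demo_unchanged())
    print("altered:  ", demo_altered())
```

In a real examination the snapshots come from every .lnk that resolves to the same target path, wherever they were recovered (Recent Items, jump lists, unallocated space), which is what makes the agreement across them independent of any single file.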
Layer 5: Registry and Deletion Artifacts
We also examined Windows ShellBag registry entries (which record folder navigation history) and the Windows Recycle Bin artifacts. The Recycle Bin was entirely empty — no case documents had been deleted and placed there. The ShellBag records confirmed normal user access to the document folders, consistent with reviewing the files rather than manipulating them.
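An added example (not the article's code) for the Recycle Bin check above: the $I index file that Windows writes beside each deleted item under $Recycle.Bin\<SID>\ records the item's original path, size and deletion time, and parsing those records is how "empty" or "no case documents deleted" is established rather than assumed. The parser handles the Vista-era version 1 layout (fixed 260-character name) and the Windows 10 version 2 layout (length-prefixed name); the records, paths and case folder are constructed. ShellBags need a registry hive parser and are not covered here.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_index_record(data):
    """Parse one $I file: version (8 bytes), original size (8), deletion FILETIME (8),
    then the original path as UTF-16LE (v1: fixed 520 bytes; v2: 4-byte char count first)."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    elif version == 1:
        raw = data[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    name = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": name, "size": size, "deleted": filetime_to_datetime(deleted_ft)}


def build_demo_index(path, size, deleted, version=2):
    """Constructed $I record (version 2 by default, version 1 on request)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")
    return header + (path + "\x00").encode("utf-16-le").ljust(520, b"\x00")


def audit_recycle_bin(index_records, case_folder):
    """List every deletion and single out any that came from the case folder."""
    parsed = [parse_index_record(blob) for blob in index_records]
    prefix = case_folder.lower().rstrip("\\") + "\\"
    from_case = [p for p in parsed if p["original_path"].lower().startswith(prefix)]
    return {
        "deleted_total": len(parsed),
        "case_documents_deleted": [p["original_path"] for p in from_case],
        "earliest_deletion": min((p["deleted"] for p in parsed), default=None),
    }


CASE_FOLDER = r"C:\Users\reviewer\Documents\FinancialRecords"  # constructed


def demo_empty_bin():
    return audit_recycle_bin([], CASE_FOLDER)


def demo_unrelated_deletion():
    blob = build_demo_index(r"C:\Users\reviewer\Downloads\setup.exe", 3_145_728,
                            datetime(2023, 8, 1, 12, 30, tzinfo=timezone.utc))
    return audit_recycle_bin([blob], CASE_FOLDER)


def demo_case_deletion():
    blob = build_demo_index(CASE_FOLDER + r"\statement_2021-03.pdf", 180_224,
                            datetime(2024, 2, 1, 15, 5, tzinfo=timezone.utc), version=1)
    return audit_recycle_bin([blob], CASE_FOLDER)


if __name__ == "__main__":
    print("empty bin:          ", demo_empty_bin())
    print("unrelated deletion: ", demo_unrelated_deletion())
    print("case file deleted:  ", demo_case_deletion())
```

An empty Recycle Bin on the live filesystem is only half the picture: $I records also survive in unallocated space after the bin is emptied, and the same parser runs over carved copies.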
What We Found
Six independent evidence sources, all telling the same story:
- Cryptographic hash verification — All hashes match reference values exactly
- PDF internal metadata — All consistent with authenticated origins; no edit signatures detected
- Filesystem timestamps — All 325 files share download-day timestamps; none modified since
- Shell Link (LNK) records — Archive confirmed unmodified across every access event
- Recycle Bin — Empty; no documents deleted
- Registry (ShellBags) — Consistent with normal folder access; no anomalies
Every layer of evidence told the same story: the documents had been downloaded once, on a specific date, and had not been touched since. The finding corroborated the conclusions of the independently prepared reference report, which had reached the same conclusion through a different approach.
"The finding was consistent across six independent evidence sources. When that many independent lines of evidence agree, the conclusion becomes very hard to challenge."
Why Multiple Evidence Layers Matter
Any single piece of evidence can theoretically be challenged. Timestamps can be manipulated. Metadata can be edited. Individual artifacts can be questioned. But when six independent sources — each recorded by a different mechanism, stored in a different location, and examined with a different tool — all arrive at the same conclusion, the story becomes extremely difficult to dispute.
This is the core principle behind layered forensic analysis: not just finding one answer, but finding the same answer through multiple independent paths. The more evidence converges, the stronger the conclusion.
In this case, the convergence was complete. Cryptographic mathematics, PDF internal metadata, filesystem records, operating system artifacts, and registry data all agreed. The documents were authentic and unaltered.
What This Means for You
Whether you're in litigation, responding to a regulatory inquiry, conducting an internal investigation, or simply trying to verify the integrity of records you've received, digital forensics can answer the question definitively — not with guesswork, but with evidence.
The methods described here work on any Windows computer, for any document type, and produce findings that can be presented in legal proceedings. If the question is "were these files changed?", forensic analysis is how you get a defensible answer.
Need to verify document integrity? Data Rescue Labs conducts forensic examinations for legal matters, internal investigations, and corporate due diligence. Our findings are documented in formal reports suitable for court or regulatory use. Contact us to discuss your case.