Skip to main content
K
Kay389613723evo
Participating Frequently
August 7, 2024
Question

metadata analysis and attempting to recreate forensic document

  • August 7, 2024
  • 3 replies
  • 725 views

I am attempting to recreate a pdf document to duplicate what a user has done.

Metadata-wise I used autopsy to view the metadata as document properties in adobe gave me nothing.

I was able to find the following info below (first pic).  HOW was this file created?  Because when I do what I believe the user did - use Adobe Scan on an iOS phone I do not get this metadata at all. I get something else which I will attach below for comparison (2nd pic).  

HOW CAN I RECREATE the first pic pdf?  OR how as it done?

This topic has been closed for replies.

3 replies

A
Ali_h3333
Participant
August 11, 2024

display all data

K
Kay389613723evoAuthor
Participating Frequently
August 25, 2024

THIS IS ALL of the metadata, I believe it has been sanitized AND I believe those adobe scan ios 24.04.16 has been manually added otherwise they would be stripped out by sanitize....ive tested that.  I think this was done to HIDE the applications actually used and mislead

------------------------------METADATA------------------------------
Content-Type: application/pdf X-Parsed-By: org.apache.tika.parser.DefaultParser access_permission:assemble_document: true

access_permission:can_modify: true

access_permission:can_print: true

access_permission:can_print_degraded: true

access_permission:extract_content: true

access_permission:extract_for_accessibility: true

access_permission:fill_in_form: true

access_permission:modify_annotations: true

dc:format: application/pdf; version=1.3

pdf:PDFVersion: 1.3 pdf:charsPerPage: 0

pdf:docinfo:creator_tool: Adobe Scan for iOS 24.04.16

pdf:docinfo:producer: Adobe Scan for iOS 24.04.16

pdf:encrypted: false pdf:hasMarkedContent: false

pdf:hasXFA: false pdf:hasXMP: false

pdf:unmappedUnicodeCharsPerPage: 0

producer: Adobe Scan for iOS 24.04.16

xmp:CreatorTool: Adobe Scan for iOS 24.04.16

xmpTPg:NPages: 1

Amal.
Community Manager
Amal.Community Manager
Community Manager
August 8, 2024

Hi @Kay389613723evo 

 

Hope you are doing well and thanks for reaching out.

 

We have investigated this issue on both iOS and Android platforms. Using Autopsy to analyze the document properties metadata, we found that in both cases, the XMP Creator tool name is displayed as Adobe Scan. Please refer to the attached screenshots for details.

 

For iOS:

 

For Android:

 

Regards
Amal

K
Kay389613723evoAuthor
Participating Frequently
August 8, 2024

HI Amal,

thank you however I believe the document was first edited using something else.  I SHOULD HAVE added the following metadata as well - NOTICE THE SECOND LINE parsed by...what does this mean?

K
Kay389613723evoAuthor
Participating Frequently
August 7, 2024

Is it possible the edited template file (i know it is a template from microsoft invoice templates) that i am trying to get information on, WAS CREATED IN ADOBE ILLUSTRATOR?  Hence the field xmp:CreatorTool: Adobe Scan for iOS 24.04.16?

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices