I am examining a PDF document and trying to determine the *earliest* date it could have been created. The original document is lost and the copy has been passed around several times so the file system metadata is useless. Internally in the XMP metadata, there are no data for create/modify dates, but it does list the XMP Toolkit version:
x:xmptk="Adobe XMP Core 5.4-c006 80.159825, 2016/09/16-03:31:08 "
My question is simply this: When was this version released? It looks like September 16, 2016 but I cannot confirm this anywhere. I believe the version release date would establish the very earliest date the PDF could have been created.
Thanks to anyone who can help!
The XMP data can vary from file to file, since what information is stored in it, if any, depends on the application used to create it. So you can find date information in almost every one of the subtrees. Most common is XMP Core and xmpMM:history.
1. Nothing in a PDF except digital signatures with an outside certification has any forensic value. All of it is trivially easy to fake.
2. For idle curiosity you could use an internal creation date.
3. A great many tasks, which many people consider entirely normal, will completely recreate one PDF from another, so the creation date proves nothing about the actual origin.
4. Adobe may well have been using an XMP version before its formal release date.
Much appreciated!
One follow-up question: Do you believe that an Adobe product could have used an XMP version more than 2 years prior to its formal release date?
Thanks again
Read this article by Arman Gungor (forensic examiner): https://www.meridiandiscovery.com/articles/pdf-forensic-analysis-xmp-metadata/
You may want to also look into deep file inspection from In-Quest Labs.
I believe that if you keep dismantling this topic someone may get banned from the forums. That said, I can't post here all of the resourceful links that I would love to share, and that may have all the answers to your inquiries.
Your journey, however, should begin with learning how to examine XMP IDs and how to use them as pivot and detection anchors. And that is all there is.
Like Test Screen Name mentioned, there's not a lot of useful forensic XMP data, unless you take some serious time to learn how to examine the timezones and compare their offsets with the dates associated with when the document was created, then modified, saved, etc. subsequently (explained in more detail in the link I posted for you above).
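
An added example, not written by anyone in this thread: a Python consistency check that pulls the `x:xmptk` build stamp, the XMP date fields and the XMP IDs out of a PDF's raw bytes and lists any date that claims to be earlier than the toolkit build. It assumes the XMP packet is stored uncompressed; the function names, the sample dates and the sample ID are constructed, and only the `x:xmptk` value is taken from the question above.

```python
import re
from datetime import datetime

# Constructed, trimmed sample: only the x:xmptk value comes from the thread.
SAMPLE = b"""%PDF-1.6
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.4-c006 80.159825, 2016/09/16-03:31:08        ">
 <rdf:Description xmp:CreateDate="2014-05-02T10:15:00-04:00"
                  xmp:ModifyDate="2017-01-09T08:00:00+01:00">
  <xmpMM:DocumentID>uuid:00000000-0000-0000-0000-000000000001</xmpMM:DocumentID>
 </rdf:Description>
</x:xmpmeta>
trailer"""

PACKET = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.S)
TOOLKIT = re.compile(r'x:xmptk="([^"]*?),\s*(\d{4}/\d\d/\d\d-\d\d:\d\d:\d\d)\s*"')
FIELD = re.compile(r'(?<=[<\s])(xmp:(?:Create|Modify|Metadata)Date|xmpMM:(?:Document|Instance)ID)'
                   r'(?:="([^"]*)"|>([^<]*)<)')

def xmp_packets(data):
    """Return every uncompressed XMP packet found in the raw file bytes."""
    return [m.group(0).decode("utf-8", "replace") for m in PACKET.finditer(data)]

def toolkit_build(packet):
    """Split x:xmptk into (toolkit name, naive build timestamp), or None."""
    m = TOOLKIT.search(packet)
    return (m.group(1).strip(), datetime.strptime(m.group(2), "%Y/%m/%d-%H:%M:%S")) if m else None

def xmp_fields(packet):
    """Collect date and ID properties, written as attributes or as elements."""
    return {name: (attr or elem).strip() for name, attr, elem in FIELD.findall(packet)}

def dates_before_toolkit(packet):
    """List date fields that claim a time earlier than the toolkit build stamp."""
    build = toolkit_build(packet)
    if build is None:
        return []
    flagged = []
    for name, value in xmp_fields(packet).items():
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            continue  # IDs and partial dates cannot be compared
        # Coarse comparison: the build stamp carries no UTC offset.
        if when.replace(tzinfo=None) < build[1]:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(dates_before_toolkit(xmp_packets(SAMPLE)[0]))
```

A flagged field only shows that the packet's own values disagree with each other; as the replies above point out, every one of these values can be rewritten or regenerated.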