• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Help interpreting XMP metadata

Community Beginner ,
Aug 24, 2020 Aug 24, 2020

Copy link to clipboard

Copied

I am examining a PDF document and trying to determine the *earliest* date it could have been created. The original document is lost and the copy has been passed around several times so the file system metadata is useless. Internally in the XMP metadata, there are no data for create/modify dates, but it does list the XMP Toolkit version:

x:xmptk="Adobe XMP Core 5.4-c006 80.159825, 2016/09/16-03:31:08 "

My question is simply this: When was this version released?  It looks like September 16, 2016 but I cannot confirm this anywhere.  I believe the version release date would establish the very earliest date the PDF could have been created.

Thanks to anyone who can help!

TOPICS
Acrobat SDK and JavaScript

Views

1.2K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 24, 2020 Aug 24, 2020

Copy link to clipboard

Copied

The XMP data can vary from file to file, since it depends on the appliacation used to create it, what information are stored into it. if any. So you can find date information in almost every of the subtrees. Most common is XMP Core and xmpMM:history.

 

radzmar_0-1598338335503.png

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Aug 25, 2020 Aug 25, 2020

Copy link to clipboard

Copied

1.  Nothing in a PDF except digital signatures with an outside certification has any forensic value. All of it is trivially easy to fake. 

2. For idle curiousity you could use an internal creation date.

3. A great many tasks, which many people consider entirely normal, will completely recreate one PDF from another, so the creation date proves nothing about the actual origin.

4. Adobe may well have been using an XMP version before its formal release date.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Aug 30, 2020 Aug 30, 2020

Copy link to clipboard

Copied

Much appreciated!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Aug 30, 2020 Aug 30, 2020

Copy link to clipboard

Copied

One follow up question: Do you believe that an Adobe product could have used an XMP version more than 2 years prior to its formal release date?

 

Thanks again

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 31, 2020 Aug 31, 2020

Copy link to clipboard

Copied

LATEST

Read this article by Arman Gungor (forensic examiner): https://www.meridiandiscovery.com/articles/pdf-forensic-analysis-xmp-metadata/

 

You may want to also look into deep file inspection from In-Quest Labs.

 

I believe that if you keep dismantling this topic someone may get banned from the forums. That said, I can't post here all of the resourful links that I would love to share, and that  may have all the answers to your inquiries.

 

Your journey, however, should begin with learning how to examine XMP ID's and how to use them as pivot and detection anchors. And that is all there is. 

 

Like Test Screen Name mentioned, there's not a lot useful forensic XMP data, unless you take some serious time to learn how to  examine the  timezones and compare their offsets with the dates associated when the document was created, then modified , saved, etc . subsequently (explained in more detail in the link I posted for you above).

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines