Authenticity is not a file property, it is a conclusion reached through forensic examination of evidence and context. For lawyers managing disclosure exercises, evidential challenges and shifting procedural expectations, that distinction is increasingly a practical one.
Historically, documents were often treated as broadly reliable because physical alteration left visible traces. Paper files, ink impressions and even photocopies carried natural constraints that anchored them in time and place. The assumption that documents carry some degree of built-in reassurance no longer holds. Today, documents are born digital, endlessly duplicated, easily altered, and frequently detached from their original context.
In disputes and investigations, the ability to substantiate how and when a document was created can materially affect its evidential weight. Questions of origin, integrity and the reliability of the systems that produced the material are increasingly intertwined with disclosure strategy and case theory, particularly as digital editing and generative AI tools become more powerful and accessible.
This three-part series looks at trust in the digital age from a practical perspective, focusing on the areas that most often arise in contentious matters: documents, chat communications and, increasingly, AI-generated or manipulated media. In this first article, Katarina Zotovic, Associate on S-RM’s Digital Forensics team, examines why trust can no longer be assumed when it comes to digital documents, and how authenticity must instead be established in a clear and defensible way.
What is a ‘document’ today?
The term document has expanded far beyond physical contracts and letters, now including collaboratively edited cloud files, screenshots presented as records, system-generated reports, and files assembled from templates.
Understanding what a document is requires understanding how it came to be. A scanned image may obscure digital edits. A PDF may have passed through multiple applications before reaching its final form. A collaboratively edited file may reflect layers of revision history invisible at first glance.
A simple document presented on screen can therefore be surrounded by a complex technical lifecycle.
What do forensic examiners actually investigate in a document?
Document forensics is not about labelling a file as “real” or “fake”; rather, it is about evaluating the veracity of the claims made about it. That process often involves questions like:
- Who created it?
- When was it created, and when was it last modified?
- What platform(s) was used to create, modify, or otherwise handle the document?
- Have its contents been altered?
- Was it generated natively or derived from another source?
- Does it align with the surrounding contextual evidence?
Each question shifts the analysis beyond the document itself toward the evidential narrative it is being relied upon to support. Where examiners have access to the devices or systems on which the document was created, edited, or stored, the analysis can extend even further, revealing forensic artifacts pertaining to how the document has been handled or shared, and other contextual evidence that helps build a more comprehensive and reliable picture about the document’s lifecycle.
For example, consider that Figure 1 below is an invoice whose authenticity is being disputed.
Figure 1: Disclosed, disputed Invoice
In the absence of any additional disclosed evidence, forensic examiners first conduct a granular review of the document’s metadata to understand what information is available about its lifecycle. Analysis of the document revealed several indicators that modifications had occurred, with one particularly informative element being the revision history.
Figure 2: Excerpt of Figure 1 metadata
In this instance, the revision history indicates that changes to the document have been made – Figure 1 is not the original version but rather a part of a sequence of revisions. This finding naturally raises further questions: firstly, what changed between versions and when; secondly, where are the earlier versions and on what systems might they reside? It also prompts consideration of whether additional documents, drafts, or related files may exist that have not yet been disclosed.
Through the analysis, forensic examiners are able to reconstruct and view the previous versions, though it does not provide visibility into how and when the edits were made, or by whom. However, this finding now provides the basis to request access to the devices on which the invoice has been handled. Further analysis of those systems ultimately leads to the identification of Figure 3: the original invoice.
Figure 3: Original invoice
The difference between the two invoices lies in the sort code and account number. While these may appear to be minor edits of only two characters, such small changes can be difficult to detect during a routine review yet have significant consequences. From a forensic perspective, differences of this nature prompt further examination beyond simply identifying what was changed; the analysis can also focus on who made the edits and when they were made. This information can help reconstruct the document’s editing history, showing how the content evolved from the original version to the disputed one, and whether the changes are consistent with the expected handling of the document.
Forensic analysis in practice
As illustrated in the figures above, metadata is often a starting point in assessing a document’s authenticity. Fields such as creation timestamps, author, and application versions can all provide valuable insight, but they should be treated as a narrative layer rather than definitive evidence.
Importantly, metadata can be altered, stripped, regenerated, or inadvertently overwritten through routine handling. Inconsistencies between fields, or the absence of expected data, can be as informative as any consistent records. This also means, however, that it can be easily misinterpreted. The same field may be populated differently depending on the device, software or workflow used.
The richest insights often come from combining metadata with access to the devices and accounts where the document was handled. In the invoice example, reviewing the revision history flagged that the file had previous versions, prompting forensic investigators to examine the relevant systems to understand the context of the wider narrative and allegations – are these changes legitimate activity or is it evidence to suggest that the document has been tampered with? The forensics team was able to identify who made changes, when they occurred, and whether the document had been transferred, leading to the discovery of the original invoice in Figure 3. By linking internal metadata with external system artefacts, investigators can reconstruct a more complete and reliable picture of a document’s lifecycle.
Conclusion
In today’s digital environment, documents can no longer be assumed to be reliable based solely on appearance. Authenticity must be established through careful forensic analysis of metadata, content, and supporting technical artifacts, as any inconsistencies can reveal subtle indicators of alteration, reconstruction, or complex handling history. Ultimately, forensic investigators do not determine whether a document is authentic in isolation; they assess whether the available technical and contextual evidence reliably supports the narrative presented.
