This presentation is part of PDF Days Europe 2025.
In Defense of the Incremental Save
PDF Forensics best friend?
About the presenter(s)
Cherie Ekholm is a Product Strategy Lead at Verisk. She began working on PDF standards in 2007 while working at Microsoft in the Office business unit. Cherie represented Microsoft in …
Description
One of the hardest things to prove when examining potentially fraudulent documents is intent. Did a person intend to commit fraud by changing a PDF, or were they simply updating a file as part of normal workflow? This difficulty comes about partly because, no matter who says otherwise, PDF is not a true “fixed format”. It is malleable, changeable, and infinitely editable. Making forensic examination of documents ever more difficult, PDF files are used legitimately in a number of valid workflows where change is expected – optimizing for web view, filling in forms, and adding signatures or notary stamps are just a few examples. How can an examiner better understand what is legitimate workflow, and what is potentially fraudulent?
The PDF format offers a relatively robust way to track changes within documents: the incremental save. Cross-reference tables and streams allow us to track generations of changes within a PDF file. So long as the user or editing tool does not perform a full save (Save As) action, the changes remain available to us and allow us to even rebuild previous generations of many documents. While seeing previous versions may not get us all the way to intent in every document, it certainly gets us a lot closer upon inspection of earlier versions and comparison among those versions.
Unfortunately, fewer and fewer PDF editing tools perform incremental saves. This is problematic.
This presentation will briefly review what incremental saves are and how the cross-reference tables and streams work. Our primary focus will be to show how incremental saves can be used to examine documents. We’ll also touch on other reasons that incremental saves might be your best friend too.
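As an added illustration (not material from the presentation), the sketch below shows how an examiner can split an incrementally saved PDF into its generations and list which objects a later save redefined. The function names and the sample file are constructed for this example; it assumes classic uncompressed objects, so objects stored in object streams are not listed, and `%%EOF` bytes inside a stream would need to be ruled out by hand.

```python
import re

EOF_RE = re.compile(rb"%%EOF[ \t]*\r?\n?")
OBJ_RE = re.compile(rb"(?m)^(\d+)\s+(\d+)\s+obj\b")

def split_revisions(data: bytes):
    """One dict per save: end offset, objects written, file bytes as of that save."""
    revisions, start = [], 0
    for m in EOF_RE.finditer(data):
        segment = data[start:m.end()]
        # Count the marker only if it closes an update section (startxref precedes it).
        if b"startxref" not in segment:
            continue
        objs = [(int(n), int(g)) for n, g in OBJ_RE.findall(segment)]
        revisions.append({"end": m.end(), "objects": objs, "bytes": data[:m.end()]})
        start = m.end()
    return revisions

def redefined_objects(revisions):
    """For each save after the first, object numbers that replace an earlier definition."""
    seen, report = set(), []
    for i, rev in enumerate(revisions):
        nums = {n for n, _ in rev["objects"]}
        if i:
            report.append(sorted(nums & seen))
        seen |= nums
    return report

# Constructed two-generation file; xref entries are omitted and offsets are placeholders.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 21 >>\nstream\nBT (Total: 100) Tj ET\nendstream\nendobj\n"
    b"xref\n0 5\ntrailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    # Incremental save: only the changed content stream is appended.
    b"4 0 obj\n<< /Length 21 >>\nstream\nBT (Total: 900) Tj ET\nendstream\nendobj\n"
    b"xref\n4 1\ntrailer\n<< /Size 5 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

if __name__ == "__main__":
    revs = split_revisions(SAMPLE)
    for i, rev in enumerate(revs, 1):
        print(f"generation {i}: ends at byte {rev['end']}, objects {rev['objects']}")
    print("redefined per later save:", redefined_objects(revs))
```

Writing `rev["bytes"]` of an earlier generation to a new file gives the document as it stood after that save, which can then be rendered and compared with the final version.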