Skip to main content
Metadata & Other Fraud Detectors

Learn how to interpret fraud signals

Daragh McMeel avatar
Written by Daragh McMeel
Updated over a year ago

If the data within a document are all the things you see when you open it — the words and the images that make up the document — then the metadata is everything else. This can vary depending on the filetype, from data like creation and modification dates, location information, and what software was used to create the file; to the make and model of the image capturing device for a picture; to the file history of PDFs.

When metadata looks suspicious, a signal will appear in the Fraudulent Signals box. Clicking on the signal will display the full file metadata, together with a summary of anything suspicious we've found. 

See the table below, to better understand why the various metadata signals appear and more details about how to interpret each signal.

Result

Severity

Details

Visual

Action

Date Mismatch

Low

Indicates when a document has been edited after it was created.

It is not strong enough to reject on its own and should be used in combination with another signal.

Malformed Date

Impossible dates like 13/13/2017 are sometimes present in documents which have been tampered with, or which have been created with tools which are not correctly configured. The presence of a malformed date is similar to that of a date mismatch, in that it is best regarded as supporting evidence that a document has been tampered with.

Software

Med

Indicates the software used to create the document.

If a software package such as Adobe Photoshop appears, you should reject the document.

Date mismatch
Inscribe automatically extracts and compares the creation, modification, and metadata dates of all submitted documents. If any of the dates disagree, this will be shown to the user. Sometimes dates may disagree simply because the tool which created the document has not been configured correctly. For this reason, a date mismatch is best regarded as supporting evidence that a document has been tampered with.
Sample output: "Creation and modification dates do not match"

Software
Inscribe is able to identify what software tools were used to create or modify a document, and maintains a blacklist of suspicious tools. If any tools on the blacklist were used to create or modify the submitted document, this will be shown to the user.
Sample output: "Produced with Adobe Photoshop"

Malformed date
Impossible dates like 13/13/2017 are sometimes present in documents which have been tampered with, or which have been created with tools which are not correctly configured. The presence of a malformed date is similar to that of a date mismatch, in that it is best regarded as supporting evidence that a document has been tampered with.
Sample output: "Document has malformed date in metadata"

Edited after scanning
When the text of a scanned document is edited, software must be used to recognise the characters and fonts present. This leaves evidence in the metadata of the file, and in the font information of the file. If either of these pieces of evidence is present, this will be displayed in the metadata signal.
Sample output: "Metadata indicates file has been edited during scanning process"
Sample output: "Font information indicates file has been edited during scanning process"

Added text
Some software tools keep compressed descriptions of what edits have been made within the metadata, including what text has been added. If any added text is documented in the metadata, this will be displayed in the metadata signal.
Sample output: "Text added: 123 Fake Street"

Edited metadata
Since we rely on the metadata to detect tampering, we also check that the metadata itself has not been tampered. If the metadata has been changed with a metadata modification tool, Inscribe will undo all changes made and show the original metadata. This information will be displayed in the metadata signal.
Sample output: "Metadata edited with exiftool. Showing original metadata"

Did this answer your question?