Learn

How to check whether a PDF is what it claims to be

When a PDF matters — a contract, a pay stub, a bank letter, an invoice — and something feels off, you don't need a forensic lab to learn a great deal from the file itself. A PDF carries records about its own history, and reading them in the right order tells you what the document can and cannot vouch for. Here is the checklist, strongest evidence first, with the honest limit of each step.

1. Check the digital signature, if there is one

A digital signature is cryptography embedded in the file, and it is the only part of a PDF that can be proven rather than merely suggested. If a valid signature is present and covers the whole file, the bytes you have are the bytes that were signed. If content was added after signing, that is detectable with certainty: the signature covers an earlier version, not the file in your hands. Most legitimate PDFs are unsigned, so a missing signature is not suspicious by itself — it just means your remaining evidence is metadata, which is softer.

2. Look for changes after creation

Even without a signature, a PDF records whether it was saved once or many times. A single clean export from the software that made it tells a simple story. Stacked incremental updates, a modification date later than the creation date, or revision history written by an editor all show the file was reopened and re-saved. None of that proves wrongdoing — converters and email systems re-save files innocently — but it tells you the file is not a pristine original, which is exactly what you want to know before relying on it.

3. Read the metadata, and know it can be edited

The producing software, creation and modification dates, author, and title fields say where a file came from and when. A bank statement that traces to a PDF editor instead of a banking system, or a creation date the same week as a dispute, is worth a second look. The crucial caveat: metadata is just data, and tools exist to set any field to any value. Clean metadata is supporting evidence, never proof; contradictory metadata is a stronger signal that something happened to the file.

4. When the file can't settle it, go to the source

Reading the file is fast and free, but it has a ceiling: a careful editor can produce a document whose records look clean. That is why the decisive move, whenever real money or risk rides on the document, is to get it from its origin — the bank's portal, the payroll system, the counterparty's own records — rather than from the person who handed it to you. The file check tells you whether to ask; source verification gives you the answer.

FAQ

Can I tell if a PDF was edited just by looking at it?

Often, yes — from its own records. A broken or absent signature, a modification date after creation, or stacked edit layers are all readable signals. But a skilled edit can leave clean records, so a clean result lowers the odds of tampering without proving the document's story.

Does opening or emailing a PDF change it?

Opening a file to read it does not modify it. Some viewers and email systems re-save files, which can update filesystem timestamps and occasionally the PDF's internal dates without anyone editing the content. The internal records are the more stable history, which is why an examination reads them first.

Is an unsigned PDF a red flag?

No. The large majority of legitimate PDFs are unsigned. An unsigned file simply means your evidence is metadata rather than cryptography, so your conclusions should be proportionally careful.