Forged Documents

I’ll give you a clear, practical playbook you can use right now to gather and preserve proof that a paper or digital document is forged. I’ll cover what to look for, how to preserve evidence so it’s legally useful, what tests experts run, and concrete templates you can copy (chain-of-custody log, email to police/expert). I’m not a lawyer — if this leads to criminal/civil action you should also contact a lawyer and the police in your jurisdiction.

Quick principles (do these first)

  1. Don’t alter the original. Never erase, annotate, or fold the suspect original. Any change damages admissibility.
  2. Preserve chain of custody. Record exactly who had the document, when, and where. (Template below.)
  3. Make high-quality copies, but keep the original safe. Photograph and scan at the highest resolution possible. Store originals in a sealed envelope or plastic sleeve.
  4. Note context and witnesses. Jot down when/where you got the doc, who gave it, and any witnesses; obtain written statements if possible.
  5. Stop communication with the suspected forger. Keep all messages, emails, WhatsApp chats, calls records and metadata. Don’t destroy or edit them.

What to collect — paper documents

  • Original document (the single most important item).
  • High-res photographs: flat, perpendicular, include a ruler/scale, take close-ups of signatures, stamps, seals, dates, watermarks. Use natural daylight or a bright, even lamp.
  • High-resolution scans (300–600 DPI or higher). Save as TIFF or PDF/A if available.
  • Copies/documents related: any earlier versions, emails attaching the doc, printouts, fax headers.
  • Physical context: envelope, postmark, sticky notes, stamps, receipts, any handling marks.
  • Witness statements: short signed statements from anyone who saw the document created, signed, handed over, or notarized. Include date/time/place.
  • Chain-of-custody log (see template below).

What to collect — digital documents

  • Original electronic file(s) (Word, PDF, image) — don’t open and re-save; work from copies.
  • Email headers and full messages (showing sender, timestamps, IPs when possible).
  • File metadata (file creation/modification timestamps, author fields, PDF/XMP metadata, printer/producer strings).
  • Version history (Google Docs revision history, SharePoint/Dropbox logs).
  • Server logs or hosting records if available.
  • Hashes: compute a SHA-256 (or SHA-1) hash of the original file and store that checksum to prove later versions changed. Example command lines you can use locally:
    • macOS / Linux: sha256sum suspect.pdf
    • Windows (PowerShell): Get-FileHash .\suspect.pdf -Algorithm SHA256
      Save the hash in writing and attach to your chain-of-custody.

Signs of forgery to note (what experts check)

  • Handwriting/signature inconsistencies: stroke direction, pressure, rhythm, letter forms.
  • Inconsistent ink or pen types: different inks or inks that don’t match the claimed signing time.
  • Altered dates or numbers: different fonts, misaligned text, overwritten numerals.
  • Typeface / font mismatch in supposedly original print (e.g., modern font with old-looking date).
  • Paper stock / watermark mismatch: weight, fiber, and watermark inconsistent with expected source.
  • Stamp/embossing anomalies: partial impressions, misaligned seals, smudging.
  • Digital red flags: metadata showing different author/creation dates, edits after the claimed date, inconsistent PDF producer strings, or suspicious OCR layers.
    Document these visually (photos + notes).

Technical tests forensic examiners use

  • Handwriting/signature analysis by a forensic document examiner (graphologist/forensic handwriting expert).
  • Ink analysis (e.g., thin-layer chromatography) to identify ink types and whether writing was added later.
  • Paper/fiber analysis and watermark verification.
  • Electrostatic detection (ESDA) for indentations showing earlier writing.
  • Spectral/infrared imaging to reveal erased or overwritten content.
  • Digital forensics for files and metadata, file system timestamps, log analysis, email tracebacks, and cryptographic hashing.

How to engage experts & authorities

  1. Contact a certified forensic document examiner (look for credentials and courtroom experience). Ask for a written, signed report describing methods and conclusions.
  2. Contact a lawyer experienced in fraud/forgery — they’ll advise on criminal complaint vs civil claim.
  3. File a police report (bring originals, copies, chain of custody, witness statements). In Spain you’d go to Policía Nacional, Guardia Civil, or the local police depending on context — the police can seize evidence and open criminal proceedings.
  4. Preserve digital logs by exporting them (emails, cloud service logs) and ask providers for official records if needed (subpoena through lawyer/police may be required).

Chain-of-custody log (copy this)

CHAIN OF CUSTODY LOG — Suspected Forged Document

Document ID: [unique ID or short name]
Description: [type of document, e.g., "Notarized property sale contract"]
Date document obtained: [YYYY-MM-DD]    Time: [HH:MM]
Obtained from (name/contact): [name, relationship]
Location obtained: [address/place]
Condition on receipt: [e.g., flat, folded, sealed envelope, stains, tears]

Item stored in: [e.g., sealed envelope #1, plastic sleeve, drawer]
Storage location: [address or secure location]

Record of transfers:
1) Date: [YYYY-MM-DD] Time: [HH:MM]  From: [name]  To: [name]  Purpose: [e.g., photographed]
   Method: [hand-delivered/courier/emailed copy]
   Notes: [observations]

2) Date: ... (continue for every transfer)

Digital file handling (if any):
- Original filename: [filename.ext]
- Hash (SHA-256): [hexadecimal hash]
- Where original file stored: [path or device]
- Copies made (who, when, why): [details]

Signed by person responsible: ____________________  Date: __________

Example email to police / forensic examiner (paste & edit)

Subject: Possible Forgery — Request to Open Investigation / Expert Examination

Body:

Dear [Officer / Dr. Surname],
I am writing to report a suspected forged document and to request [police investigation / forensic examination]. Summary: on [date] I received [document type] that purports to be [what it claims]. I have attached photocopies and preserved the original. Key concerns: [short bullet list of suspicious features — signature appears inconsistent, date overwritten, suspicious metadata].
I have preserved chain-of-custody logs and can bring the original to [police station / your lab]. Please advise the next steps. I am available at [phone/email].
Regards,
[Name, address, contact]

Handling digital evidence safely

  • Work from copies. Create and store checksums.
  • Export full email headers (not just the visible body). In Gmail: “Show original” → download.
  • If a cloud service (Google/Dropbox) is involved, request account activity logs (lawyer/police can request provider records).
  • If the document was printed, see if print headers or printer spool logs exist (corporate IT can help).

What you should not do

  • Don’t try to “improve” low-quality scans or open in unknown tools that rewrite metadata.
  • Don’t let other people handle or “test” the document without logging it.
  • Don’t publicly accuse someone before you have evidence — this can create legal exposure for you.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.