How to Verify a Leaked Document: 7 Forensic Checks Before You Cite It
By Soren Vega ·
- osint
- documents
- verification
- leaks
A leaked PDF is one of the most dangerous artifacts in open source work — easy to fake, hard to verify, and emotionally sticky. Seven forensic checks that move a document from 'interesting' to 'cited' without inheriting someone else's mistake.
How to Verify a Leaked Document
A leaked document lands in your inbox or your feed. Maybe it is a PDF. Maybe it is a set of scanned images. Maybe it is a stack of internal emails. Before you cite it, forward it, or write about it, run it through seven checks. The order matters — start with the file, end with the chain.
A failed check is a finding, not a failure WarningA leaked document that fails one of these checks is not necessarily a forgery. It might be a real document that has been redacted, re-saved, or re-shared with a new cover page. The honest write-up is "the document claims X, but check Y failed" — not "the document is fake." The failure is a finding about the chain, not a verdict on the content.
Check 1: Read the file's metadata
Right-click the PDF and look at its properties. The metadata includes:
- Author. Real documents often have a real author's name, or a generic "Administrator." A name you do not recognize is a yellow flag.
- Creator and Producer. The software that made the file. Microsoft Word, Adobe InDesign, LaTeX, and a few other tools leave specific fingerprints. A "leaked" document claiming to be a private company's internal memo, but produced by an open-source PDF editor, is a finding.
- Creation and modification dates. The date the file was created on the device, and the date it was last modified. These can be set to anything, but most forgers do not bother.
- Page count, file size. A "2,000-page internal report" that is 200 KB is suspicious. Real long PDFs are larger.
Compare metadata across multiple leaked files TipIf you have several documents from the same alleged source, compare the metadata. A real set of internal documents tends to be produced by the same software, on the same kind of device, by a small number of authors. A forgery set often has heterogeneous metadata — different software, different authors, different dates.
Check 2: Read the typeface, the layout, and the line breaks
A "leaked" PDF whose body is set in a font the alleged author does not normally use is suspicious. So is a document whose line breaks are off, whose headers and footers are inconsistent, or whose margins are wider than the company's standard.
What to look for:
- The font. Real internal documents from a large organization use a standard font. A leaked document in Comic Sans is suspicious.
- The line spacing. Real documents are set at a consistent line height. A leaked document that switches line heights between pages has been re-typed.
- The page numbers. Real internal documents have a coherent page-numbering scheme. A leaked document that jumps from page 12 to page 87 is suspicious.
- The headers and footers. Real internal documents have a consistent header or footer. A leaked document that omits them on some pages has been edited.
Check 3: Read the language and the grammar
A real internal document from a real organization has a tone. A leaked document that suddenly switches tone, that uses vocabulary the alleged author would not use, or that contains phrases lifted from a news article is suspicious.
What to look for:
- Internal jargon. Real documents use the company's internal jargon. A leaked document that uses the public-facing language of the company's website is suspicious.
- Spelling and grammar. A document from a US office that uses British spelling, or vice versa, is unusual. A document that switches spellings between sections is a finding.
- Time-sensitive language. A document from 2018 that uses a phrase that did not enter common use until 2022 has been re-dated.
- Translation artifacts. A document that reads like a translation, with awkward phrasing or unusual word choices, may be a translation of a real document — or it may be a forgery written by a non-native speaker. The original is the version to verify.
Check 4: Cross-check the named entities
A real internal document names real people, real departments, real projects, real products. A leaked document that names entities you cannot confirm is suspicious. A leaked document that names entities you can confirm against other public sources is much stronger.
- People. Are the named people still at the company? In the role claimed? Public LinkedIn, archived press releases, and conference speaker bios are good sources.
- Departments and products. Are they named the way the company names them publicly? A leaked document that uses the public brand name for a project the company internally calls by a code name is suspicious.
- Dates and dollar amounts. Do the dates line up with public events? Are the dollar amounts in the right order of magnitude?
Check 5: Match the content against independent reporting
The strongest single check: does the document's content match what other outlets have independently reported? A leaked document that names a project, a person, or an event that no other outlet has covered is suspicious. A leaked document that names entities that have been covered by reputable outlets is much stronger.
This is also where the document's value as a story lives. A leaked document that confirms what we already suspected is more credible than a leaked document that breaks entirely new ground, because the prior coverage is independent corroboration.
Check 6: Search for a distinctive sentence
Take a distinctive sentence from the document — one that contains a specific fact, an unusual phrase, or a memorable turn of phrase — and paste it into a search engine in quotes. The search will return:
- Other copies of the leaked document. If the same sentence appears on dozens of sites, the document is widely distributed.
- The original source of the sentence, if it was lifted from a public document. A "leaked internal memo" whose distinctive sentence was actually published in the company's 2019 annual report is a forgery.
- Nothing, if the sentence is original to the document. That is the strongest case for the document being real — but only if combined with the other checks.
The most useful sentence is the most boring one TipA specific number, a specific date, a specific name. The kind of sentence that would not be memorable enough to be invented. If a search for that specific sentence returns nothing, the document has not been recycled and is not a direct paste from a public source.
Check 7: Trace the chain of custody
Finally, ask: where did this document come from, and who has handled it along the way? The chain of custody matters for two reasons:
- A real leaked document is usually traceable to a specific inbox, a specific source, a specific time. A document with a vague origin ("shared widely on social media") is harder to verify.
- A document that has been edited after the leak is not the original. If the version you have was re-saved by an intermediary, the file's metadata and content may have changed.
A useful write-up: name the chain in plain language. "The document was first shared by account X on date D. We obtained a copy from archive Y. The version we have matches the version in archive Y, including a typo on page 4 that was corrected in later copies." That sentence is what makes the rest of the citation defensible.
When you are done
After all seven checks, the document is in one of three states:
- Verified. Multiple independent corroborations, a coherent chain, a plausible file. Cite it.
- Partially verified. The named entities check out, but one or more forensic checks failed. Cite it with the caveat. "The document was edited after the leak; the page-2 numbers do not match the page-5 numbers."
- Unverified. Multiple checks failed, or the chain is too vague. Do not cite. Note the document and the failure, so a future researcher can pick up the thread.
Frequently Asked Questions
How do you verify a leaked document is real?
Run seven checks in order: the file's metadata, the typeface and layout, the language and grammar, the named entities against public records, the document's content against independent reporting, a search for any distinctive sentence, and the chain of custody. Any single check that fails should pause the citation, not stop the project — but the failure should be on the page.
Can a PDF be forged?
Yes. PDFs are easy to edit with off-the-shelf software, and the visible result is indistinguishable from a real document. PDF metadata is also editable. Verification of a leaked document is not about the file format — it is about the document's content, its named entities, and its provenance.
Related Guide
Open Source Intelligence