
Investigating Deepfakes and Falsified Evidence: Practical Steps for Scrutinizing Suspicious Content

From altered media to fabricated digital records, Generative AI is making false evidence easier to produce – and harder to detect. Digital Forensics expert Dr. Tristan Jenkinson outlines the signs that should trigger concern and the techniques that can help determine whether those red-flag files are authentic.


Falsified documents are nothing new. Since humans have been recording information for posterity, others have been falsifying information for gain. When documents became electronic, so did their falsified counterparts. The advent of generative AI provided benefits in diverse and varied areas – unfortunately including the falsification of evidence.

Generative AI led to a significant increase in the ease of creation and the quality of deepfake content – typically multimedia content which has been fabricated or manipulated using generative AI. However, generative AI has also had an impact on falsified evidence – it can provide guidance and methodologies to create falsified content in non-multimedia files such as Word documents, PDFs, spreadsheets, etc. Some generative-AI systems can and will generate falsified files for you or allow you to use them to perform manipulation – to change dates and times stored in the files, for example.

As awareness grows around the issue of deepfakes and falsified evidence, experts have identified red flags for which lawyers should be on the lookout, along with practical approaches for investigating such content.

Red Flags

There are several indicators that evidence submitted in a case may be worth taking a deeper look at, including:

  • Smoking gun evidence. If someone falsifies a piece of evidence, it must be worth the risk of being caught. This means that, in most cases, a falsified document is a piece of evidence that proves a key point in the case, by itself. If a case may be decided on a single piece of evidence, you likely want to make sure that piece of evidence is legitimate.
  • Late arrivals. Falsified evidence is often provided late in a case. One of the most common reasons for this is that it provides you with little time to investigate it for indicators of falsification. Another reason is that an individual may only consider that they may lose when already at trial. They may feel that they need additional evidence to tip the balance.
  • Evidence in solitude. Has a file been referred to or mentioned before? Evidence does not typically exist in a vacuum. Even if an email, document or video could not be located, you would expect witnesses to mention their belief that it exists. If new questionable evidence appears, the existence of which has never been mentioned or referred to before, that can be an indicator that it may not be as it appears.
  • Files in non-native format and convoluted explanations. Sometimes files are provided in a different format from how they would normally be stored – for example, a Word document might be provided as a PDF, or an email might be provided as a physical printed copy. This may be done to limit analysis of the original file’s metadata, which might demonstrate that the file had been falsified. An explanation why the file was not provided in its native format would normally be expected. Where the file has been falsified, these reasons are often very convoluted and may well contain contradictions.

Simple Steps for Investigating

  • Inconsistencies – Though an obvious place to start, check documents for inconsistencies. These may be with respect to other areas of the document itself, other testimony or other evidence in the case. Particular attention should be paid to historical inconsistencies. For example, a falsified document may use current company addresses, logos, headers, footers, etc., rather than those from the appropriate time. Having legitimate files from the same period can be really useful for comparison in this sort of analysis.
  • Questionable dates – Does the document contain dates that do not exist (31 April, etc.)? Alternatively, are days of the week consistent with the date? For example, there may be a reference to Tuesday 20 November 2025, but 20 November 2025 was a Thursday, not a Tuesday. Other date issues to keep an eye out for include actions that took place on weekends or statutory holidays, which would be unusual.
  • Cross-referencing – If there are references to calls or meetings, can they be found in a work calendar (likely linked to email) of individuals who were present? If other documents are referenced, have they also been provided and analyzed?
  • Multiple file indications – Where multiple files have been falsified (for example a series of invoices or emails), dates and times can be really helpful. One issue to look for is where multiple suspect files have different dates, but their times are in close proximity. For example:
    • 10 October 2012 at 09:54
    • 11 November 2012 at 09:57
    • 09 December 2012 at 10:03
    • 13 January 2012 at 10:12

One way that people try to falsify dates on documents is to change the date on their computer clock, and save the document. Rarely do they change the time in these instances, and so we see these series of close events, but with dates far apart.
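The date checks and the close-times pattern described above can be screened for automatically before manual review. The following is an added example, not code from the article or its author; the function names, the "day month year" text format, the 30-minute window and the 7-day gap are assumptions chosen for illustration.

```python
import re
from datetime import date, datetime

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
DATE_RE = re.compile(r"\b(?:(%s)\s+)?(\d{1,2})\s+(%s)\s+(\d{4})\b"
                     % ("|".join(DAYS), "|".join(MONTHS)))

def check_dates(text):
    """Return (matched text, problem) for each questionable date in text."""
    findings = []
    for m in DATE_RE.finditer(text):
        weekday, day, month, year = m.groups()
        try:
            d = date(int(year), MONTHS.index(month) + 1, int(day))
        except ValueError:
            findings.append((m.group(0), "date does not exist"))
            continue
        actual = DAYS[d.weekday()]
        if weekday and weekday != actual:
            findings.append((m.group(0), "was a " + actual))
        elif d.weekday() >= 5:
            findings.append((m.group(0), "falls on a weekend"))
    return findings

def clustered_times(stamps, window_min=30, min_gap_days=7):
    """Pairs saved on dates far apart but at nearly the same time of day."""
    pairs = []
    for i, a in enumerate(stamps):
        for b in stamps[i + 1:]:
            diff = abs((a.hour * 60 + a.minute) - (b.hour * 60 + b.minute))
            diff = min(diff, 1440 - diff)  # times wrap around midnight
            if abs((a.date() - b.date()).days) >= min_gap_days and diff <= window_min:
                pairs.append((a, b))
    return pairs

# Constructed sample text; the first date is the article's own example.
SAMPLE_TEXT = ("Call on Tuesday 20 November 2025. Payment due 31 April 2025. "
               "Signed 4 March 2024. Site visit Saturday 6 April 2024.")
# The four timestamps listed in the article, plus one constructed control.
SAMPLE_STAMPS = [datetime(2012, 10, 10, 9, 54), datetime(2012, 11, 11, 9, 57),
                 datetime(2012, 12, 9, 10, 3), datetime(2012, 1, 13, 10, 12),
                 datetime(2012, 10, 12, 16, 40)]

if __name__ == "__main__":
    print(check_dates(SAMPLE_TEXT))
    print(len(clustered_times(SAMPLE_STAMPS)), "suspicious pairs")
```

A hit from either function is a prompt for closer examination, not a finding of falsification; weekend work and similar save times can have ordinary explanations.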

A Word of Warning

Metadata from files can provide very helpful indicators of alterations – for example, created and last-modified dates, as well as the users who created or last modified the file in some cases.

Significant care should be taken when interpreting the metadata from files. There are many rules and complications as to when values are set or updated. There are also instances where the most intuitive explanations are not the correct ones. The Date Created value may not be the date on which the file was created, and the Date Last Printed value does not mean the date on which the document was last printed. Files can legitimately have last modified dates that are before their creation date.

For this reason, when considering metadata, if something does look or feel off, it may be worth discussing with a digital forensic expert, especially prior to any allegations of potential wrongdoing being made in a legal case.
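As an added illustration (not the author's code), the sketch below reads the embedded author and date values from a Word, Excel or PowerPoint file in the Office Open XML format, where they are stored in `docProps/core.xml`, and lists observations to raise with an examiner. The function names and the sample package are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "created": "dcterms:created", "modified": "dcterms:modified",
          "last_printed": "cp:lastPrinted", "revision": "cp:revision"}

def core_properties(ooxml_bytes):
    """Return the embedded core properties as a dict (None where absent)."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {k: root.findtext(path, namespaces=NS) for k, path in FIELDS.items()}

def review_notes(props):
    """Observations for expert review; none of them proves alteration."""
    notes = []
    created, modified = props["created"], props["modified"]
    # ISO 8601 UTC strings of the same form sort chronologically.
    if created and modified and modified < created:
        notes.append("modified precedes created")
    if props["creator"] != props["last_modified_by"]:
        notes.append("creator differs from last modifier")
    return notes

def build_sample():
    """Constructed package holding only docProps/core.xml, for demonstration."""
    xmlns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    core = ("<cp:coreProperties %s>"
            "<dc:creator>A. Author</dc:creator>"
            "<cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>"
            "<dcterms:created>2021-06-15T09:12:00Z</dcterms:created>"
            "<dcterms:modified>2019-03-01T10:00:00Z</dcterms:modified>"
            "</cp:coreProperties>" % xmlns)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    props = core_properties(build_sample())
    print(props)
    print(review_notes(props))
```

These embedded values are separate from the file-system dates shown by the operating system, so the two sets can differ without anything being wrong.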

Additional Thoughts for Suspected Deepfakes

Consider provenance. If audio, video or images are provided that are suspicious, one approach is to ask for their provenance. If they are legitimate files, then they must have been recorded on some device. In my experience, in recent years, most such files would be created on a mobile phone.

In this case, further details can then be requested, such as the make and model of the device used to perform the recording. This information can then be used to check that the file is in the correct format, as well as other checks on consistency. For example, for a photograph, if the make and model of the phone is known, you can check that the image is in the correct format, the correct aspect ratio, the pixel count and depth, as well as comparing the metadata of the photo to see if it is consistent with being created with that device.

For video and photographs, the location where the recording was allegedly made can also be helpful. You can check that the background in the recording is consistent with that location. Care should be taken, especially with alleged historic recordings as locations may have changed since the time of the alleged recording.

Experts

Deepfake technology has advanced to the point that it is simply not possible to identify fakes using the human eye. Automatic detection tools are also often unreliable, and their use in legal proceedings may be limited. Where there is possible falsification of evidence in legal cases, legal teams have turned to experts in digital forensics. Digital forensic methodologies and approaches have long been used for the analysis of falsified evidence, were established and developed over years, and can be similarly applied to investigate alleged deepfaked content.

If you do have suspected deepfaked data, or other potentially falsified evidence, consider if you would benefit from using an expert. As well as experience in the analysis of falsified files and recordings, an expert would have an understanding of metadata, and of extracting additional information not readily accessible to typical users.

Experts can also use additional methodologies by analysing files and data from a technical perspective. This might include analysis of the logical structure of a file, utilizing embedded or encoded information within the file itself, or using information such as the software version or build numbers.

Experts may also be able to provide formal documentation for use in court, or give testimony in a case regarding the apparent authenticity, or otherwise, of suspect files.