Graphic design applications are often used for the editing and design of digital art. The same applications can be used for creating counterfeit documents such as identity documents (IDs), driver’s licenses or passports, among others. The products of graphic design applications, however, leave behind traces of digital information which can be used during a digital forensic investigation. Although current digital forensic tools are designed to scrutinise systems with the purpose of finding digital evidence, the tools are not designed to examine such systems specifically for the purpose of identifying counterfeit documents.
This dissertation reviews the digital evidence relating to the creation of counterfeit documents and gathered from graphic design applications. Digital evidence gathered in this way consists mainly of identifying and corroborating the counterfeiting events that occurred on a particular system. Firstly, such an analysis is accomplished by establishing linkages between the digital forensic information that has been gathered and the specific actions that were performed when the counterfeit documents were created. Such actions comprise scanning, editing, saving, and printing. The researcher is able to compile a dossier of the digital forensic information that is generated by such actions by analysing the files that were generated by making use of a particular graphic design application for document creation. Secondly, the researcher extends the analysis to the actual files created by the application user. These files can be used as evidence to establish linkages between the content of the counterfeit documents that are being investigated and the document editing actions that are necessary for creating such documents. The researcher gathers digital forensic information of this kind by analysing the different file types that are associated with these applications. The researcher then gathers the associated timeline evidence separately by means of a third analysis that identifies timestamps from the application’s system files and evidence files. The researcher is then able to draw a timeline from the timestamps to illustrate the sequence of events that occurred. From the digital evidence gathered in this way it is possible to propose a two-pronged counterfeiting investigation process. This proposed investigation process is application and platform independent. The researcher concludes the study by transforming the model into a working prototype by demonstrating how the prototype is capable of analysing and extracting digital forensic information from certain graphic design application file types and log files. Such a prototype is capable of identifying the system that was utilised for counterfeiting particular documents or identifying whether a specific document is counterfeited or not.