# Tampering
In a KYC/KYB system, "document transformations" are high-risk moments. Tampering often occurs when a user converts a file (e.g., "Print to PDF") or edits it using consumer software. To maintain financial-grade integrity, you must verify both the Digital Forensics (the file's DNA) and the Visual Consistency (the file's appearance).
Here is the checklist of what your AdonisJS backend and Vue frontend should verify to detect tampering.
***
### 1. Metadata Analysis (The "Digital DNA")
Metadata is usually the first thing a fraudster forgets to scrub. Your backend should parse the file's properties for "Red Flags."
* Software "Producers": Genuine bank statements or government PDFs are generated by enterprise systems (e.g., *Oracle Financials*, *Finacle*, *IText*). If the metadata shows "Adobe Photoshop," "Canva," "SmallPDF," or "Preview," it is a high-probability tamper.
* Timestamp Mismatches: On a genuine document, the `Creation Date` and `Modification Date` should be identical or very close. If the modification date is weeks after the creation date, the file has been opened and re-saved.
* Author/Usernames: Check if the PDF "Author" field matches the customer's computer name or, worse, a known "Document Template" seller.
***
### 2. PDF Structure & Font Forensics
Fraudsters often "layer" new text over an existing document.
* Font Inconsistencies: Banks use highly consistent typography. If the "Balance" amount uses a slightly different font weight, size, or spacing than the "Transaction" text, it's a "Copy-Paste" job.
* Non-Embedded Fonts: If a PDF contains fonts that aren't "Embedded" or "Embedded Subset," it often means the text was added by a local machine rather than the bank's server.
* Invisible Layers: Sophisticated tools can detect "Hidden Text" or white boxes placed over original numbers. In your Vue viewer, you can implement a "Scan for Hidden Layers" toggle that highlights overlapping elements.
***
### 3. Visual & Forensic Image Checks
For scanned IDs (KYC) or Photos of documents, you need to check the Pixel Integrity.
* Pixel Noise (Compression Artifacts): When an image is edited (e.g., changing a "3" to an "8"), the "noise" or grain around that specific character will be different from the rest of the page.
* Copy-Move Detection: Look for identical patterns in the "noise." Fraudsters often clone a "0" from one part of a bank statement and paste it into the "Total" column.
* Edge Detection: Check the edges of the photo on an ID card. If the pixels around the headshot are "too sharp" compared to the rest of the card, the photo was digitally swapped.
***
### 4. The "Four-Eyes" Verification Checklist
In your Vue FE, provide the Analyst with a Tamper Checklist that they must manually confirm:
| **Checkpoint** | **What to look for** |
| -------------- | -------------------------------------------------------------------- |
| Logic Check | Do the line items actually sum up to the "Total" shown? |
| Logo Quality | Is the bank logo blurry or pixelated compared to the text? |
| Alignment | Are the numbers in the "Amount" column perfectly vertically aligned? |
| Template Match | Does this statement match the known layout for "Chase Bank" in 2026? |
***
### 5. Implementation in AdonisJS
You can use a Node.js library like `pdf-lib` or `exiftool-vendored` to extract this data during the upload process.
TypeScript
```
// Example: Basic Metadata Check in an AdonisJS Service
import { ExifTool } from 'exiftool-vendored'
const exif = new ExifTool()
export async function analyzeFile(filePath: string) {
const metadata = await exif.read(filePath)
const redFlags = []
if (metadata.Software?.includes('Photoshop')) redFlags.push('EDIT_SOFTWARE_DETECTED')
if (metadata.CreateDate !== metadata.ModifyDate) redFlags.push('MODIFIED_AFTER_CREATION')
return redFlags
}
```
### Summary for your KYC Workflow
Every document transformation should be logged in your Audit Trail with its original hash (SHA-256). If a user uploads a file, and then "re-uploads" a corrected version, the system should flag it for a "Manual Forensic Review" by a Senior Compliance Officer.
In a KYC/KYB system, the most common "red flag" is a mismatch between the Creation Date (when the bank system generated the PDF) and the Modification Date (when the user opened it in Acrobat/Photoshop to change a number).
To do this in AdonisJS, you should use `exiftool-vendored`. It is the gold standard for reading deep metadata that simple libraries often miss.
#### 1. Install the Forensic Tool
Bash
```
npm i exiftool-vendored
```
#### 2. Create a Forensic Service
This service will take the uploaded file from your Adonis controller and return a "Risk Score."
TypeScript
```
// app/Services/DocumentForensicsService.ts
import { ExifTool } from 'exiftool-vendored'
const exif = new ExifTool()
export default class DocumentForensicsService {
public async analyze(filePath: string) {
const metadata = await exif.read(filePath)
const redFlags: string[] = []
// 1. Check for Editing Software
const software = metadata.Software || metadata.Creator || ''
const forbiddenTools = ['Photoshop', 'Illustrator', 'Canva', 'SmallPDF', 'Nitro', 'Preview']
if (forbiddenTools.some(tool => software.includes(tool))) {
redFlags.push(`EDIT_SOFTWARE_DETECTED: ${software}`)
}
// 2. Check for Date Mismatches (The "Smoking Gun")
const created = metadata.CreateDate?.toDate()
const modified = metadata.ModifyDate?.toDate()
if (created && modified) {
// Allow a 60-second window for system processing lag
const diffInSeconds = Math.abs((modified.getTime() - created.getTime()) / 1000)
if (diffInSeconds > 60) {
redFlags.push(`DATE_TAMPER_SUSPECTED: Modified ${diffInSeconds}s after creation`)
}
}
// 3. Check for Missing Fonts (Signs of a "Flat" copy-paste)
if (metadata.PDFVersion && !metadata.Fonts) {
// High-end financial PDFs almost always have embedded font subsets
redFlags.push('FLATTENED_PDF_DETECTED: No internal font structures found')
}
return {
isSuspicious: redFlags.length > 0,
redFlags,
metadata: {
software,
created,
modified
}
}
}
}
```
***
#### 3. Integrate into your Adonis Controller
When the user uploads the document via your Vue frontend, the controller runs the check before saving the case.
TypeScript
```
// app/Controllers/Http/KycDocumentsController.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import DocumentForensicsService from '#services/DocumentForensicsService'
export default class KycDocumentsController {
public async upload({ request, auth }: HttpContextContract) {
const file = request.file('kyc_document')
if (!file) return
// Move file to tmp for analysis
await file.moveToDisk('tmp')
const filePath = `./storage/tmp/${file.fileName}`
const forensics = new DocumentForensicsService()
const report = await forensics.analyze(filePath)
// Save to Database
const doc = await KycDocument.create({
tenantId: auth.user!.tenantId,
fileName: file.fileName,
riskScore: report.isSuspicious ? 'HIGH' : 'LOW',
forensicNotes: JSON.stringify(report.redFlags)
})
return { doc, report }
}
}
```
***
#### 4. Visualizing the Result in Vue
On your "Checker" screen (the Analyst view), you can now highlight these flags.
Code snippet
```
Potential Tampering Detected
```
#### Why this works:
1. Hard to bypass: A fraudster would need to use command-line tools to manually rewrite the EXIF `ModifyDate` to match the `CreateDate` exactly. Most scammers don't go that deep.
2. Modular: You can add a new check (like "Check for low-resolution logos") to the `analyze` method without touching your frontend.
3. Auditable: Because the `redFlags` are stored in your DB, you can prove to a financial regulator *why* you rejected a specific customer.
Would you like me to show you how to add a "Pixel Consistency" check? This detects if a small area of an image (like a name or amount) has been altered by looking for "noise" variations.