AI-Generated Documents, Deepfake Signatures and Image Manipulation

Generative Adversarial Networks, introduced by Ian Goodfellow and colleagues in 2014, consist of two neural networks trained in opposition: a generator network that produces synthetic samples, and a discriminator network that attempts to distinguish synthetic samples from genuine ones. Each network improves in response to the other's performance, driving the generator toward producing samples that are statistically indistinguishable from the genuine distribution. When applied to handwriting or signature generation with a conditioning input (a reference set of genuine examples from a specific writer), the generator learns to produce novel samples that share the writer's characteristic features: pen pressure variation, stroke velocity, connecting ligatures, letter proportion, and the subtle idiosyncrasies that make a handwriting sample identifiable as belonging to a particular individual.

Academic work on handwriting generation using GANs accelerated significantly from 2019 onward. ScrabbleGAN (Fogel et al., 2020, Bar-Ilan University) generates handwritten text in a specified handwriting style from a text string input. GANwriting (Li et al., 2020, University of Trento and Alicante) conditions generation on a few reference word images. SigGAN and related systems applied the same architecture to signature generation specifically, demonstrating that with as few as 20 authentic signature samples, a model could generate statistically plausible forgeries in the same writer's style. The 2023 Tessella report (UK government-commissioned, covering generative AI threats to document authentication) specifically flagged the emergence of production-quality signature generation as a casework-relevant threat for UK courts within a three-to-five-year horizon.

Diffusion models (Denoising Diffusion Probabilistic Models, Ho et al., 2020; Stable Diffusion, Rombach et al., 2022) represent the current frontier in document image generation. Unlike GANs, which can suffer from mode collapse and training instability, diffusion models are trained by adding progressive noise to real images and learning to reverse the denoising process. Stable Diffusion inpainting can be used to fill a masked region of a document scan (a signature field, a date, an amount) with photorealistic content that matches the surrounding visual context. Adobe Firefly, integrated into Photoshop from version 24.6 (2023), provides a consumer-accessible implementation. From a forensic standpoint, diffusion-inpainted regions present the challenge described in the PDF metadata topic: they carry no prior compression history, do not produce the block-level ELA anomalies characteristic of JPEG copy-paste, and can produce statistically realistic JPEG noise because the denoising step is trained on real JPEG images.

Beyond signature forgery, generative models can now produce entire document images: a mortgage approval letter on authentic-looking bank letterhead, a court order with plausible case number formatting, an academic transcript with a university's visual identity, or a medical report with appropriate clinical terminology layout. The output is typically generated as a full-resolution image file rather than a PDF with live text, because image files do not carry the metadata artefacts that betray AI-generated text (AI writing tool metadata in Word's revision history, model-specific token distributions in the text layer). Presenting the document as a scan of a physical original, generated by a scanner, is a deliberate strategy to shift the examiner's focus toward paper-and-ink authentication rather than digital metadata.

Several specific indicators distinguish AI-synthesised document scans from genuine scans of physical documents. First, noise statistics: genuine scanner noise is additive Gaussian noise that is spatially uniform and independent of image content; it is also consistent with the claimed scanner's noise model for the claimed resolution and bit depth. AI-generated scan noise is learned from training data and may show content-correlated noise patterns (the model learned that certain background textures accompany certain types of document), periodic noise structures, or noise that is inconsistent with a specific scanner model's known point-spread function. Second, font rendering: scanners capture the physical output of a printer, which includes optical point-spread function blurring, ink halftone dots, paper fibre interference, and toner scatter. AI-synthesised text may show fonts that are pixel-perfect at a sub-physical scale, or may show blurring that is too uniform (applied as a convolution layer) rather than the spatially variable blur from a real optical scan. Third, spatial frequency analysis: Fourier analysis of the image can reveal periodic patterns introduced by the upsampling layers in convolutional neural networks (a known artefact of some GAN architectures, detectable as regular peaks in the Fourier spectrum).

NIST's National Software Reference Library and Facial Recognition Vendor Testing (FRVT) programmes have been expanding their scope to include document image authentication evaluation. The 2024 NIST evaluation work on AI-generated content detection (covering synthetic images broadly, including document images) reported that the best-performing detection systems achieved detection accuracy above 85 per cent on standard benchmark datasets, but accuracy dropped below 60 per cent when tested against adversarially generated content specifically designed to defeat the detectors. This finding is critical for casework: a detection system with good benchmark performance may be useless against a motivated, technically sophisticated forger who knows what the detector is looking for.

The field of automatic signature verification (ASV) has produced systems that compare a questioned signature against a reference set on the basis of extracted biometric features: global features such as aspect ratio, stroke count, and normalised area; local features such as curvature at specific trajectory points, pen velocity profiles (for online signatures captured on a tablet), and pressure distribution; and statistical features derived from the spatial distribution of ink pixels. These systems were designed to detect skilled human forgeries against genuine signatures. Their performance against GAN-generated forgeries is qualitatively different: a GAN trained on the genuine writer's signatures optimises its output to match the reference distribution on precisely the features that ASV systems use. In the 2022 SigNet-F evaluation (published by the ATVS Biometric Research Laboratory, Universidad Autónoma de Madrid), GAN-generated forgeries achieved false acceptance rates substantially higher than skilled human forgeries on several ASV systems, meaning the automated system was more likely to accept a GAN forgery as genuine than a skilled human-made forgery.

For offline signatures (ink on paper, presented as scanned images), the forensic examiner's toolkit must go beyond biometric feature matching. Physical examination of the ink and substrate remains valuable: an AI-generated signature is an image of a signature, not a physical signature. If the questioned document is a physical paper document, the presence or absence of indented pen-pressure impressions on the paper, detectable by ESDA (Electrostatic Detection Apparatus), by oblique light examination, or by VSC (Video Spectral Comparator) near-infrared reflectance, remains a reliable physical test. A forger who prints an AI-generated signature onto paper rather than writing it physically will not produce pen pressure impressions, and this absence is detectable by a competent document examiner using established physical methods.

The evidential weight of online signature features (pen velocity, pressure time-series, pen-up/pen-down events captured by a signature tablet) is substantially higher against GAN forgeries, because generating a realistic velocity-and-pressure time-series that matches a specific writer's biometric profile requires a second generative model trained specifically on online signature data from that writer. This is technically possible but requires considerably more data and effort than image-based generation. Courts in Germany (Bundesgerichtshof rulings on digital signature evidence), the Netherlands (NRFC digital evidence guidance), and UK proceedings involving ESIGN-equivalent tablet signatures have generally treated online biometric signature data as more reliable than offline scanned signatures for this reason.

The image authentication techniques described in the PDF forensics topic (ELA, copy-move detection, JPEG ghost analysis) were calibrated against the editing tools available when they were developed: JPEG-based copy-paste in Photoshop CS2 through CS5, GIMP 2.x, and early mobile editing applications. Modern compositing pipelines introduce three categories of manipulation that defeat these classical methods.

Content-aware fill and generative fill (Photoshop Neural Filters from version 22.0, Generative Fill from version 24.6 using Adobe Firefly, equivalent features in Lightroom and Luminar AI) synthesise new pixel values from a neural model rather than copying pixels from elsewhere in the image. No copy-move detection algorithm finds a match because there is no source region to match. No JPEG ghost analysis reveals a double-compressed patch because the synthesised region was generated fresh and compressed for the first time in the final save. ELA shows low error in the synthesised region because the region has only one compression history, identical to the rest of the image at the final save quality, rather than the elevated error that a pasted region from a different source would show.

Frequency-domain manipulation detection offers a partial countermeasure. The upsampling layers in many GAN and early diffusion architectures introduce periodic artefacts in the image's Fourier spectrum (the CNN fingerprint, also called the GAN spectrum fingerprint). These artefacts were first reported by Zhang et al. (University of California, Berkeley, 2019) and have been confirmed across multiple GAN architectures. Tools implementing this detection (FotoForensics's Fourier analysis view, the open-source GAN fingerprint detector from the LTT lab at TU Munich) can flag suspicious frequency peaks. However, forgers who apply small random noise to the final output, or who process the image through a resizing or sharpening step, can suppress these artefacts.

Neural network-based detection trained on large compositing datasets represents the current research frontier. Models such as TruFor (Guillaro et al., 2023, Federico II University of Naples; developed in collaboration with US and EU research groups), Grag2021 (Gragnaniello et al.), and CNNDetect (Wang et al., 2020, UC Berkeley) achieve 90-plus per cent detection accuracy on held-out forgery datasets. Performance degrades against domain shift (forgeries made with tools not in the training set) and against adversarial attacks (forgeries specifically optimised to defeat the detector). A November 2023 evaluation by the AI Incident Database and the NIST AI Risk Management Framework working group noted that no single neural detector achieves reliable performance across the full range of generative tools available in 2023 production software.

The Coalition for Content Provenance and Authenticity (C2PA) is a standards body co-founded in 2021 by Adobe, Microsoft, BBC, Intel, Arm, and Truepic, now operating under the Joint Development Foundation. The C2PA specification defines a technical standard for attaching a signed provenance manifest to media files (images, video, audio, and documents) at the point of creation, and for maintaining a verifiable chain of that provenance through subsequent editing and publication steps.

A C2PA manifest is a CBOR (Concise Binary Object Representation) data structure embedded in the media file's metadata (in a JUMBF, JPEG Universal Metadata Box Format, for JPEG; in XMP for PDF; in a dedicated UUID box for video). The manifest contains a list of assertions: machine-readable claims about the content's origin and history. Common assertions include the capture device identity (camera make, model, firmware version), the capture time (from a GPS-synced clock), the geographic location, the software tools applied and their version numbers (a Creative Work assertion listing Photoshop operations), and the content binding (a cryptographic hash of the content at the time of each operation in the editing chain). Each manifest is digitally signed by the device or software that produced it, using an X.509 certificate from a C2PA-trusted CA.

The forensic significance is substantial. A camera that implements C2PA at capture (Sony Alpha series cameras from 2024 use C2PA signing on RAW and JPEG output via the Camera Authenticity Initiative partnership; Leica M11-P from 2023 was the first production camera with built-in C2PA signing) produces an image where the capture provenance is cryptographically attested. Any subsequent editing operation in C2PA-aware software (Adobe Photoshop from version 24.6, Adobe Lightroom from late 2023) adds a new assertion to the manifest recording what was done, and the new assertion's content binding covers the state of the image after the edit. The manifest's signature chain can be walked to reconstruct exactly which operations were applied, in what sequence, and by which software, from capture to the version under examination.

For forensic purposes, a document presented with a valid C2PA manifest whose assertion chain shows no editing operations beyond expected colour correction or format conversion is substantially more trustworthy than an identical document without a provenance manifest. Conversely, a document where the manifest chain shows a generative fill operation, an AI tool invocation, or a content binding mismatch (indicating that the file's pixels do not match the manifest's recorded hash at that step) is a positive forensic indicator of manipulation.

The commodification of generative AI tools has three direct implications for questioned document casework over the 2025-2035 horizon. First, the range of actors capable of producing high-quality document forgeries has expanded dramatically. A skilled human forger required years of practice to produce a convincing handwritten forgery; a diffusion model requires only a few reference images and a consumer GPU. This means that document forgeries will become more common across a wider range of casework contexts, including insurance fraud, tenancy dispute documents, academic credential fraud, and small-business contract disputes, not just high-stakes fraud cases.

Second, the balance of evidence in contested-document cases is shifting away from the questioned document toward the surrounding record. A cryptographically protected e-signature, a C2PA provenance chain, a court-admissible platform audit trail from a regulated ESIGN provider, or a physical document with demonstrable pen pressure: these forms of authentication are not affected by advances in generative AI, because they are either cryptographically verifiable or require physical access to the substrate. The examiner's role in AI-era casework increasingly involves assessing the reliability of these authentication chains rather than performing pixel-level image analysis on documents that lack them.

Third, expert testimony in AI-contested document cases must be carefully scoped. The appropriate expert statement is not "this document is AI-generated" (which requires a validated, reproducible detection methodology with a known false positive rate) but rather "this document does not show the physical characteristics consistent with being a scan of a genuine printed and hand-signed original" combined with the specific findings: no pen pressure on ESDA, Fourier anomaly at frequency X, noise statistics inconsistent with a Canon CanoScan LiDE 400 operating at 600 DPI as claimed, and so on. Each specific finding has an established methodology and a defensible error rate. The aggregate conclusion follows from the specific findings, not from a black-box AI detector.

The UK Forensic Science Regulator's Digital Forensics suite and the American Board of Forensic Document Examiners (ABFDE) have both noted the need for updated validation guidelines covering AI-detection methods. The European Network of Forensic Science Institutes (ENFSI) Digital Imaging Working Group published a preliminary position paper in 2024 on the requirements for admitting neural-network-based detection evidence, recommending that such evidence be treated under the same validation framework as any other novel forensic technology: published methodology, peer-reviewed testing data, known false positive and false negative rates, and proficiency testing against blind test sets.

1. Physical examination first
   For any physical paper document, apply ESDA to detect or exclude pen pressure. Examine under oblique light and VSC to characterise ink or toner deposits. A genuine ink signature has different physical properties from a printed or laser-transferred signature, regardless of how convincing it looks to the naked eye.
2. Metadata and provenance audit
   Check for a C2PA manifest and verify its signature chain. Check EXIF for camera identity and timestamp consistency. For PDF documents, run the full incremental-update and signature verification workflow.
3. Compression and frequency analysis
   Apply ELA, JPEG ghost analysis, and Fourier spectrum analysis to the image content. Note that negative results from these classical tools do not exclude AI-generation; they only exclude the specific manipulation types each tool detects.
4. Scanner and device fingerprint analysis
   Apply PRNU (Photo Response Non-Uniformity) analysis to test whether the image carries the sensor fingerprint of the claimed capture device. An AI-generated image will not carry a camera sensor PRNU; a genuine camera original will, provided a reference image from the same device is available.
5. Statistical handwriting feature analysis
   For questioned signatures, extract global and local biometric features and compare with the reference set using validated ASV software. Note that GAN-generated forgeries may pass ASV checks; a positive ASV match is not equivalent to confirming genuineness in a generative-AI context.
6. Neural network ensemble screening
   Apply one or more validated neural forgery detectors (TruFor, CNNDetect, or equivalent) as a screening step. Document the model version, training dataset, and reported false positive and false negative rates. Report the result as a screening indicator, not as a definitive finding.
7. Scope the expert conclusion carefully