
You'd think by now that everyone—especially those who'd intend forging documents—would be aware of the 'mismatched' font problem but it appears not because it's happened in significant numbers of high profile cases in the past. Simply, these forgers haven't done their necessary homework.

Even with homework done I'd never attempt it for the same reasons that Matthew Garrett outlined in his article.

However, assume a hypothetical case where I had to forge a document, what would I do? My first thought would be to obtain a pensioned-off PC complete with operating system, user apps such as MS Office/Word and standard default fonts that was last used a little before the date of my intended forgery.

Obtaining such a PC may seem like a tall order but it might not be as difficult as it seems, but it certainly won't be easy. I say that it's possible by just looking at my own situation. In my shed I have a stack of old PCs gathering dust that haven't been switched on in several decades, no doubt there are many similar piles of junk out there in user-land that can be tapped for a suitable PC.

Next, I'd ensure the PC was not switched on until I'd removed the hard disk and forensically mirrored it to a backup on another PC. The mirrored disk image can then be examined to determine the exact date when it was last used, etc., etc.

Without reinstalling the hard disk and before switching it on I'd disconnect the PC's clock battery and/or short out the clock operation so the clock was set to the factory default time (i.e. not set). I'd then switch on and set the date in the BIOS slightly ahead of the last date the PC was last switched on (that date I'll have already determined from my forensic analysis of the mirrored image).

After reinstalling the HD I'd switch on and hopefully I'd have a functional PC whose date and time would indicate that it was switched on shortly after the actual time it was last used.

At this point and before proceeding further I'd take another mirror image of the HD and compare it with the original for any gotchas. Unless something goes awry I'll use this second mirror for all future installations and any necessary tweaks.

My next step would be to draft out the forged text by hand on paper. I'd study this text with great care to ensure that I've the precise wording and that there are no references to forward dates or events that could not have happened by the date of the forgery. I'll then sit on the text for 24 hours or more to think about it just to make sure that everything I've written is as 'faultless' as is possible.

Assuming all's well and only then will I switch on the PC and use the installed copy of MSO/Word with one of the common already-installed typefaces such as Arial or Times New Roman to type my text.

Even then, with all that done, I'd still be shitting myself that I'd not fully covered my tracks!

Note: that's the short version, there are many other intermediate checks too detailed to mention here. Some of these steps may require minor tweaks to the second mirror (metadata changes, etc.) before it's mirrored back to the original HD. Any edits to the second mirror should only be done after it's been backed up.

Doing these checks and ensuring that one's covered one's tracks isn't for the fainthearted. Right, the stakes have to be extraordinarily high to even bother attempting such a job.

_

Edit: if the forgery is to appear in printed form then it should be printed on old stock paper with a printer of the same era, say a HP LaserJet III for instance. Even with expertise, artificially aging such a document is a complicated process and even then it's unlikely to pass muster with a basic forensic analysis.

Another approach is to do the above then photocopy the original then 'lose' it and only use the copy. Recopying the copy on multiple machines of different brands will make tracing the original photocopier more difficult as each machine will have optics with minor distortions that are different to one another. Faxing the document sans headers will further obfuscate where the copy originated as faxes are of low resolution and introduce artifacts and noise, but keep in mind that the mechanics and optics of fax machines introduce the same type of distortions as photocopiers.

Again, don't bet your chances, if you use these methods then smart forensics are still likely to nab you.



>You'd think by now that everyone—especially those who'd intend forging documents—would be aware of the 'mismatched' font problem but it appears not because it's happened in significant numbers of high profile cases in the past.

I'm reminded of that scene in Mindhunter where the detectives go to Kemper something like "this theory is unsupported by the data we've collected on serial killers." And Kemper calmly responds, "Seems to me all of the data you've gathered is from serial killers you've caught."

Kemper believes there are many serial killers undiscovered, and more importantly easily able to avoid detection (as he did) unless they turn themselves in. This is while the FBI is speculating profiles of an active serial killer.



