Can we trust what looks real? A teaching case on AI-generated digital evidence and organizational decision-making

Abstract

This teaching case places students in the role of a forensic examiner advising an organization that has received visually convincing digital evidence during a project-delivery dispute. The submitted files include an email screenshot, a PDF approval document, a scanned signature image, a Word file, and a ZIP archive. Each item appears plausible, but the metadata, timestamps, and provenance records raise different levels of concern. The case is designed for postgraduate, advanced undergraduate, and professional courses in digital forensics, cyber security, information-systems governance, AI risk management, IT audit, and technology-enabled investigations. It can be taught either as a discussion-based governance case using supplied metadata extracts or as a lab-supported forensic exercise using common evidence-analysis tools. The central learning objective is to help learners distinguish file integrity from file authenticity: a matching hash may prove that a file has not changed since hashing, but it does not prove that the file is genuine or from the claimed source. Learners must classify the evidence as reliable, suspicious, likely manipulated, or unacceptable, and then advise management on whether action can be taken. The case also supports discussion on AI-use disclosure, source-system verification, document-management audit trails, digital signatures, evidence-submission procedures, and organizational decision-making under evidential uncertainty.

Keywords

AI-generated evidence digital forensics information-systems governance evidence authentication metadata analysis IT risk organizational investigation provenance verification teaching case chain of custody

Opening case scenario

A medium-sized technology services organization is facing a difficult internal investigation after a delayed client delivery. The project team claims that the client had approved a change request that altered the delivery timeline. The operations head disputes this claim and asks for evidence before deciding whether disciplinary action should be taken against the project manager and two team members.

Within 24 hours, five digital files are submitted to the investigation team: an email screenshot, a PDF approval note, a scanned signature image, a Word document, and a ZIP archive containing supporting material. The files on first pass look well written and well organized. The screenshot looks like a standard email conversation, the PDF file has an approval line in it, the scanned image looks like it was signed and the zip file contains project files. The compliance officer, however, is not at ease as a person based on mere sightings because the organization has recently implemented generative-AI tools for document creation, document design, and internal communication.

The evidential problem suggests that problems of detection are not unique to SCT, rather, issues of provenance, authentication and context are also problematic as central protections to safeguard SCT (Chandra et al., 2024; Coalition for Content Provenance and Authenticity, 2026; Deng et al., 2025).

The case begins at the stage at which the management are seeking the advice of a forensic examiner for whether the pictures are solid enough to inform disciplinary or legal action. The examiner is not required to determine if a file was created by artificial intelligence or not. Instead, the examiner must be sure that the evidence being presented is right for the question – does there exist a chain of custody that could be enhanced to allow the organization to take action, and do the metadata and timestamps align with the events in question, and are files available from trusted source systems?

This orientation is based upon proper methodology of Digital Forensics and the rules by which it is guided and follows the chain of custody, looks at what is the origin of a system, what can be derived from this evidence, and in what reasonable manner should be analyzed, not just on the surface (Casey, 2011; Conlan et al., 2016; Garfinkel, 2010; Palmer, 2001).

The following diagram summarizes the decision pressure faced by the organization (Figures 1 –4).

Figure 1.

Case timeline and central decision dilemma.

Figure 2.

Evidence authentication workflow from evidence receipt to risk classification.

Figure 3.

Four-category evidence classification framework.

Figure 4.

Distinction between file integrity and file authenticity.

Background to the organizational dispute

The organization, here called NexaBridge Solutions, develops internal workflow and analytics systems for business clients. One client project involves an approval workflow that must be delivered before the end of the quarter. The project manager argues that the client approved a late change request and therefore accepted the revised timeline. The operations head argues that no such approval exists in the official document-management system.

The disputed evidence is important because the organization must decide whether the delay resulted from a legitimate client-approved change or from poor project control. A wrong decision may lead to unfair disciplinary action, reputational damage, and legal exposure. The case therefore requires learners to connect technical evidence analysis with information-systems governance and management decision-making.

The case also reflects the broader evidential challenge created by generative models and deepfake technologies, which have made visually plausible synthetic or manipulated media easier to produce and harder to judge by appearance alone (Chesney and Citron, 2019; Goodfellow et al., 2014; Mirsky and Lee, 2021; Tolosana et al., 2020).

Evidence submitted to the investigation team

The compliance officer receives the following evidence items from the project manager. Learners should assume that the visual appearance of each item is plausible and that no single item can be accepted or rejected solely on appearance (Tables 1 –3).

Table 1.

Evidence submitted to the investigation team.

Evidence item	Claim made by submitter	Initial observation
Email screenshot	The client approved the revised project scope and delivery date.	The screenshot appears to show a normal email exchange, but it is not an original email file.
PDF approval note	A formal client approval was generated before the project deadline.	The PDF is professionally formatted and contains an approval line.
Scanned signature image	A signed approval page was scanned and shared with the team.	The scan is visually convincing, but device information is limited.
Word document	An internal note recorded the change request discussion.	The document is well written and formatted, but authorship and edit history require examination.
ZIP archive	Supporting records were preserved in a structured folder.	The archive contains relevant names but its internal timestamps appear unusually close together.

Table 2.

Metadata, timeline, and provenance indicators.

Item	Selected metadata issue	Selected timeline issue	Provenance concern
Email screenshot	No full header, no message ID, image-editor metadata present	File creation post-dates the claimed email exchange	No server-side mailbox record supplied
PDF approval note	Producer and creator inconsistent with the organization’s normal workflow	Created after the disputed approval date	Not found in the document-management system
Scanned signature image	Missing scanner make/model and expected acquisition fields	Capture time not aligned with claimed scanning event	No original scan source or device acquisition
Word document	Generic author name and unusually low editing time	Last modified close to investigation request	No audit-log entry in the document repository
ZIP archive	Automated file naming pattern and uniform internal metadata	Many files created within a narrow timestamp cluster	No documented collection path or custody record

Table 3.

Additional case exhibits for student analysis.

Exhibit	Information provided	What learners should question
Exhibit A: Evidence inventory	File names, file types, dates received and submitter details.	Whether the evidence was collected from source systems or merely supplied by an interested party.
Exhibit B: Metadata extract	Selected fields from the screenshot, PDF, image, Word file, and ZIP archive.	Whether expected metadata is missing, generic, inconsistent or recently created.
Exhibit C: Timeline extract	Business events and file timestamps placed side by side.	Whether the files pre-date or post-date the events they are claimed to support.
Exhibit D: Source-system checklist	Expected email, repository, scanner, backup, and audit-log records.	Which records must be obtained before management can rely on the evidence.
Exhibit E: Management memo template	A short format for communicating findings to non-technical decision-makers.	How to express uncertainty without overstating conclusions.

The examiner’s task

The examiner must prepare a decision-oriented assessment for management. The task is not to make a binary declaration that a file is real or fake. The task is to classify the evidential quality of each item and specify what additional records are required before any action is taken.

The recommended workflow is shown below. The diagram is intentionally source-system focused: learners should start from preservation, metadata, and provenance rather than from visual confidence or generic AI-detection websites.

Metadata and timeline extracts

The investigation team extracts basic metadata and timeline information from the submitted files. The following extracts are sufficient for classroom discussion. In a laboratory version of the case, instructors may provide the original files and ask students to generate these outputs using forensic tools.

Evidence classification

Learners should classify each item using four evidence-quality categories. These categories help management understand uncertainty without forcing the examiner into unsupported certainty.

Integrity and authenticity

One of the big problems in the case occurred between two different concepts – file integrity and its authenticity. When it comes to Web services, learners tend to believe that the matching hash means that the file has not been altered. The procedure for handling the hashing operation to ensure the preservation is not altered since hashing it is not proof of its authenticity when it was first received.

This is significant as media-forensic research has demonstrated that both technical artefacts and detector output fluctuate from one generation to the next and under different processing conditions, making the distinction of authentication from provenance and corroboration more appropriate than from a single visual or the algorithmic signal (Deng et al., 2025; Verdoliva, 2020; Wang et al., 2020).

Decision point

Management requests recommendation at end of the day. The examiner will determine whether the evidence from the organization is sufficient to support a disciplinary/legal proceeding or whether he or she needs to verify it first from the source. The answer should include certain file types to be retrieved (original email files with full headers, mailbox or server logs, document-management audit logs, original scan sources, device-level forensic images, backup records, and custody documents).

Also organizational governance needs to be discussed. Although the submitted files are not necessarily utilized for direct disciplinary purposes, they nonetheless suggest gaps in the evidence submission, disclosure of use of AI, document-signing procedures, and audit trails preservation process.

Discussion questions

(1) Which submitted evidence item appears strongest, and which appears weakest? Explain using metadata, timestamps and provenance rather than visual appearance.

(2) Does a matching cryptographic hash prove that the submitted file is authentic? Why or why not?

(3) Which files should be classified as reliable, suspicious, likely manipulated or unacceptable?

(4) What additional source-system records should management request before taking action?

(5) How should the examiner communicate uncertainty to non-technical decision-makers?

(6) What governance controls should the organization introduce for AI-era evidence handling?

Additional case exhibits for student analysis

The instructor may provide the following additional exhibits during class. These exhibits are intentionally incomplete: they provide enough information for reasoned discussion but not enough to create false certainty. Learners should be encouraged to identify what is missing as much as what is present.

Organizational risk context

NexaBridge Solutions has recently encouraged staff to use productivity tools for drafting emails, preparing slide decks, and designing client-facing documents. The policy allows AI-assisted drafting, but it does not define how AI-assisted content should be disclosed when a document later becomes evidence. The organization also allows teams to share screenshots in chat groups for convenience, but official approvals are expected to be stored in the document-management system.

This mixed environment creates a governance problem. They may look professional in the sense that it was an up-to-date and professional employee, who utilized some new productivity tool. It could also appear professional since it seems to be conceived following the event for supporting a controversial narrative. Monitors, while at the same time avoiding the two extremes: Rejecting everything that has a nice appearance, or accepting everything that looks professional! Rather, the issue is whether it’s feasible to establish a connection between the file and an independent source system and chain of custody.

Likewise, recent Journal of Information Technology Teaching Case articles focus on the organizational governance/accountability challenge of responsible AI rather than on a purely technical issue (Oyebisi and Orim, 2026).

The management team is pressured to come up with a quick solution. There’s an issue with the client; they’re in need of accountability from the operations head and the project team is pushing to delay the decision they’re seeking to make to make the organization appear indecisive. But if the evidence is ‘too light’, then the second problem may occur, namely: another disciplinary process on an unsupported piece of evidence, says the compliance officer. In this case, the students have to balance the effectiveness of investigations with ‘fairness’ and ‘conviction’.

Source-system verification requirements

Students should identify the original systems that would normally generate or preserve each type of record. An email screenshot should be verified through the mailbox, full message headers, message ID, server logs or exported email files. A PDF approval should be checked against the document-management system, version history, digital signatures, workflow approvals, and backup records. A scanned signature image should be linked to a scanner, acquisition device, original document or controlled scan repository. A Word document should be checked against author metadata, editing history, repository audit logs, and related communications. A ZIP archive should be checked through filesystem metadata, acquisition notes, and custody documentation.

The teaching value lies in making learners recognize that evidence authentication is not only a tool problem. Tools can extract metadata, calculate hashes, and list timestamps, but the interpretation of those outputs requires knowledge of organizational workflows. A timestamp is meaningful only when compared with the business event it purports to support. A hash is meaningful only after preservation. A missing author field is suspicious only when it is unexpected for that workflow. This context-dependent reasoning is the main professional skill developed by the case.

Expected student deliverable

Students are to create a (short) decision memo as opposed to a technical report. Items should be identified by the nature of the item, important red flags, management’s ability to rely on the item, and additional verification steps. This is a prudent recommendation and no penalty or disciplinary or even legal measures should be taken simply on the files submitted. Should retain submitted files, get information about the source of the system, record who has custody, and then reexamine the proof.

A good student response will not use the words ‘all’ and ‘always’. The better answer is more specific: the files aren’t being provided with sufficient provenance, timestamps, and other such metadata to make it possible to rely on them with no corroboration. This separation would make the case appropriate for information technology education to tie technology products with ethical organizational decisions.

Learning closure

This case concludes with the assignment of organizational controls to be suggested by the student. Some recommended measures are obliged preservation of all original email records, limits on admittance of screenshots, document-management audit trails, signature workflows for all approvals, well-defined procedures for disclosure of the use of AI, checklists for evidence submission, and training for employees on the distinction between convenience copies and source records. These controls help shift the discussion from the forensic case to an expanded conversation about information governance in an AI world.

Instructor-controlled disclosure during class

It is best if the teacher doesn’t explain all the ‘red flags’ at the start of the case. The students are given an evidence inventory and a few metadata extracts. Once the groups have been categorized, the teacher can share the timeline extract and source-system checklist. This staged-release mimics a real investigation where some evidence will appear in its best quality form sometime after the start of the investigation and some at the worst.

In the staged design too, it’s not an easy task for students to use it as a mere means to find the answers. A reliable group which initially believes the PDF is official, may turn against the PDF once they see the producer mismatch and missing repository entry. If a group rejects early a Word document, they might be obliged to modify their classification if the teacher poses the question as to whether version-history logs would provide evidence of this classification. These revisions are crucial as they reveal to students the process in which forensic judgment has been developed by further ‘proof’.

Management communication challenge

The last task is purposely written for management and not another examiner. The student should describe the status of the evidence regarding language that could inform action. A weak answer is that the files are bogus. A higher response rates that submitted files are not sufficiently authenticated for reliance because they do not contain source-system verification and exhibit inconsistencies in metadata or timeline. The stronger answer is legally and professionally not at risk of being confused with suspicion, particularly when it actually proves to be the right answer.

The students should also be able to state what management can do in the short term. Preserve the submitted file(s), avoid overwriting original logs of the source files, ask for original files, and refrain from any disciplinary action until all subsequent treatment, except for preserving the submitted file(s), has been documented. This makes the case relevant to information-systems management, since far more important than forensic tools are system design, policies, and organizational discipline for the retention of evidence.

Alternative decision outcomes

Instructors may vary the ending. In one version, the email server logs confirm that no such email existed, making the screenshot unacceptable. In another version, the Word document is found in a legitimate repository but was exported later, making it suspicious but not necessarily manipulated. In a third version, the client provides independent confirmation that the approval was never issued. These alternative endings allow the same case to be reused across different modules and difficulty levels.

Student role and assumptions

It is important for students to realize that they are not the final authority nor do they have control over all source systems. Their job is to give an evidence-level recommendation. They should say what can be established, based on the documents submitted, and what might not be established, even if further documents were present. This role constraint is significant because the forensic report may affect managers, who may require quick decision-making, albeit from a technically more conservative standpoint.

The case also assumes a generic environment with applications – email servers, common document repository, project management records, endpoint devices, and backup retention for example. Students are not required to know the internal configuration of those systems. They must designate the different systems that might independently preserve evidence of the alleged events. It is a good way to get learners to think in a system of record instead of looking in a particular file.

Consequences of a poor decision

Management may take no account of the files sent if it accepts them without first verifying them and may discipline employees if evidence emerges which is unable to be verified. In that situation comes the legal, ethical, and reputational risk. It can also make it more tempting for staff to manipulate evidence in the future as they learn that screenshots and exported documents are sufficient to have an impact on decisions. In some cases, however, if the evidence is disregarded too fast, then this may mean that useful project history is being missed by the management, and they may be rewarding the wrong team. That means that the examiner should rather suggest a process and not a finished result.

Balanced decision saves evidence, safeguards relevant logs, asks for original, and delays irreversible action. This is the core management lesson from the case: it is crucial to create digital evidence governance prior to disputes. A lack of audit trails and inadequate safeguards on data make it much more difficult to make accurate decisions once a dispute has begun.

Closing question for learners

The case should end with a final question: what would have prevented this dispute from becoming a forensic uncertainty problem? Strong answers will mention repository-based approvals, digital signatures, email retention, AI-use disclosure, screenshot limitations, audit-log preservation, and incident-response procedures. The most advanced answers will recognize that the organization does not merely need better forensic tools; it needs an information-governance culture in which important decisions are recorded in systems that preserve provenance by design.

Evidence governance questions for follow-up

The case could involve a request to learners for designing an evidence-governance checklist for the organization as well. The checklist should include the types of documents that are not suitable for use in decision-making, when is a snapshot not enough, who is permitted to take the original documents and how are these documents being monitored to ensure they are collected, what is the process for calculating hashes in the original document(s) and where is it documented, who is authorized to collect original documents, and how will digital evidence be passed to investigators. This follow-up task is to convert this incident-response problem to a governance for prevention exercise.

AI usage also makes a difference people’s behaviour. When the employee is using generative tools to compose emails, to prepare emails for approvals, to create improvement notes, or to enhance the look of documents, the organization will need to be able to tell the difference between the mere act of using AI platforms to draft email and actually putting in evidence. In a mature policy, it is not enough to outright ban the use of AI. It should include definitions of what disclosure entails, ensure the preservation of source records, create audit trails, and ensure the retrieval of evidence used for a dispute from a controlled system, not from an informal copy. This reflection expands the discussion from forensic authentication to the management of a trusted information system.

Final reflection for students

At the end of the case, learners should be able to defend a recommendation even when the evidence remains uncertain. This is a realistic professional outcome: examiners often cannot prove every aspect of authenticity from the submitted file alone. Their responsibility is to identify evidential limitations, preserve what is available, request better records, and prevent decision-makers from treating convenience copies as verified source records. The final reflection should therefore ask students to write one sentence that they would be willing to defend in a formal meeting: based on the evidence currently available, what can the organization responsibly do next?

This reflection also makes the case reusable for assessment, because each student must convert technical observations into a defensible organizational recommendation rather than merely listing tool outputs.

Footnotes

ORCID iD

Narendra Kumar Chahar

Ethical considerations

This manuscript is submitted as a desk-based teaching case and does not report a study involving human participants, human data or human tissue. The case materials are anonymized teaching artefacts prepared for classroom discussion and contain no personally identifiable participant information.

Author contributions

Narendra Kumar Chahar: conceptualization, case design, evidence-package design, teaching-note preparation, analysis, writing – original draft, and writing – review and editing.

Funding

The author received no financial support for the research, authorship, and/or publication of this article.

Declaration of conflicting interests

The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Data Availability Statement

The manuscript is accompanied by illustrative teaching materials, including worksheets, metadata extracts, and timeline extracts. No human participant dataset is reported. Additional classroom artefacts may be made available by the author upon reasonable request, subject to institutional and ethical considerations.*

Artificial intelligence use statement

Generative AI tools were used to support language editing, structural refinement, and preparation of teaching-case materials. The author reviewed, verified, and approved all academic content, case logic, references, declarations, and final submission files.

Author biography

Narendra Kumar Chahar is an Assistant Professor at the School of Cyber Security and Digital Forensics, National Forensic Sciences University, Jaipur Campus. His teaching and research interests include digital forensics, cyber security, AI-generated digital evidence, information security, and privacy-preserving techniques. He has contributed to research and teaching in digital forensics, AI-based security, and evidence authentication.

References

Casey

(2011) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. 3rd edition. Academic Press.

Chandra

Dunietz

Roberts

, et al. (2024) Reducing risks posed by synthetic content: an overview of technical approaches to digital content transparency. In: NIST Trustworthy and Responsible AI. National Institute of Standards and Technology, pp. 100–104. https://doi.org/10.6028/NIST.AI.100-4

Chesney

Citron

(2019) Deep fakes: a looming challenge for privacy, democracy, and national security. California Law Review 107(6): 1753–1820.

Coalition for Content Provenance and Authenticity (C2PA) (2026) C2PA Technical Specification, Version 2.4. https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html (accessed 22 May 2026).

Conlan

Baggili

Breitinger

(2016) Anti-forensics: furthering digital forensic science through a new extended, granular taxonomy. Digital Investigation 18: S66–S75. https://doi.org/10.1016/j.diin.2016.04.006

Deng

Lin

Zhao

, et al. (2025) A survey of defenses against AI-generated visual media: detection, disruption, and authentication. ACM Computing Surveys 58(5): 1–35. https://doi.org/10.1145/3770916

Garfinkel

(2010) Digital forensics research: the next 10 years. Digital Investigation 7(S): S64–S73. https://doi.org/10.1016/j.diin.2010.05.009

Goodfellow

Pouget-Abadie

Mirza

, et al. (2014) Generative adversarial nets. Advances in Neural Information Processing Systems 27: 2672–2680.

Mirsky

Lee

(2021) The creation and detection of deepfakes: a survey. ACM Computing Surveys 54(1): 1–41, Article 7. https://doi.org/10.1145/3425780

10.

Oyebisi

Orim

S-M

(2026) Securing responsible AI: integrating cybersecurity and AI governance at NovexTech solutions. Journal of Information Technology Teaching Cases 20438869261448219. Available at: https://doi.org/10.1177/20438869261448219

11.

Palmer

(2001) A road map for digital forensic research. In: Proceedings of the Digital Forensic Research Workshop (DFRWS), Utica, NY, 2001, pp. 27–30.

12.

Tolosana

Vera-Rodriguez

Fierrez

, et al. (2020) Deepfakes and beyond: a survey of face manipulation and fake detection. Information Fusion 64: 131–148. https://doi.org/10.1016/j.inffus.2020.06.014

13.

Verdoliva

(2020) Media forensics and deepfakes: an overview. IEEE Journal of Selected Topics in Signal Processing 14(5): 910–932. https://doi.org/10.1109/jstsp.2020.3002101

14.

Wang

S-Y

Wang

Zhang

, et al. (2020) CNN-generated images are surprisingly easy to spot… for now. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, WA, 2020, pp. 8695–8704.