Deepfakes In Litigation: Navigating Suspicion, Evidence And Forensic Analysis
The emergence of Large Language Models (LLMs) to create shallow and deepfake evidence has opened up a Pandora’s box of problems for litigators. Many industries, especially those with high-volume repetitive processes, have begun to develop detection and prevention measures against deepfakes. Litigators don’t have that luxury and must depend on old-fashioned insight and suspicion. This article explores the issues and points out when and how litigators can seek help.
The rise of AI-generated deepfakes presents a novel challenge for litigators: how do you identify and manage falsified evidence when reviewing thousands of documents? Unlike sectors such as travel, automotive, or medical insurance, where fraud detection tools are increasingly mature, lawyers are confronted with a unique set of constraints. Evidence sent to legal teams often comes in the form of PDFs, scanned images, or other non-native formats uploaded into document review platforms, making it harder to apply automated detection methods. This raises two key questions: when should you be suspicious, and what practical steps can you take to address potential deepfakes?
Detection and Prevention: The “Obvious” Layer
In some industries, such as insurance, detection techniques are being embedded into workflows. Tools exist for secure document and image upload, sentiment analysis, and risk scoring. For video and images, analytics software such as Sensity or Amped Authenticate can flag unusual metadata or signs of manipulation, making the initial triage easier. However, for documents, detection relies on spotting contextual and factual anomalies in the context of a live claim. For litigators, therefore, these tools are less relevant; evidence may be several years old and is mostly documentary, and genuine forensic analysis still needs expert input.
For lawyers, prevention is therefore largely procedural. It involves obtaining documents in their native form in a forensic manner wherever possible, securing chain-of-custody, and ensuring that all parties adhere to evidential standards. Yet, even with these best efforts, the real challenge is navigating the vast middle ground of litigation: the review of thousands of files, many of which may hide subtle falsifications.
The Hard Middle: Thousands of Documents, Limited Access
Most of us are familiar with the warning signs of a phishing email: inconsistent domains, anomalies in the text, etc. However, be warned that a deepfake presented in evidence is unlikely to be so transparent; done well, it will be almost undetectable as a fake, with properly generated message headers and routing paths that make it seem to have come from the relevant IT systems.
If you are in any doubt, consider the following scenario: if I already have your email address, with an LLM it would take me no more than ten minutes to create an email that appears to be from you, authorising me to perform a critical action such as authenticating a faked signature. The only difference is that you won’t be able to find a copy of it in your sent folder. Now imagine your organisation’s data retention policy automatically deletes sent emails after three years. How will you then prove you never sent me that email?
When reviewing a large document set, the question becomes: how do you know when to be suspicious?
Focus on evidence that could materially influence the outcome of the case. Maybe pleadings and particulars of claim will highlight problem areas, but also consider the risk of the smoking gun, hidden away in a mountain of documents and which your opponent has not yet highlighted. This is where tools such as Relativity’s aiR for Case Strategy can deliver significant value, allowing you to surface “helpful” and “harmful” documents quickly before hundreds of hours of review get wasted.
Signs that should raise red flags include:
- Surprising evidence: Documents that contradict known facts or contain details that seem inconsistent with the narrative.
- Lack of context: Emails or messages with no prior thread, limited participants, or unexplained attachments.
- Inconsistencies in style or tone: Sudden shifts in language, formatting, or metadata that are unusual for the sender.
When Suspicion Arises: Practical Steps
Once a document raises concerns, there are immediate steps to take before escalating to full forensic analysis:
- Prioritise emails and documents with limited context: These are the most likely to contain falsified content.
- Look for inconsistencies across documents: Dates, sender/recipient discrepancies, or unexpected attachments may be indicators.
- Leverage AI and text analysis: LLMs can be powerful allies when triaging large volumes of documents. Secure internal Generative AI (GenAI) tools can assist at this stage, for example, by providing an LLM with a set of a hundred genuine emails and then introducing five suspect ones, so the model can highlight the anomalies.
How does AI text analysis work in practice?
Rather than “spotting fakes” directly, the AI establishes a linguistic and structural baseline from the genuine material. It learns the sender’s typical vocabulary, tone, sentence length, formatting habits, and even common metadata patterns. When the suspect emails deviate from this baseline – for instance by using phrasing the person never normally uses, by showing irregularities in salutations or sign-offs, or by displaying unusual attachment types – the system flags them for further review.
This doesn’t amount to a conclusive verdict, but it is an efficient way of narrowing down where to look more closely. In other words, AI can act as an early warning system: surfacing the outliers that deserve human or forensic scrutiny, while allowing lawyers to focus their time and expertise where it matters most.
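The baseline-and-deviation idea described above, as an added example that is not the author's tooling: it swaps the LLM for a simple statistical comparison of salutation, sign-off, sentence length and vocabulary. The emails are constructed samples, and the thresholds (`z_limit`, `novel_limit`) and feature choices are assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed sample emails (not from any real matter).
GENUINE = [
    "Hi Tom,\n\nPlease send the March figures today. I need them for the board pack.\n\nThanks,\nSarah",
    "Hi Priya,\n\nThe board pack is ready. Please check the figures and send comments today.\n\nThanks,\nSarah",
    "Hi Tom,\n\nI need the payment run approved. Please check it today.\n\nThanks,\nSarah",
    "Hi Priya,\n\nPlease send the payment figures for March to the board today. Thanks for the comments.\n\nThanks,\nSarah",
]
SUSPECT_A = "Hi Tom,\n\nPlease check the payment figures today. I need them for the board.\n\nThanks,\nSarah"
SUSPECT_B = ("Dear Mr Reed,\n\nI hereby authorise you to execute the transfer of funds on my behalf "
             "and confirm that my signature may be applied without further approval.\n\nKind regards,\nSarah")

def features(email):
    """Layout assumed: salutation line, body, sign-off line, name line."""
    lines = [l.strip() for l in email.splitlines() if l.strip()]
    body = " ".join(lines[1:-2])
    sentences = [s for s in re.split(r"[.!?]+", body) if s.strip()]
    words = re.findall(r"[a-z']+", body.lower())
    return {"salutation": lines[0].split()[0].lower(),
            "signoff": lines[-2].rstrip(",").lower(),
            "sentence_len": len(words) / len(sentences),
            "vocab": set(words)}

def build_baseline(emails):
    """Profile the sender from material accepted as genuine."""
    feats = [features(e) for e in emails]
    lens = [f["sentence_len"] for f in feats]
    return {"salutations": {f["salutation"] for f in feats},
            "signoffs": {f["signoff"] for f in feats},
            "vocab": set().union(*(f["vocab"] for f in feats)),
            "len_mean": mean(lens), "len_sd": pstdev(lens) or 1.0}

def deviations(email, base, z_limit=3.0, novel_limit=0.4):
    """Return reasons for closer review; an empty list means no deviation found."""
    f, out = features(email), []
    if f["salutation"] not in base["salutations"]:
        out.append("unseen salutation")
    if f["signoff"] not in base["signoffs"]:
        out.append("unseen sign-off")
    if abs(f["sentence_len"] - base["len_mean"]) / base["len_sd"] > z_limit:
        out.append("sentence length outlier")
    if len(f["vocab"] - base["vocab"]) / len(f["vocab"]) > novel_limit:
        out.append("unfamiliar vocabulary")
    return out
```

With a baseline this small the scores are only indicative; the returned reasons are the kind of anomaly record the following paragraph asks reviewers to keep.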
Once a concern arises, document your suspicions meticulously. Often the only way to challenge a well-made fake is to seek an order to access native files or drives, so keeping a clear record of anomalies, whether it’s a missing header, inconsistent timestamp, or unexplained deviation in style, will lay the groundwork for requesting native files or engaging experts. A well-documented trail will be critical, as will early involvement of forensic specialists: they can examine metadata, audit digital footprints, and provide the technical validation needed to persuade a court.
Forensic Analysis: Proving Suspicions
Once native files are available, forensic experts can perform a deeper investigation. Capabilities often include:
- Metadata analysis: Reviewing timestamps, device information, and document origin. For example, a contract that claims to have been created in 2018 may reveal metadata showing it was authored on a device running software not released until 2021. Even subtle anomalies such as inconsistent time zones between drafts can indicate tampering.
- Digital file authentication: Analysing files for hidden signs of manipulation. In PDFs or images, forensic tools can reveal duplicate compression artefacts suggesting a pasted element, or unusual font embedding inconsistent with the alleged source. For video and audio, waveform analysis or pixel-level irregularities can highlight synthetic content. These techniques apply whether or not AI has been used, but deepfake tools often leave distinctive statistical “fingerprints” that can be surfaced through advanced forensic analysis. Ultimately, it is the forensic examiner using these specialist tools who detects, interprets, and confirms such anomalies.
- Pattern recognition across datasets: Looking for anomalies in a wider set of evidence. For example, if an email purporting to be from a CFO uses slightly different phrasing, headers, or routing paths compared to thousands of their genuine emails, this discrepancy may be significant. AI-based tools can amplify these comparisons by highlighting linguistic or structural features that deviate from an established pattern.
- Investigation of the computer: It is often necessary to investigate the device or system suspected of creating the fake. Examining a custodian’s laptop or phone can reveal traces of GenAI usage such as cached files, browser history showing prompts to AI tools, or application logs recording the generation of synthetic content. Equally, investigators should consider whether the custodian has installed or downloaded offline AI models (for example, packages such as Ollama or other local LLMs), or whether scripts exist on the machine that interact with AI APIs. These artefacts may not be obvious in the disputed files themselves but can provide strong circumstantial evidence that the user had both the capability and the intent to generate synthetic documents.
When “April 2018” Isn’t Really April 2018: An Experiment
To test how convincing backdated evidence might appear, we created three Word documents that all purported to represent an agreement dated April 2018.
The first was generated using ChatGPT/GenAI, with the creation date set to April 2018 at the point of generation. The second was a genuine Word file created manually on a laptop, with the content typed in, saved, and then altered using a Python script to backdate the author and creation date metadata. The third was created by manually setting the computer’s system clock to April 2018 before opening Word, drafting the content, and saving the file.
At first glance, all three appeared identical: each displayed April 2018 in their document properties. However, deeper forensic inspection revealed that each method left its own distinctive footprint.
GenAI-generated document: Substantially larger in file size, with a core XML (docProps/core.xml) containing additional fields and identifiers pointing to the use of python-docx and other generation metadata. Its internal structure was markedly different from a native Word save.
Scripted backdated document: Leaner XML, with creation/modified timestamps injected programmatically. While the surface properties were aligned with 2018, compression patterns and metadata ordering exposed that the file had been altered after creation.
System clock backdated document: Produced the most superficially convincing result, since both the filesystem timestamps and the document properties aligned with April 2018. Nevertheless, forensic analysis still revealed subtle anomalies in the internal XML structure and compression compared to a genuine 2018 file, confirming that even this approach leaves detectable traces.
These experiments demonstrate that, although all three files presented as if they had been created in April 2018, their internal fingerprints told very different stories. File size, XML content, and binary package structure each carried evidence of how the document was produced, whether through GenAI, scripted manipulation, or system clock tampering. For investigators, this reinforces the point that surface-level metadata cannot be taken at face value: only by examining documents at the XML or hex level can the true provenance and potential manipulation be uncovered.
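The kind of package-level check the experiment describes, as an added example (not the authors' experiment code): it opens a DOCX as a ZIP container and compares docProps/core.xml with what the container itself records. The sample files are built in memory and are constructed, and the one-day tolerance and the finding labels are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
CORE = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/'
        '2006/metadata/core-properties" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
        '<dc:description>{desc}</dc:description>'
        '<dcterms:created>{when}</dcterms:created>'
        '<dcterms:modified>{when}</dcterms:modified></cp:coreProperties>')

def build_sample(when, member_time, desc=""):
    """Constructed test input: a minimal DOCX-like ZIP, not a real Word save."""
    core = CORE.format(desc=desc, when=when, **NS)
    parts = [("[Content_Types].xml", "<Types/>"), ("docProps/core.xml", core),
             ("word/document.xml", "<document/>")]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts:
            z.writestr(zipfile.ZipInfo(name, date_time=member_time), data)
    return buf.getvalue()

def inspect_docx(blob, tolerance=timedelta(days=1)):
    """Compare the displayed properties with what the ZIP container records."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        members = z.infolist()
        core_raw = z.read("docProps/core.xml")
    # Untrusted input: in casework use a hardened XML parser (e.g. defusedxml).
    root = ET.fromstring(core_raw)
    modified = datetime.strptime(root.findtext("dcterms:modified", namespaces=NS),
                                 "%Y-%m-%dT%H:%M:%SZ")
    findings = []
    if b"python-docx" in core_raw:
        findings.append("core.xml references python-docx")
    # ZIP member times carry no time zone, hence the tolerance (an assumption).
    late = [m.filename for m in members
            if datetime(*m.date_time) > modified + tolerance]
    if late:
        findings.append(f"{len(late)} ZIP members written after claimed last save")
    # Member order and sizes are returned for comparison with a known-genuine file.
    return {"claimed_modified": modified, "findings": findings,
            "member_order": [m.filename for m in members],
            "sizes": {m.filename: (m.compress_size, m.file_size) for m in members}}
```

Run it against a verified copy of the native file and treat each finding as a lead for the forensic examiner, alongside a comparison of member order and sizes with a genuine file from the same period.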
In combination, these techniques allow experts not only to detect manipulation but also to answer the critical question: has AI been used to generate or alter this evidence?
While no single method is conclusive, layering metadata review, file authentication, dataset comparison, and device investigation (including the search for locally stored AI tools or scripts) provides the strongest basis for proving suspicions in court.
The Litigator’s Burden
Whilst it is still the case that the burden of proof falls on the party relying on a piece of evidence, the litigator’s burden is increasing in a world where faking is becoming exponentially easier. Gut instinct is no longer enough in an era of hyper-realistic fakes. Litigators need to triage evidence with both procedural diligence and technological support, and escalate concerns to experts at the earliest opportunity.
The key issue is the need to challenge, which relies on spotting suspicious documents in the first place, then being able to document and justify those suspicions before demanding corroborative evidence, which may require expert analysis and/or access to native files. Since courts and professional bodies increasingly expect litigators to proactively verify the provenance of documents, litigators will need to engage with forensic experts at an early stage for assistance (often with the benefit of AI tools) to conduct metadata analysis and detect patterns and stylistic anomalies.
Deepfake threats pose challenges for existing evidentiary rules
While existing evidentiary rules – such as the best evidence rule, chain of custody requirements, and authentication standards – still provide a legal framework for verifying documents, they were developed long before AI-generated content became widespread.
Emerging professional guidance from the UK’s Law Society, the Bar Council, and the American Bar Association all emphasise that lawyers have a duty to verify and corroborate evidence, and to document the steps taken to satisfy their professional obligations of competence and honesty before the court.
Taken together, the trend is for the burden of proof for authenticity to shift upstream. Lawyers can no longer rely solely on the appearance of a document or the traditional chain of custody. Instead, they need to combine triage methods, AI-assisted detection, and forensic verification, and to maintain clear documentation of any suspicions. In practice, this makes the middle stage of litigation – reviewing thousands of documents, identifying which are impactful, and deciding which require further scrutiny – the most challenging and critical step.
Deepfakes will only become more convincing. Litigators who wait until trial to challenge suspicious documents may already be on the back foot. Proactive triage, AI-assisted review, and early engagement with forensic experts are becoming essential. Indeed, clients are already navigating these challenges, ensuring courts can continue to rely on the authenticity of evidence in an age of hyper-realistic fakes.
* This report was first published in Mealey’s Litigation Report: Artificial Intelligence.
[Editor’s Note: Phil Beckett is a Managing Director and Leader of Alvarez & Marsal Disputes and Investigations practice based in London. Any commentary or opinions do not reflect the opinions of Alvarez & Marsal or LexisNexis®, Mealey Publications™. Copyright © 2025 by Phil Beckett. Responses are welcome.]