Detecting Forged (Altered) Images | Forensic Focus - Articles
Detecting Forged (Altered) Images
POSTED BY BELKASOFT ⋅ AUGUST 22, 2013 ⋅ FILED UNDER SOFTWARE, TECHNOLOGY

Are digital images submitted as court evidence genuine or have the pictures been altered or modified? We developed a range of algorithms performing automated authenticity analysis of JPEG images, and implemented them into a commercially available forensic tool. The tool produces a concise estimate of the image’s authenticity, and clearly displays the probability of the image being forged. This paper discusses methods, tools and approaches used to detect the various signs of manipulation with digital images.

How many kittens are sitting on the street? If you thought “four”, read along to find out!

Alexey Kuznetsov, Yakov Severyukhin, Oleg Afonin, Yuri Gubanov
© Belkasoft Research 2013

Today, almost everyone has a digital camera. Literally billions of digital images have been taken. Some of these images are used for purposes other than family photo albums or Web site decoration.

With the rise of digital photography, manufacturers of graphic editing tools quickly gained momentum. The tools are becoming cheaper and easier to use – so easy in fact that anyone can use them to enhance their images. Editing or post-processing, if done properly, can greatly enhance the appearance of the picture, increase its impact on the viewer and better convey the artist’s message. But where is the point when a documentary photograph becomes a fictional work of art?

While for most purposes editing pictures is more than okay, certain types of photographs are never to be manipulated. Digital pictures are routinely handed to news editors as part of event coverage. Digital pictures are presented to courts as evidence. For news coverage, certain types of alterations or
modifications (such as cropping, straightening verticals, adjusting colors and gamma etc.) may or may not be acceptable. Images presented as court evidence must not be manipulated in any way, otherwise they lose credibility as acceptable evidence.

Today’s powerful graphical editors and sophisticated image manipulation techniques make it extremely easy to modify original images in such a way that any alterations are impossible to catch by an untrained eye, and can even escape the scrutiny of experienced editors of reputable news media. Even the eye of a highly competent forensic expert can miss certain signs of a fake, potentially allowing forged (altered) images to be accepted as court evidence.

Major camera manufacturers attempted to address the issue by introducing systems based on secure digital certificates. The purpose of these systems was the ability to prove that images were not altered after being captured by the camera. Obviously aimed at photo journalists and editors, this system was also used in legal cases as genuine court evidence. The approach looks terrific on paper. The only problem, it does not work. A Russian company was able to easily forge images signed by a Canon and then Nikon digital cameras. The obviously faked images successfully passed the authenticity test by the respective manufacturers’ verification software.

Which brings us to the question. If human experts are having a hard time determining whether a particular image was altered, and if existing certificate-based authenticity verification systems cannot be relied upon, should we just give up on the very issue?

This paper demonstrates a new probabilistic approach allowing automatic authenticity analysis of a digital image. The solution uses multiple algorithms analyzing different aspects of the digital image, and employs a neural network to produce an estimate of the image’s authenticity, or providing the probability of the image being forged.

1. What Is a Forged Image?

What constitutes a manipulated image? For the purpose of this paper, we consider any modification, alteration or “enhancement” of the image after the image left the camera made with any software, including RAW conversion tools to constitute an altered image.

That said, we don’t consider an image to be altered if only in-camera, internal conversions, filters and corrections such as certain aberration corrections, saturation boost, shadow and highlight enhancements and sharpening are applied. After all, the processing of raw pixel data captured from the digital sensor is exactly what the camera’s processor is supposed to be doing.

How many umbrellas? Read along to find out!

But is every altered image a forged one? What if the only things done to the image were standard and widely accepted techniques such as cropping, rotating or applying horizon correction? These and some other techniques do alter the image, but don’t necessarily forge it, and this point may be brought
before the editor or a judge, making them accept an altered image as genuine. Therefore, the whole point of forgery analysis is determining whether any changes were made to alter meaningful content of the image. So we’ll analyze an image on pixel level in order to detect whether significant changes were made to the actual pixels, altering the content of the image rather than its appearance on the screen.

Considering all of the above, it’s pretty obvious that no single algorithm can be used to reliably detect content alterations. In our solution, we are using multiple algorithms which, in turn, fall in one of the two major groups: pixel-level content analysis algorithms locating modified areas within the image, and algorithms analyzing image format specifications to determine whether or not certain corrections have been applied to the image after it left the camera.

In addition, certain methods we had high hopes for turned out to be not applicable (e.g. block artifact grid detection). We’ll discuss those methods and the reasons why they cannot be used.

2. Forgery Detection Algorithms

Providing a comprehensive description of each and every algorithm used for detecting forged images would not be feasible, and would be out of scope of this paper. We will describe five major techniques used in our solution to feed the decisive neural network (the description of which is also out of scope of this paper).

The algorithms made it into a working prototype, and then to commercial implementation. At this time, forgery detection techniques are used in the Forgery Detection plugin [http://forensic.belkasoft.com/en/forgery-detection], an extension of a forensic tool Belkasoft Evidence Center. The plugin can analyze images discovered with Belkasoft Evidence Center, and provide the probability of the image being manipulated (forged).

2.1. JPEG Format Analysis

JPEG is a de-facto standard in digital photography. Most digital cameras can produce JPEGs, and many can only produce files in JPEG format.

The JPEG format is an endless source of data that can be used for the purposes of detecting forged images. The JPEG Format Analysis algorithm makes use of information stored in the many technical meta-tags available in the beginning of each JPEG file. These tags contain information about quantization matrixes, Huffman code tables, chroma subsampling, and many other parameters as well as a miniature version (thumbnail) of the full image. The content and sequence of those tags, as well as which particular tags are available, depend on the image itself as well as the device that captured it or software that modified it.

In addition to technical information, JPEG tags contain important information about the photo including shooting conditions and parameters such as ambient light levels, aperture and shutter speed information, make and model of the camera and lens the image was taken with, lens focal length, whether or not flash was being used, color profile information, and so on and so forth.

The basic analysis method verifies the validity of EXIF tags in the first place in an attempt to find discrepancies. This, for example, may include checks for EXIF tags added in post-processing by certain editing tools, checks for capturing date vs. the date of last modification, and so on. However, EXIF tags can be easily forged, so easily in fact that while we can treat existing EXIF discrepancies as a positive sign of an image being altered, the fact that the tags are “in order” does not bring any meaningful information.

Our solution makes an attempt to discover discrepancies between the actual image and available EXIF information, comparing the actual EXIF tags against tags that are typically used by a certain device (one that’s specified as a capturing device in the corresponding EXIF tag). We collected a comprehensive database of EXIF tags produced by a wide range of digital cameras including many smartphone models. We’re also actively adding information about new models as soon as they become available.

In addition to EXIF analysis, we review quantization tables in all image channels. Most digital cameras feature a limited set of quantization tables, therefore, we can discover discrepancies by comparing hash tables of the actual image against those expected to be produced by a certain camera.

EXIF tags of this image are a clear indication of image manipulation. The “Software” tag displays software used for editing the image, and the original date and time does not match last modification date and time.

2.2. Double Quantization Effect

This algorithm is based on certain quantization artifacts appearing when applying JPEG compression more than once. If a JPEG file was opened, edited, then saved, certain compression artifacts will inevitably appear.

In order to determine the double quantization effect, the algorithm creates 192 histograms containing discrete cosine transform values. Certain quantization effects will only appear on these histograms if an image was saved in JPEG format more than once. If the effect is discovered, we can definitely tell the image was edited (or at least saved by a graphic editor) at least once. However, if this effect is not discovered, we cannot make any definite conclusions about the image as it could, for example, be developed from a RAW file, edited in a graphic editor and saved to a JPEG file just once.

The first two histograms represent a typical file that was only saved once. The other two demonstrate what happens to a JPEG image if it’s opened and saved as JPEG once again.

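A simplified model of the double quantization effect, added here as an illustration and not taken from the Belkasoft plugin: it follows a single DCT frequency through a save with quantization step 5 and a re-save with step 3, then flags the periodic empty bins in the resulting histogram. The step sizes, the Gaussian sample coefficients and the 0.2 threshold are assumptions, and the pixel rounding that happens between two real saves is ignored.

```python
import random
from collections import Counter

def jpeg_quantize(coeffs, step):
    """Quantize DCT coefficients the way a JPEG encoder does: divide, then round."""
    return [round(c / step) for c in coeffs]

def jpeg_dequantize(levels, step):
    """Reverse step performed by a decoder when the file is opened again."""
    return [level * step for level in levels]

def histogram(levels, lo=-20, hi=20):
    """Counts per quantized value in [lo, hi] for one DCT frequency."""
    counts = Counter(levels)
    return [counts[k] for k in range(lo, hi + 1)]

def empty_bin_ratio(hist):
    """Share of empty bins between the first and the last populated bin."""
    filled = [i for i, n in enumerate(hist) if n]
    if len(filled) < 2:
        return 0.0
    span = hist[filled[0]:filled[-1] + 1]
    return span.count(0) / len(span)

def simulate(first_step, second_step=None, n=50000, seed=2013):
    """Histogram after one save, or after a save followed by a re-save."""
    rng = random.Random(seed)
    coeffs = [rng.gauss(0, 30) for _ in range(n)]  # constructed sample data
    levels = jpeg_quantize(coeffs, first_step)
    if second_step is not None:
        reopened = jpeg_dequantize(levels, first_step)
        levels = jpeg_quantize(reopened, second_step)
    return histogram(levels)

def looks_resaved(hist, threshold=0.2):
    """True when the histogram shows the gaps left by a second quantization."""
    return empty_bin_ratio(hist) >= threshold

SAVED_ONCE = simulate(3)        # single save with step 3
SAVED_TWICE = simulate(5, 3)    # saved with step 5, re-saved with step 3

if __name__ == "__main__":
    for name, hist in (("saved once", SAVED_ONCE), ("saved twice", SAVED_TWICE)):
        print(name, round(empty_bin_ratio(hist), 3), looks_resaved(hist))
        print("  bins 0..10:", " ".join(str(v) for v in hist[20:31]))
```

Gaps appear here because the first step is larger than the second; a clean histogram proves nothing, in line with the caveat in the text above.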
These two images look identical, although the second picture was opened in a graphic editor and then saved. The following histograms make the difference clear.

2.3. Error Level Analysis

This algorithm detects foreign objects injected into the original image by analyzing quantization tables of blocks of pixels across the image. Quantization of certain pasted objects (as well as objects drawn in an editor) may differ significantly from other parts of the image, especially if either (or both) the original image or injected objects were previously compressed in JPEG format.

While this may not be a perfect example, it still makes it very clear which of the four cats were originally in the images, and which were pasted during editing. Quantization deviation is significantly higher for the two cats on the left. This effect will be significantly more pronounced if the object being pasted would be taken from a different image.

2.4. Copy/Move Forgery and Clone Detection

An extremely common practice of faking images is transplanting parts of the same image across the picture. For example, an editor may mask the existence of a certain object by “patching” it with a piece of background cloned from that same image, copy or move existing objects around the picture. Quantization tables of the different pieces will look very similar to the rest of the image, so we must employ methods identifying image blocks that look artificially similar to each other.

The second image is fake. Note that the other umbrella is not simply copying and pasting: the pasted object is scaled to appear larger (closer).

Our solution employs several approaches including direct tile comparison across the image, as well as complex algorithms that are able to identify cloned areas even if varying transparency levels are applied to pasted pieces, or if an object is placed on top of the pasted area.

The third image outlines matching points that allow detecting the cloned image.

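Direct tile comparison in its simplest form, as an added example that is not the plugin's code: identical tiles are grouped, and a shift vector shared by many tile pairs marks a cloned region. The 32×32 noise image, the 8×8 clone and all parameter values are constructed for the demonstration; exact matching does not cover the scaled or semi-transparent pastes mentioned above.

```python
import random
from collections import Counter, defaultdict

def find_cloned_regions(img, tile=4, min_pairs=10, min_contrast=8):
    """Return [((dy, dx), pair_count)] for shifts shared by many identical tiles.

    img is a grayscale image given as a list of rows of 0..255 integers.
    """
    height, width = len(img), len(img[0])
    positions = defaultdict(list)
    for y in range(height - tile + 1):
        for x in range(width - tile + 1):
            block = tuple(img[y + j][x + i]
                          for j in range(tile) for i in range(tile))
            # Flat areas (sky, walls) match everywhere and say nothing
            # about cloning, so tiles with almost no contrast are skipped.
            if max(block) - min(block) < min_contrast:
                continue
            positions[block].append((y, x))

    # Every pair of identical tiles votes for the shift between them.
    # A genuine clone produces many votes for one and the same shift.
    shifts = Counter()
    for where in positions.values():
        for a in range(len(where)):
            for b in range(a + 1, len(where)):
                (y1, x1), (y2, x2) = where[a], where[b]
                shifts[(y2 - y1, x2 - x1)] += 1
    return [(shift, n) for shift, n in shifts.most_common() if n >= min_pairs]

def make_sample(clone=True, size=32, seed=7):
    """Constructed test image: random noise, optionally with an 8x8 patch
    copied from row 4, column 4 to row 20, column 18."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(size)] for _ in range(size)]
    if clone:
        for j in range(8):
            for i in range(8):
                img[20 + j][18 + i] = img[4 + j][4 + i]
    return img

if __name__ == "__main__":
    print("untouched:", find_cloned_regions(make_sample(clone=False)))
    print("cloned:   ", find_cloned_regions(make_sample(clone=True)))
```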
2.5. Inconsistent Image Quality

JPEG is a lossy format. Every time the same image is opened and saved in the JPEG format, some apparent visual quality is lost and some artifacts appear. You can easily reproduce the issue by opening a JPEG file, saving it, closing, then opening and saving again. Repeat several times, and you’ll start noticing the difference, sooner if higher compression levels are specified.

Visual quality is not standardized, and varies greatly between the different JPEG compression engines. Different JPEG compression algorithms may produce vastly different files even when set to their highest-quality setting. As there is no uniform standard among the different JPEG implementations to justify resulting visual quality of a JPEG file, we had to settle on our own internal scale. This was inevitable to judge the quality of JPEG files processed by the many different engines on the same scale.

According to our internal scale, JPEG images coming out of the camera normally have apparent visual quality of roughly 80% (can be more or less, depending on camera settings and JPEG compression engine employed by the camera processor). As a result, we expect an unaltered image to fall approximately within that range. However, as JPEG is a lossy compression algorithm, every time a JPEG image is opened and saved as a JPEG file again, there is loss of apparent visual quality – even if the lowest compression / highest quality setting is used.

The simplest way to estimate the apparent visual quality of an existing JPEG file would be applying certain formulas to channel quantization tables specified in the file’s tags. However, altering the tags is all too easy, so our solution uses pixel-level analysis that can “see through” the quantization matrix.

This is the same image, only the last three pictures are saved from the original with 90%, 70% and 50% quality respectively.

3. Non-Applicable Algorithms

Some techniques sound great on paper but don’t work that well (if at all) in real life. The algorithms described below may be used in lab tests performed under controlled circumstances, but stand no chance in real life applications.

3.1. Block artifact grid detection

JPEG is using blocks sized 8×8 pixels, and these blocks become more and more clearly visible when the image is re-saved. The higher the level of compression is the more visible blocking artifacts become.
The idea is also based on ideas presented in and . In addition, the algorithm analyzes the result of discrete cosine transform coefficients calculated on a bunch of 8×8 JPEG DCT chunks. Comparing coefficients to one another can supposedly identify foreign objects such as those pasted from another image. In reality these changes turned out to be statistically insignificant and easily affected by consecutive compression when saving the final JPEG image.

3.2. Color filter array interpolation

Most modern digital sensors are based on the Bayer array.

This algorithm makes use of the fact that most modern digital cameras are using sensors based on a Bayer array. Pixel values of color images are determined by interpolating readings of adjacent red, green and blue sub-pixels . Based on this fact, a statistical comparison of adjacent blocks of pixels can supposedly identify discrepancies. However, discrepancies can easily arise in the original image on the borders of different color zones. In reality, we discovered no statistically meaningful differences, especially if an image was compressed and re-compressed with a lossy algorithm such as JPEG. This method would probably give somewhat more meaningful results if lossless compression formats such as TIFF were widely used. In real-life applications, the lossy JPEG format is a de-facto standard for storing digital pictures, so color filter array interpolation algorithm is of little use in these applications.

4. Implementation

The algorithms described in this paper made it to a commercial product. They were implemented as a plugin to a forensic tool Belkasoft Evidence Center [http://forensic.belkasoft.com/]. The plugin enables Evidence Center to estimate how genuine the images are by calculating the probability of alterations. The product is aimed at forensic audience, allowing investigators, lawyers and law enforcement officials validate whether digital pictures submitted as evidence are in fact acceptable.

Using Evidence Center equipped with the Forgery Detection plugin to analyze authenticity of digital images is easy. The analysis is completely automated. Sample report looks like the following:

The plugin is available at http://forensic.belkasoft.com/en/forgery-detection.

5. Conclusion and Further Work

We developed a comprehensive software solution implementing algorithms based on statistical analysis of information available in digital images. A neural network is employed to produce the final decision, judging the probability of an image of being altered or original. Some algorithms employed in our solution are based on encoding and compression techniques as well as compression artifacts inherent to the de-facto standard JPEG algorithm. Most alterations performed to JPEG files are spotted right away with high probability.

Notably, our solution in its current state may miss certain alterations performed on uncompressed images or pictures compressed with a lossless codec. Let us take, for example, scenario in which an editor pastes slices from one RAW (TIFF, PNG…) image file into another losslessly compressed file, and then saves a final JPEG only once. In this case, our solution will be able to tell that the image was in fact modified in some graphic editing software, but will be likely unable to detect the exact location of foreign objects. However, if the pasted bits were taken from a JPEG file (which is rather likely as most pictures today are in fact stored as JPEGs), then our solution will likely be able to pinpoint the exact location of the patches.

6. About the Authors

Alexey Kuznetsov is the Head of Department of GRC (Governance Risk Compliance) in International Banking Institute. Alexey is an expert on business process modeling.

Yakov Severyukhin is Head of Photoreport Analysis Laboratory in International Banking Institute. Yakov is an expert in digital image processing.

Oleg Afonin is Belkasoft sales and marketing director. He is an expert and consultant in computer forensics.

Yuri Gubanov is a CEO of Belkasoft. Yuri is a renowned computer forensics expert. He is a frequent speaker at industry-known conferences such as CEIC, HTCIA, FT-Day, ICDDF, TechnoForensics and others.

The authors can be contacted by email at contact@belkasoft.com

1. Protecting Journalistic Integrity Algorithmically http://lemonodor.com/archives/2008/02/protecting_journalistic_integrity_algorithmically.html#c22564
2. Detection of Copy-Move Forgery in Digital Images http://www.ws.binghamton.edu/fridrich/Research/copymove.pdf
3. John Graham-Cumming’s Clone Tool Detector http://www.jgc.org/blog/2008/02/tonight-im-goingto-write-myself-aston.html
4. Demosaicking: Color Filter Array Interpolation http://www.ece.gatech.edu/research/labs/MCCL/pubs/dwnlds/bahadir05.pdf
5. Retrieving Digital Evidence: Methods, Techniques and Issues http://forensic.belkasoft.com/en/retrieving-digital-evidence-methods-techniques-and-issues