Forged Image Detection


Created: 12.10.2020

https://29a.ch/photo-forensics/#forensic-magnifier

Images can be forged or cloned, and regions can be manipulated in ways that are hard to detect with the naked eye. ❗ Social media strips metadata from uploaded images, which makes tracking the image difficult.

The main goals are to detect whether the image was cloned and to track the source of the image. Forensically and JPEGSnoop are open-source tools that detect tampering.

  1. Magnification. Autocontrast will not disturb the colors too much. Autocontrast by channel will.
  2. Clone Detection. The most important. Minimal similarity ~ 0.5. Minimal detail ~ 0.1. Minimal cluster size (the number of blocks that two regions need to share in order to be considered clones) ~ 14.
  3. Error-level analysis. Shows that something was compressed multiple times. For example, when you paste an image onto another image and save, there are several compressions in place: one for the original image and one for the pasted one. Use noise to determine that. Spot the artifacts that have been implanted in an image by compressing it multiple times. Because of the noise, these parts can’t be compressed much.
  4. Noise analysis. Self-explanatory.
  5. JPEG analysis. Computes the quantization table, which specifies the way an image has been compressed. Each cell is 0-255. To compress an image, the pixel intensities are modified by the software in the range of -128 to 127 and a new quantization table is calculated. The standard value is 95, which is the automatic value when the image is not processed. Adobe (Photoshop quality) uses 85. Also look at the order of the different sections. SOI marks the image start, EOI the end of the image. Multiple SOI and EOI are indicative of pasting other images. Application segments: APP0 (JPEG version, screen and printing resolution), APP1 (date/time, focal length, aperture), APP13 (if processed with Adobe Photoshop). SOS - image was compressed.
  6. Structural and String Analysis. Useful when there is no EXIF. FBMD01000a9... indicates a web upload (Facebook).

[Image: osdf-fakeimages1]

This one was processed with Adobe, since APP13 is there. Also, JPEG images sometimes contain a Comment section.
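The segment checks from item 5, as an added example (not code from these notes or from JPEGSnoop): a standard-library walker that lists top-level markers in file order, decodes the quantization tables, and flags the indicators named above. The function names and the `SAMPLE` bytes are constructed for illustration; because segment payloads are skipped, a thumbnail's own SOI/EOI inside APP1 is not counted.

```python
import struct

NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xDB: "DQT", 0xFE: "COM"}

def parse_dqt(payload):
    """Decode the tables in one DQT payload as {table_id: 64 values}."""
    tables, p = {}, 0
    while p < len(payload):
        precision, table_id = payload[p] >> 4, payload[p] & 0x0F
        size = 128 if precision else 64          # 16-bit or 8-bit cells
        raw = payload[p + 1:p + 1 + size]
        if len(raw) == size:                     # ignore a truncated table
            tables[table_id] = list(struct.unpack(">64H" if precision else "64B", raw))
        p += 1 + size
    return tables

def walk_jpeg(data):
    """Return (top-level marker names in file order, quantization tables)."""
    markers, qtables, i = [], {}, 0
    while i + 1 < len(data):
        m = data[i + 1]
        if data[i] != 0xFF or m in (0x00, 0xFF) or 0xD0 <= m <= 0xD7:
            i += 1                               # scan data, stuffing, fill, restart
            continue
        markers.append(NAMES.get(m, f"APP{m - 0xE0}" if 0xE0 <= m <= 0xEF else f"0x{m:02X}"))
        i += 2
        if m in (0xD8, 0xD9) or i + 2 > len(data):
            continue                             # SOI/EOI carry no length field
        length = int.from_bytes(data[i:i + 2], "big")
        if m == 0xDB:
            qtables.update(parse_dqt(data[i + 2:i + length]))
        i += length                              # skip payload, e.g. an EXIF thumbnail in APP1
    return markers, qtables

def findings(markers):
    checks = [("multiple top-level SOI/EOI", markers.count("SOI") > 1 or markers.count("EOI") > 1),
              ("APP13 present", "APP13" in markers),
              ("no APP1 (EXIF) segment", "APP1" not in markers),
              ("comment segment present", "COM" in markers)]
    return [label for label, hit in checks if hit]

def seg(marker, payload=b""):                    # builds one segment for the sample
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
# Constructed sample (not a real photo): APP0, APP13, one table, a scan, then a second image appended.
SAMPLE = (b"\xFF\xD8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(0xED, b"Photoshop 3.0\x00")
          + seg(0xDB, b"\x00" + bytes(range(1, 65))) + seg(0xDA, bytes(10))
          + b"\x12\xFF\x00\x34\xFF\xD9" + b"\xFF\xD8\xFF\xD9")
if __name__ == "__main__":
    print(*walk_jpeg(SAMPLE), findings(walk_jpeg(SAMPLE)[0]), sep="\n")
```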

JPEGSnoop, used for image tracking, extracts embedded info. It identifies the “Original Transmission Reference” (a number or an ID embedded in the image, provided by the creator or image provider and used for transmission and tracking purposes).

Based on the compression signature of the cloned image, it generates a list of devices/software that could have been used to take or create the image. This helps track the device and model (especially when there is no EXIF).

Limitations

Magnification blurs the colors, so tampering is difficult to detect. GPS data might not be available if the image was taken with a device that either doesn’t have GPS or has GPS tracking disabled. Social media strips metadata. ❗ JPEG analysis can identify quantization tables only if the image is processed and edited using Adobe.

References

  1. OSDFCon
  2. https://usersearch.org/updates/2022/05/10/how-to-investigate-a-picture-like-an-expert/?amp=1