Digital Image Forensics: Ways to Investigate Images’ Reliability
Performing Digital Image Forensics Using ExifTool, JPEGsnoop, and Forensically
Living in an increasingly technologically advanced world makes it remarkably easy to use tools to manipulate things such as digital images. Cutting, cloning, or resizing an image are simple examples of digital image manipulation. Such manipulation makes it challenging to establish whether an image is original, especially if the image is evidence of a crime or, let's say, the result of anti-forensic techniques. In this case, digital image forensics may be one solution for verifying the authenticity and integrity of digital images.
Digital Image Anti-forensics
A picture is worth a thousand words.
The phrase above is relevant to digital image anti-forensics: with the naked eye, it is hard to tell whether a picture is original or not. Sometimes, editing or performing simple manipulations on an image is not enough. Anti-forensics includes more advanced techniques, which involve image resampling, resizing or rotation, nonlinear filtering, and geometrical distortions, to disguise and remove the traces of the manipulation.
For example, the 2008 picture of the Iran missiles above looks real enough, doesn’t it? In fact, it has been heavily manipulated: it shows four missiles, one more than the original, which shows only three.
It is sometimes difficult to figure out which parts of an image have been modified or manipulated, especially if the manipulation was performed by experts. However, it is still possible to identify whether an image, or even which part of it, has been manipulated by using simple methods of digital image forensics.
Digital Image Forensics
One approach to image forensics is checking the metadata of the image. Metadata is data about data; for an image, it usually consists of basic information such as the date when the picture was created, its size, resolution, etc. Another approach is to identify whether there are parts of the image that are abnormal or look “edited”. We will discuss some examples of tools commonly used to perform simple digital image forensics.
The sample image we will use is the picture below.
We will examine whether this image has been manipulated and, if so, which parts.
ExifTool
According to its site, ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files, including Exchangeable Image File Format (Exif), which is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras, smartphones, scanners, etc.
By simply dragging the picture we want to examine onto the ExifTool executable file, we will see the metadata of the picture as shown below.
We can start by examining the profile date/time, which shows when the original file was first created, and comparing it with the file modification date/time.
It turns out that the two values are different, which may indicate that the image was manipulated after it was first created or taken.
Also, if you look closely, there is one parameter that can be strong evidence that the image has been manipulated: the software.
The metadata indicates that software called GIMP may have been involved in this image. GIMP (GNU Image Manipulation Program) is an open-source graphics editor usually used for image manipulation and image editing. This means there is a high chance that the image has been manipulated using GIMP.
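The two checks above (the Software field, and created versus modified time) as an added example that is not part of the original article or of ExifTool: a minimal Exif reader in Python. It compares the Exif DateTimeOriginal and DateTime tags instead of the ICC profile date the article reads, and the sample JPEG, its tag values and the editor watch-list are constructed for illustration.

```python
import struct

ASCII, SOFTWARE, DATETIME, EXIF_IFD, DT_ORIGINAL = 2, 0x0131, 0x0132, 0x8769, 0x9003
EDITORS = ("gimp", "photoshop")  # assumed watch-list for this example

def read_ifd(tiff, order, off):  # one TIFF IFD as {tag: value}, ASCII decoded to str
    out = {}
    for i in range(struct.unpack_from(order + "H", tiff, off)[0]):
        tag, typ, n, val = struct.unpack_from(order + "HHI4s", tiff, off + 2 + 12 * i)
        num = struct.unpack(order + "I", val)[0]  # inline LONG, or offset to the data
        raw = val[:n] if n <= 4 else tiff[num:num + n]
        out[tag] = raw.rstrip(b"\0").decode("ascii", "replace") if typ == ASCII else num
    return out

def exif_tags(jpeg):
    """Walk JPEG segments up to start-of-scan; return IFD0 plus Exif sub-IFD tags."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)  # require the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\0\0":
            tiff, order = body[6:], "<" if body[6:8] == b"II" else ">"
            tags = read_ifd(tiff, order, struct.unpack_from(order + "I", tiff, 4)[0])
            tags.update(read_ifd(tiff, order, tags[EXIF_IFD]) if EXIF_IFD in tags else {})
            return tags
        pos += 2 + size
    return {}

def triage(jpeg):
    tags = exif_tags(jpeg)
    notes = [] if tags else ["no Exif block: metadata stripped or never written"]
    if any(e in tags.get(SOFTWARE, "").lower() for e in EDITORS):
        notes.append("Software tag names an editor: " + tags[SOFTWARE])
    if DT_ORIGINAL in tags and tags.get(DATETIME) not in (None, tags[DT_ORIGINAL]):
        notes.append("modified %s, captured %s" % (tags[DATETIME], tags[DT_ORIGINAL]))
    return notes

def sample_jpeg(software=b"GIMP 2.10.8\0", modified=b"2020:03:01 10:00:00\0",
                original=b"2020:02:14 08:30:00\0"):  # constructed; strings > 4 bytes
    e = lambda tag, typ, n, v: struct.pack("<HHII", tag, typ, n, v)
    m_off = 50 + len(software); x_off = m_off + len(modified)  # data starts at 50
    tiff = (b"II*\0" + struct.pack("<IH", 8, 3) + e(SOFTWARE, ASCII, len(software), 50)
            + e(DATETIME, ASCII, len(modified), m_off) + e(EXIF_IFD, 4, 1, x_off)
            + b"\0" * 4 + software + modified + struct.pack("<H", 1)
            + e(DT_ORIGINAL, ASCII, len(original), x_off + 18) + b"\0" * 4 + original)
    body = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

print(triage(sample_jpeg()))
```

Metadata is writable, so these notes are leads to corroborate with pixel-level analysis; an empty result does not show that an image is original.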
JPEGsnoop
JPEGsnoop is a detailed JPEG image decoder and analysis tool which can report image metadata and can help identify whether an image has been edited or not. When checking the authenticity of an image, the program produces a final output indicating its assessment of the image:
- Class 1: Image is processed/edited
- Class 2: Image has high probability of being processed/edited
- Class 3: Image has high probability of being original
- Class 4: Uncertain if processed or original
Similar to ExifTool, JPEGsnoop also displays some metadata of the picture, including the software, date time variable, and some image encoding calculations.
As mentioned, the clear advantage of using JPEGsnoop is that it categorizes its assessment into classes. For this image, the program's assessment is Class 1: Image is processed/edited, which means the image has been manipulated.
Forensically
Forensically is a web-based collection of tools that can be used for digital image forensics, including clone detection, error level analysis, metadata extraction, magnifying functions, noise analysis, etc.
On the right tab, there are many features we can utilise such as magnification, clone detection, error level analysis, noise analysis, level sweep, luminance gradient, and more.
For example, when using Magnification with histogram equalization as the enhancement, we can see that something is odd when hovering over the top part of the image.
The rest of the picture has a different level of pixelation compared to the jet-white top center part.
Then, when you apply Principal Component Analysis with the color input and projection mode, the top center part shows a distinct anomaly and seems to have a very different component composition from the rest of the picture.
Also, when using the Level Sweep feature, the top part of the image displays an oddly brighter region compared to the darker rest of the picture. Level Sweep increases the contrast of various light levels, and if a part is the result of a copy-paste, it will show up brighter, just like that part.
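The Level Sweep idea described above, as an added example in Python (not Forensically's code and not from the original article): a narrow band of luminance levels is stretched to the full 0..255 range, so a pasted patch that differs from its surroundings by only a few levels stands out. The grayscale grid, its values and the function names are constructed for illustration.

```python
def level_sweep(gray, center, width):
    """Stretch levels in [center - width/2, center + width/2] to 0..255, clamping the rest."""
    lo = center - width / 2
    return [[max(0, min(255, int((p - lo) * 255 / width))) for p in row]
            for row in gray]

def bright_box(gray, threshold=200):
    """Bounding box (top, left, bottom, right) of pixels >= threshold, or None."""
    hits = [(y, x) for y, row in enumerate(gray)
            for x, p in enumerate(row) if p >= threshold]
    if not hits:
        return None
    ys, xs = zip(*hits)
    return min(ys), min(xs), max(ys), max(xs)

def sample_image(h=8, w=12):
    """Constructed near-white background (levels 246..249) with a pasted patch at 252."""
    img = [[246 + (x * 7 + y * 3) % 4 for x in range(w)] for y in range(h)]
    for y in range(0, 2):          # pasted region: rows 0-1, columns 4-7 (top center)
        for x in range(4, 8):
            img[y][x] = 252
    return img

img = sample_image()
# Before the sweep every pixel is "white": the threshold cannot isolate anything.
print("raw  :", bright_box(img))
# After sweeping a 6-level window around 249, only the pasted patch stays bright.
print("swept:", bright_box(level_sweep(img, center=249, width=6)))
```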
Conclusion
As a result of the examination, we can say that the picture has been manipulated. By using different tools to perform the image forensics process, we can gather different levels of information regarding the manipulation. For example, by using ExifTool, we can say that the picture has been modified by looking at the difference between the “created” and “modification” timestamps, as well as the software used to edit the image. By using JPEGsnoop, the image can be classified as Class 1, indicating the image has been processed. And by using Forensically, the top center part of the image can be said to have been copy-pasted.
Christovito Hidajat
18218043
II4033 Digital Forensics