The field of digital image forensics relies on a variety of specialized techniques to uncover hidden manipulations in visual data. In our previous article we discussed using ELA for detection of fragments insertion from the same image or another image. This method also allows examiner to detect other image modifications. For example, image scaling, brightness, contrast and saturation correction, editing with an image editor, and filters usage.
But ELA results interpretation in such cases demands more experience from examiner. The best way to gain it is analysing images with known modifications.
For example, let’s examine blurred background on an image. On figures 1 and 2 you can see the image and its error pattern, on figures 3 and 4 – Gaussian Blur filter usage results.
Figure 1. Original image
Figure 2. Image error pattern
Figure 3. Gaussian Blur filter
Figure 4. Image error pattern
As you can see, error pattern on the first picture is quite homogeneous. Only sky on the pattern has dark colour. Error pattern of compressed images always has dark parts only if the image has homogeneous, without small parts, background.
On modified picture you can clearly see parts with different error pattern. One part is for the monument on the front, the other – for blurred background.
To understand it better, let’s examine an image, where background blurring became the result of using wide aperture (fig. 5, 6).
Figure 5. Background blurring with wide aperture
Figure 6. Image error pattern
Error pattern of such image shows smooth error level changing from front to background. This change corresponds with image sharpness changes because of disposal of focus point. It’s difficult to find smooth changes on original images where background objects are beyond the depth of field. But you will never find such changes in images modified with editors if a mask was used for it.
Sometimes it’s very difficult to interpret ELA results right while examining blurring. The image on figure 7 illustrates an article about making photos with shallow depth of field. But on its error pattern you can clearly see two zones: the first (a tree and a squirrel) resembles sharpness improving results, the other (background) – resembles blurring results.
Figure 7. Original image
Figure 8. Image error pattern
Error Level Analysis
Nowadays Error Level Analysis or ELA has become the most common method for image modification detection. This method is used by lots of both commercial and free tools and web-services [1, 2].
This method is based on the fact that JPEG image compression removes overmuch information about original’s brightness and color [3]. The amount of information being removed depends on compression rate and, of course, signal quantization matrix. If original image compressed only once is quantizated by the same matrix as the original, modified image won’t be different from the original. But if the original image is saved in JPEG a number of times, there will be significant differences between the original and modified image [4]. The result of ELA is error pattern, which shows differences between the original and modified image. The aim of the forensic examiner is to interpret error pattern right.
This method works very well for modification detection in images created from fragments with different error level (fig. 9, 10).
Figures 9,10. Modified image and its error pattern
But if fragments are taken from files with the same error level or are cloned from the same image, such analysis won’t bring good results, especially when your tool doesn’t allow to choose compression rate value for calculating error pattern (fig. 11, 12, 13).
Figure 11. An image compressed with 85 quality created from fragments of an image with 50 quality
Figure 12. Error pattern calculated for 85 quality
Figure 13. Error pattern calculated for 50 quality. Now we can see cloned fragments
The chances of successful modification detection depend on technique of editing used. For example, if fragment was pasted in a cropped image which wasn’t saved in between, reliability of the method decreases. The same can be said about highly compressed images.
About the authors:
Serge Petrov
Interests: Digital Video Forensics, Forgery Detection, Audio Forensics
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
References:
- AMPED software. Authenticate. https://ampedsoftware.com/authenticate
- Fotoforensics. http://fotoforensics.com/
- Joint Photographic Experts Group. https://jpeg.org
- A Picture’s Worth: Digital Image Analysis and Forensics. Dr. Neal Krawetz, Hacker Factor Solutions, August 2007. Presented at the Black Hat Briefings 2007. https://www.blackhat.com/presentations/bh-dc-08/Krawetz/Whitepaper/bh-dc-08-krawetz-WP.pdf
