Author Archives: Marco Fontani

Trim, Crop and Watch Processing Time Drop!

Digital videos are constantly getting more and more bulky. Nowadays it is not uncommon to work on CCTV footage with resolution above Full-HD, sometimes even 4k. Unfortunately, this huge gain in resolution is often frustrated by extremely aggressive compression (at the end of the day, the video must fit into a DVR hard drive). And there is one more collateral effect of working with hi-res videos: the processing time increases.

Even if you are running Amped FIVE on a powerful computer, you may experience a significant slow-down when applying some filters to your footage. Remember that Amped FIVE processes your video in “live mode”: all filters in the chain are applied on-the-fly, and the result is rendered on the screen. If you feel the video is not playing fast enough, today’s Tuesday Tip is here to help you!


Our suggestion is to focus your analysis on the portion of footage that really matters, both in time and space.

Continue reading

Log-Scale: A Great Ally for Plot Interpretation!

Amped Authenticate users know how important it is to understand the processing history of an image, and they (hopefully!) know that “processing history” does not mean just splicing.
For example, there are cases where the image has been scaled or re-compressed, and
when one of these happen you should be aware of it, as they bring important consequences to the rest of your investigation.

Amped Authenticate offers many tools for processing history analysis under the Global Analysis filter category. Some of these, for example the DCT Plot, the Correlation Plot, and the JPEG Ghost Plot are… plots! They should be examined carefully, because we know that artifacts like a “comb-shaped” DCT histogram strongly suggests double JPEG compression, and so does a JPEG Ghost Plot with multiple local minima. The problem is… sometimes it’s just hard to see these artifacts, because they are “hidden” in the plot!

Consider the image below: at a first glance, its DCT Plot for DCT Frequency 4 seems rather “smooth”, and you could easily overlook it.

Continue reading

Static & Dynamic Tracking: never miss your object(ive)!

Probably, Tip Tuesday aficionados have already understood the trend: we’re alternating tips for FIVE and Authenticate every week. Well… it is true. And it is intentional!

Today we’re showing you some tips about tracking in Amped FIVE. Tracking an object is a basic, yet non trivial operation lying underneath a lot of Amped FIVE filters. You may want to track an object for annotation purposes, e.g. for having a red circle to follow the circled object as it moves. More frequently, you will be using tracking as a part of Local Stabilization, that is used to keep your object of interest static, so that you are able to view it better and effectively average its pixels over multiple frames.

Regardless of the goal, good tracking is essential to the success of your processing. That is why Amped FIVE features several different ways to track your object of interest:

  • Manual tracking
  • Static tracking
  • Dynamic tracking
Continue reading

Exif Metadata Sometimes Tells More Than it Seems

As Amped Authenticate users hopefully learned during our training courses, authenticating a digital image means much more than attaching a fake/real label to it. In some cases, you may be asked whether the integrity of a questioned digital image is preserved (or broken). In such a case, forgery localization tools should not be your first choice from Authenticate’s powerful arsenal.

Indeed, proving that the integrity of an image is “broken” means demonstrating that the image file is not the original file produced by the acquisition device; instead, it has been processed after acquisition. “What” happened during the processing may even not be of interest, because in some cases broken integrity alone is enough to discard a potential evidence.

That’s why we always stress the importance of tools under Amped Authenticate’s File Analysis category: they are the best way to screen image properties, metadata and coding details looking for unexpected or suspicous elements.

In this post, I’ll share with you a tip that could prove important in your cases: check for un-updated Exif image resolution tags! Let’s take this nice picture from a Sony Xperia XA1 smartphone (formally called G3112), and let’s imagine we are asked to validate its integrity: is this an original file, untouched since acquisition?

Continue reading

Clones Blocks and Clones Keypoints: which one is better?

Clone detection (aka “copy-move detection”) is a very important image authentication task. Clones are a special case of image manipulation where part of an image is copied, possibly resized, rotated, sheared, etc., and then pasted to another region of the same image. The two main applications of cloning are:

  • creating multiple (fake) copies of an object through copy-paste;
  • removing an object from the scene by covering it with a cloned portion of the background.

This is explained with a very simple example in the image below.

Two possible ways of using copy-move to create a fake image.

The image forensics research community worked hard to develop techniques for clone detection, and two main approaches have been invented: block-matching and keypoint-matching. As suggested by their names, they are based on two different strategies, briefly explained below.

Block-matching approach

  1. Split the image in overlapping blocks;
  2. Compute a digest (“descriptor”) for each block, possibly robust to rotation, scaling, compression, etc.;
  3. Search for clusters of matching descriptors.

Keypoint-matching approach

  1. Detect keypoints (SIFT, SURF, BRISK, etc.) from the image;
  2. Compute keypoint local descriptors;
  3. Search for (clusters of) matching keypoints.

Which one is better? It depends, and we try to explain why with the table below:

So, if your question was: “Do I need a block- or a keypoint– based algorithm for my analysis?”, the answer is: you need both!

That’s why Amped Authenticate features both algorithms under the Local Analysis category: Clones Keypoints and Clones Blocks. Let’s compare their output on the sample image we used in this article:

We see that the cloned seagull (top row) is detected by the Clones Keypoints despite the strong down-scaling applied to the cloned object; such a geometrical transformation is too strong to be detected by Clones Blocks. On the other hand, Clones Blocks successfully detects the cloned background (bottom row), that is not detected by Clones Keypoints because the cloned area is just too flat and it does not contain enough keypoints.

We hope you enjoyed this quick tip! Stay tuned and don’t miss our next #ampedtiptuesday post!

Amped Authenticate Update 11362: JPEG Dimples, Improved JPEG HT, Social Media Identification, and much more!

Not long has passed since the release of Amped Authenticate 10641 but… yes, the next one is already out! Amped Authenticate 11362 is now released with a lot of improvements, including two new filters based on JPEG Dimples, one of the last discoveries of the image forensics scientific community!

JPEG Dimples

Despite many attempts to send JPEG into retirement, today the vast majority of digital images still use it. Amped Authenticate users know that traces left by JPEG compression are a superb asset when it comes to investigating the digital history of an image, as witnessed by the vast JPEG-based toolkit that Authenticate provides: quantization table analysis, JPEG ghosts, inconsistencies in blocking artifacts, double quantization traces in the DCT coefficients, and more.

But JPEG is still full of new surprises nowadays! A few months ago, while Amped was attending (and sponsoring!) the IEEE 2017 International Workshop on Information Forensics and Security (WIFS 2017), a new footprint was presented to the scientific community: JPEG Dimples (click here to see the original work Photo forensics from JPEG dimples by Shruti Agarwal and Prof. Hany Farid).

JPEG Dimples manifest themselves as a grid of slightly brighter/darker pixels, spaced by 8 pixels in each dimension. Like most image forensic fingerprints, even JPEG Dimples are hardly visible by the human eye, but they can be easily detected with a proper algorithm.

But why does this grid appear? And why is it important for our analysis? We’ll answer these questions in detail in a future blog post, however the reason behind JPEG Dimples is rather simple: during the DCT coefficients quantization phase, different operators exist to approximate decimal values to integer values: the round operator (which approximates the decimal number to the nearest integer) the floor operator (approximation to the nearest smaller integer) or the ceil operator (approximation to the nearest bigger integer). The table below shows the difference in approximating a Value (first column) to an integer using round, floor and ceil.

Value Round Floor Ceil
9.8 10 9 10
6.3 6 6 7
4.5 5 4 5
-7.3 -7 -8 -7

Obviously, using floor tends to produce smaller values in the 8-by-8 DCT block than using round, and the opposite with ceil. And when we go back to the pixel domain, this leads to a slightly darker or brighter pixel on the top-left corner of the pixel block (see example below)! Measuring the presence of this grid will tell us to which degree an image contains the JPEG Dimples footprint.

Image showing Dimples

Example of an image showing strong JPEG Dimples

Now you may be wondering “well, how many cameras will ever be using floor or ceil in place of the more classical round?” Not so few, actually. According to the work presented at WIFS 2017, more than 60% of tested cameras do introduce Dimples. We also carried out an internal evaluation on Amped datasets and numbers were less upsetting, still, we found Dimples in roughly 30% of tested cameras. A footprint with such a spread could not be missing in Amped Authenticate, and so here we are. Continue reading

Amped Authenticate & Griffeye Analyze DI Pro: a synergy that empowers forensic analysts!

The partnership between Amped Software and Griffeye keeps growing and so does the integration between Griffeye Analyze DI Pro and Amped Authenticate. Analyze DI Pro is a media investigation software for handling large volumes of images and videos, filter irrelevant digital files, prioritize, correlate and identify the most pertinent material in investigations. It will let you scan and import data from a device or from a folder on your workstation. Once the import is complete, you can easily browse and intelligently sort/filter media.

In this post, we’ll take a look at what Griffeye Analyze DI Pro enables you to do when linked with the Amped Authenticate plugins. Let’s create a case and import a folder containing a few JPEG files.

Analyze DI Pro lets you look at image metadata, and Amped Authenticate users know how interesting they are, but, we also know that a single image may contain hundreds of Exif metadata, and reading all of them is quite a boring job. Luckily, from the very same panel above we can call in Amped Authenticate File Format Analysis to automatically spot suspicious metadata. Once you installed Authenticate and the corresponding plugin in Analyze DI Pro, this is just as simple as right-clicking on one or all the images and then hit the “Plugin” voice and select “Amped Authenticate – File Format Analysis” from the pop-up list as shown below.

Continue reading

Improved PRNU-Based Forgery Localization

In a past post, we presented several improvements we did to Amped Authenticate’s Camera Identification filter based on PRNU analysis. Those improvements propagated also to the PRNU Tampering filter so that Amped Authenticate also features an improved algorithm for forgery localization. Improvements mainly include:

Peak-to-Correlation Energy-based (PCE) analysis
During block-based analysis, the PCE is computed and the point yielding the maximum PCE value (peak) is considered. If the peak is in the expected position, the block is considered authentic; if the peak is in a different position, then the PCE value is compared with a threshold to decide the authenticity of the block.

Support for multi-core processing
If your CPU features multiple logical cores, block-based analysis will run in parallel, thus reducing the computation time.

Faster, easier training
Thanks to PCE robustness, there is no need to train a separate model for forgery detection: you can use the same .crp file created for Camera Identification.

Forgery localization for cropped images
If the image is cropped and/or rotated before or after manipulation, the PRNU Tampering filter will detect cropping, compensate for it and run the forgery localization algorithm. The same applies to resizing and/or rotation. Combination of resizing and cropping is not supported yet.

Alert for unreliable regions
PRNU-based forgery localization is not reliable in saturated areas (i.e., totally white or black regions of the image). Indeed, for those pixels, it is impossible to discriminate between the image content and the actual sensor noise. The new version of PRNU-based forgery localization enables highlighting of white and black saturated pixels (marked in yellow and blue, respectively), in order to help the analyst rule out false alarms. Continue reading

Experimental validation of Amped Authenticate’s Camera Identification filter

We tested the latest implementation (Build 8782) of PRNU-based Camera Identification and Tampering Localization on a “base dataset” of 10.069 images, coming from 29 devices (listed in the table below). We split the dataset in two:
– Reference set: 1450 images (50 per device) were used for CRP estimation
– Test set: 8619 images were used for testing. On average, each device was tested against approximately 150 matching images and approximately 150 non-matching images.

It is important to understand that, in most cases, we could not control the image creation process. This means that images may have been captured using digital zoom or at resolutions different than the default one, which makes PRNU analysis ineffective. Making use of EXIF metadata, we could filter out these images from the Reference set. However, we chose not to filter out such images from the Test set: we prefer showing results that are closer to real-world cases, rather than tricking the dataset to obtain 100% performance.

Using the above base dataset, we carried out several experiments:
– Experiment 1) testing the system on images “as they are”
– Experiment 2) camera identification in presence or rotation, resize and JPEG re-compression
– Experiment 3) camera identification in presence of cropping, rotation and JPEG re-compression
– Experiment 4) discriminating devices of the same model
– Experiment 5) investigating the impact of the number of images used for CRP computation.

Continue reading

PRNU-based Camera Identification in Amped Authenticate

Source device identification is a key task in digital image investigation. The goal is to link a digital image to the specific device that captured it, just like they do with bullets fired by a specific gun (indeed, image source device identification is also known as “image ballistics”).

The analysis of Photo Response Non-Uniformity (PRNU) noise is considered the prominent approach to accomplish this task. PRNU is a specific kind of noise introduced by the CMOS/CCD sensor of the camera and is considered to be unique to each sensor. Being a multiplicative noise, it cannot be effectively eliminated through internal processing, so it remains hidden in pixels, even after JPEG compression.

In order to test if an image comes from a given camera, first, we need to estimate the Camera Reference Pattern (CRP), characterizing the device. This is done by extracting the PRNU noise from many images captured by the camera and “averaging” it (let’s not dive too deep into the details). The reason for using several images is to get a more reliable estimate of the CRP, since separating PRNU noise from image content is not a trivial task, and we want to retain PRNU noise only.

After the CRP is computed and stored, we can extract the PRNU noise from a test image and “compare” it to the CRP: if the resulting value is over a given threshold, we say the image is compatible with the camera.

Camera identification through PRNU analysis has been part of Amped Authenticate for quite some time. However, many of our users told us that the filter was hard to configure, and results were not easy to interpret. So, since the end of last year, a new implementation of the algorithm was added (Authenticate Build 8782). The new features included:

Advanced image pre-processing during training
In order to lower false alarms probability, we implemented new filtering algorithms to remove artifacts that are not discriminative, something that is common with most digital cameras (e.g., artifacts due to Color Filter Array demosaicking interpolation).

Continue reading