As you smart forensic analysts have undoubtedly noticed, last week there was no Tip Tuesday. Did we forget? Well, not really… We just realized that no Tip could stand the bright light shone by last Tuesday’s great announcement: the launch of Amped Replay, Amped Software’s newest solution for investigators and frontline officers! If you happened to miss that news read more about it here!
After that, you can enjoy this week’s Tip Tuesday!
If you are working in the digital forensic field, you are certainly aware of the importance of data integrity. Ensuring data integrity means verifying that the information you are working on remains unaltered during the whole process (including transmission and storage of data).
Unfortunately, when it comes to digital images and videos, integrity is more threatened than with other types of files. For example, if you rotate an image using your OS default photo viewer and then close it, the file will likely be overwritten without any warning. While in many cases the changes made to pixels may be “negligible”, the file will still change… which means its hash value will be different. And we know this could invalidate your whole analysis (in the end, another analyst cannot know why the hash is different, it’s just different).
At Amped, we take data integrity very seriously. Our software never overwrites nor moves the evidence file you are working with. But there’s more: Amped FIVE provides you with a seamless way of checking data integrity straight inside your project. And this Tuesday’s Tip tells you how!
Dear Amped friends, welcome to this week’s Tip Tuesday!
In our last Tip we talked about how Amped FIVE users can save time by trimming and cropping the video they’re working on, so as to focus the analysis only on interesting parts. Probably, we opted for that topic because February is the shortest month, and it may give you the feeling that time flows away too quickly. Since we can’t stop time, let’s at least save it when possible!
This week is Amped Authenticate‘s turn, so let’s see how we can save time when investigating our digital images. Once more, it’s a matter of focus: to save time, we have to focus the analysis on the right images (i.e., properly select them) and run only the analysis filters that we need on them. We will focus on the first aspect today, and leave the second for a coming-soon Tip.
Digital videos are constantly getting more and more bulky. Nowadays it is not uncommon to work on CCTV footage with resolution above Full-HD, sometimes even 4k. Unfortunately, this huge gain in resolution is often frustrated by extremely aggressive compression (at the end of the day, the video must fit into a DVR hard drive). And there is one more collateral effect of working with hi-res videos: the processing time increases.
Even if you are running Amped FIVE on a powerful computer, you may experience a significant slow-down when applying some filters to your footage. Remember that Amped FIVE processes your video in “live mode”: all filters in the chain are applied on-the-fly, and the result is rendered on the screen. If you feel the video is not playing fast enough, today’s Tuesday Tip is here to help you!
Our suggestion is to focus your analysis on the portion of footage that really matters, both in time and space.
Amped Authenticate users know how important it is to understand the processing history of an image, and they (hopefully!) know that “processing history” does not mean just splicing. For example, there are cases where the image has been scaled or re-compressed, and when one of these happens you should be aware of it, as they have important consequences for the rest of your investigation.
Amped Authenticate offers many tools for processing history analysis under the Global Analysis filter category. Some of these, for example the DCT Plot, the Correlation Plot, and the JPEG Ghost Plot are… plots! They should be examined carefully, because we know that artifacts like a “comb-shaped” DCT histogram strongly suggest double JPEG compression, and so does a JPEG Ghost Plot with multiple local minima. The problem is… sometimes it’s just hard to see these artifacts, because they are “hidden” in the plot!
Consider the image below: at a first glance, its DCT Plot for DCT Frequency 4 seems rather “smooth”, and you could easily overlook it.
Probably, Tip Tuesday aficionados have already understood the trend: we’re alternating tips for FIVE and Authenticate every week. Well… it is true. And it is intentional!
Today we’re showing you some tips about tracking in Amped FIVE. Tracking an object is a basic, yet non-trivial operation lying underneath a lot of Amped FIVE filters. You may want to track an object for annotation purposes, e.g. for having a red circle to follow the circled object as it moves. More frequently, you will be using tracking as a part of Local Stabilization, which is used to keep your object of interest static, so that you are able to view it better and effectively average its pixels over multiple frames.
Regardless of the goal, good tracking is essential to the success of your processing. That is why Amped FIVE features several different ways to track your object of interest:
As Amped Authenticate users hopefully learned during our training courses, authenticating a digital image means much more than attaching a fake/real label to it. In some cases, you may be asked whether the integrity of a questioned digital image is preserved (or broken). In such a case, forgery localization tools should not be your first choice from Authenticate’s powerful arsenal.
Indeed, proving that the integrity of an image is “broken” means demonstrating that the image file is not the original file produced by the acquisition device; instead, it has been processed after acquisition. “What” happened during the processing may not even be of interest, because in some cases broken integrity alone is enough to discard potential evidence.
That’s why we always stress the importance of tools under Amped Authenticate’s File Analysis category: they are the best way to screen image properties, metadata and coding details looking for unexpected or suspicious elements.
In this post, I’ll share with you a tip that could prove important in your cases: check for un-updated Exif image resolution tags! Let’s take this nice picture from a Sony Xperia XA1 smartphone (formally called G3112), and let’s imagine we are asked to validate its integrity: is this an original file, untouched since acquisition?
Did you know the Amped FIVE interface can be customized to fit your preferences? Perhaps you have two monitors and want to adjust the panels, or prefer a darker application theme? No problem!
My personal preference is to use this layout, with the “darker” theme, as I tend to use only one monitor when using FIVE, but if you do want to re-organize the interface so it is more suited to your work style, each of the panels within the user interface can be moved or hidden from view.
Clone detection (aka “copy-move detection”) is a very important image authentication task. Clones are a special case of image manipulation where part of an image is copied, possibly resized, rotated, sheared, etc., and then pasted to another region of the same image. The two main applications of cloning are:
- creating multiple (fake) copies of an object through copy-paste;
- removing an object from the scene by covering it with a cloned portion of the background.
This is explained with a very simple example in the image below.
The image forensics research community worked hard to develop techniques for clone detection, and two main approaches have been invented: block-matching and keypoint-matching. As suggested by their names, they are based on two different strategies, briefly explained below.
Block-matching:
1. Split the image in overlapping blocks;
2. Compute a digest (“descriptor”) for each block, possibly robust to rotation, scaling, compression, etc.;
3. Search for clusters of matching descriptors.

Keypoint-matching:
1. Detect keypoints (SIFT, SURF, BRISK, etc.) from the image;
2. Compute keypoint local descriptors;
3. Search for (clusters of) matching keypoints.
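The three block-matching steps above, as a minimal added example (not Amped Authenticate's algorithm and not code from this post): the descriptor is a quantized pixel tuple and matching blocks vote on their shift vector, so it is robust to neither rotation nor scaling. The sample image, block size, quantization step and support threshold are constructed assumptions.

```python
import random
from collections import Counter, defaultdict

BLOCK = 4  # block side in pixels (assumed value for this example)

def make_sample(w=64, h=64, seed=7, clone=True):
    """Constructed test image: random texture, optionally with a 12x12 clone."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(w)] for _ in range(h)]
    if clone:
        for dy in range(12):
            for dx in range(12):
                # copy-move: source at (row 5, col 5) pasted at (row 30, col 40)
                img[30 + dy][40 + dx] = img[5 + dy][5 + dx]
    return img

def descriptor(img, y, x, q=16):
    """Step 2: digest of one block. Coarse quantization is a crude stand-in
    for the robustness a real descriptor would provide."""
    return tuple(img[y + j][x + i] // q
                 for j in range(BLOCK) for i in range(BLOCK))

def find_clones(img, min_support=20):
    """Return {(row_shift, col_shift): matching_block_pairs} for shifts
    supported by at least min_support block pairs."""
    h, w = len(img), len(img[0])
    # Step 1: overlapping blocks (stride 1), bucketed by descriptor.
    buckets = defaultdict(list)
    for y in range(h - BLOCK + 1):
        for x in range(w - BLOCK + 1):
            buckets[descriptor(img, y, x)].append((y, x))
    # Step 3: a cloned region yields many block pairs sharing one shift,
    # so count shifts and keep only the well-supported clusters.
    shifts = Counter()
    for positions in buckets.values():
        for i, (y1, x1) in enumerate(positions):
            for y2, x2 in positions[i + 1:]:
                shifts[(y2 - y1, x2 - x1)] += 1
    return {s: n for s, n in shifts.items() if n >= min_support}

if __name__ == "__main__":
    print("cloned image:   ", find_clones(make_sample()))
    print("untouched image:", find_clones(make_sample(clone=False)))
```

The support threshold is what separates a genuine clone from isolated chance matches: a 12x12 copied region contains 9x9 fully enclosed 4x4 blocks, all agreeing on the same shift.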
Which one is better? It depends, and we try to explain why with the table below:
So, if your question was: “Do I need a block- or a keypoint-based algorithm for my analysis?”, the answer is: you need both!
That’s why Amped Authenticate features both algorithms under the Local Analysis category: Clones Keypoints and Clones Blocks. Let’s compare their output on the sample image we used in this article:
We see that the cloned seagull (top row) is detected by Clones Keypoints despite the strong down-scaling applied to the cloned object; such a geometrical transformation is too strong to be detected by Clones Blocks. On the other hand, Clones Blocks successfully detects the cloned background (bottom row), which is not detected by Clones Keypoints because the cloned area is just too flat and does not contain enough keypoints.
We hope you enjoyed this quick tip! Stay tuned and don’t miss our next #ampedtiptuesday post!
We are present in many industry and partner events worldwide, but unfortunately, we can’t always meet our global customers face to face to show you how to get the most out of your Amped solutions. So we’ve created a new blog series called Tip Tuesday (#ampedtiptuesday). We hope this year will be full of useful tips and tricks for all our solutions.
We will teach you things in Amped FIVE like how to organize and customize the panels, how to use the Assistant, how to use the concatenation in Covert DVR, and the Screen Capture tool.
For Amped Authenticate, you will learn about differences between Clones Blocks and Clones Keypoints, how to find reference images for your case, how to use PRNU on images gathered from social media, and how some minor metadata may tell more than it seems.
And much much more!
If you have suggestions for things you would like to learn about, send them our way!
Our first tip will be published next Tuesday – don’t miss it!