Not long has passed since the release of Amped Authenticate 10641 but… yes, the next one is already out! Amped Authenticate 11362 is now released with a lot of improvements, including two new filters based on JPEG Dimples, one of the last discoveries of the image forensics scientific community!
Despite many attempts to send JPEG into retirement, today the vast majority of digital images still use it. Amped Authenticate users know that traces left by JPEG compression are a superb asset when it comes to investigating the digital history of an image, as witnessed by the vast JPEG-based toolkit that Authenticate provides: quantization table analysis, JPEG ghosts, inconsistencies in blocking artifacts, double quantization traces in the DCT coefficients, and more.
But JPEG is still full of new surprises nowadays! A few months ago, while Amped was attending (and sponsoring!) the IEEE 2017 International Workshop on Information Forensics and Security (WIFS 2017), a new footprint was presented to the scientific community: JPEG Dimples (click here to see the original work Photo forensics from JPEG dimples by Shruti Agarwal and Prof. Hany Farid).
JPEG Dimples manifest themselves as a grid of slightly brighter/darker pixels, spaced by 8 pixels in each dimension. Like most image forensic fingerprints, even JPEG Dimples are hardly visible by the human eye, but they can be easily detected with a proper algorithm.
But why does this grid appear? And why is it important for our analysis? We’ll answer these questions in detail in a future blog post, however the reason behind JPEG Dimples is rather simple: during the DCT coefficients quantization phase, different operators exist to approximate decimal values to integer values: the round operator (which approximates the decimal number to the nearest integer) the floor operator (approximation to the nearest smaller integer) or the ceil operator (approximation to the nearest bigger integer). The table below shows the difference in approximating a Value (first column) to an integer using round, floor and ceil.
Obviously, using floor tends to produce smaller values in the 8-by-8 DCT block than using round, and the opposite with ceil. And when we go back to the pixel domain, this leads to a slightly darker or brighter pixel on the top-left corner of the pixel block (see example below)! Measuring the presence of this grid will tell us to which degree an image contains the JPEG Dimples footprint.
Now you may be wondering “well, how many cameras will ever be using floor or ceil in place of the more classical round?” Not so few, actually. According to the work presented at WIFS 2017, more than 60% of tested cameras do introduce Dimples. We also carried out an internal evaluation on Amped datasets and numbers were less upsetting, still, we found Dimples in roughly 30% of tested cameras. A footprint with such a spread could not be missing in Amped Authenticate, and so here we are.
Global detection of JPEG Dimples
In Amped Authenticate 11362, the user can easily check for the presence of JPEG Dimples in the image using the novel JPEG Dimples filter, under the Global Analysis category. The filter will tell the measured “strength” of the footprint and compare with the suggested threshold (13.0, as suggested by original authors) to decide whether the image contains or not JPEG Dimples. Moreover, the offset of the 8-by-8 grid with respect to the top-left corner of the image is shown.
This filter helps the analyst reconstruct the processing history of the image, for example:
- presence/absence of dimples could be consistent/inconsistent with the camera model declared in Exif metadata;
- presence of dimples reasonably rules out the hypothesis that the image has been resized (because the grid will no longer be detected after resizing, except very rare situations);
- presence of dimples together with a strange offset may suggest that cropping has occurred;
- presence of dimples in an image stored in an uncompressed format is a clear hint of previous compression carried out by a camera (because software themselves do not introduce dimples).
As usual, all the above points gain robustness when a set of sample images from the same camera model to compare with can be obtained… just click on Tools – Search Images From Same Camera Model and you’re done!
Forgery localization based on JPEG Dimples
The JPEG Dimples grid can be also used as an “unintended authentication watermark” to perform forgery localization: indeed, given an image affected by Dimples, if someone tampers with a region of the image it will likely destroy the 8×8 Dimples grid. Thus, in such images, we can locally search for the presence of the grid and create a forgery localization map: regions where dimples are not present are considered suspect.
The JPEG Dimples Map filter, under the Local Analysis category, implements such a forgery localization algorithm. The user can choose the size of the sliding window over which presence of JPEG Dimples is evaluated. Compared to other forgery localization filters, the JPEG Dimples Map is rather quick: analyzing a 14 Megapixel image takes about 6 seconds on a standard laptop. Moreover, the produced forgery localization maps are fine-grained, as shown in the figure below where the extinguisher and the corresponding sign were both pasted into the image.
Like most forgery localization filters, the JPEG Dimples Map suffers from regions that are saturated to black or white or strongly textured, because the dimples grid is poorly measurable there. Therefore, we included the common “Show Saturation” tool in the bottom bar for this filter.
A much more detailed blog post on JPEG Dimples will come soon, stay tuned!
Improved JPEG HT filter
Huffman Tables (HT) are a part of JPEG coding that is usually overlooked in image forensics, because HTs diversity is not comparable to that of Quantization Tables (so they’re not as powerful to identify the originating camera model), and because they are a lossless part of the encoding chain (no traces of HTs are left in the pixels/coefficients). However, HTs can tell more than it seems.
The most interesting fact in HTs is whether they are standard (that is, those suggested in the IJG ITU.T81 Annex K) or optimized. Computing optmized HTs allows saving some disk space at the cost of extra processing time, while image quality is totally unaffected. Until today, Amped Authenticate users could look at some details about JPEG HTs in the image, but they had to manually check whether tables were standard… quite an annoying job! Now, Authenticate 11362 takes the burden and explicitly tells the user whether each of the HTs in the JPEG file is standard or not.
In the example below, Huffman Tables for a Photoshopped image (evidence columns) and for the original version of the image (reference columns) are shown. Notice that in the forged image tables are non-standard (they have been optimized), as highlighted by rows 7, 14, and 21.
In practice, most cameras and smartphones just stick to standard HTs when capturing images, while editing software make extensive use of HT optimization. Therefore, we’ve also added a test in the File Format filter that warns the user when optimized tables are found in the image.
Social Media Identification now also checks filenames
The Social Media Identification filter is a recent tool, and we already have an improvement for it. The filter now has an additional output row called “Optional message“: this row is used to
- tell the user whether the image filename happens to be compatible with the naming scheme of some of the known social media platforms;
- warn the user when the analyzed image is at low resolution, since the false positive rate increases for such images.
Consider the image in the example below, that has been downloaded from Flickr using the “download original version” link.
When you download the original, Flickr sends you the camera original file originally uploaded by the user (the hash is the same); thus, the Social Media Identification tool correctly concludes that the image is likely not processed by a Social Media Platform (yes, the word “processed” has been added in this release). Still, we’ve downloaded it from Flickr… The only way we have to understand it is by looking at the file name, and that’s what the novel “Optional message” feature does in this case!
More novel features:
- The GUI now shows the camera make and model (when available from Exif metadata) in the top bar;
- PRNU filters now compute the hash file of the Camera Reference Pattern (CRP) and use it to store results to cache, so if you have more than one CRP file with the same name the filter will not confuse cached files;
- Improved speed and stability for all table filters (Exif, JPEG QT, JPEG HT, JPEG Dimples, Social Media Identification);
- The user can now set the threshold for PRNU camera identification in the program options;
- The user can now decide to hide best matching parameters for negative compatibility in the program options (useful for simplifying the output of JPEG Dimples and PRNU Identification);
- PRNU Identification: fixed a bug that caused images with empty make-model metadata to be excluded from usable images for CRP creation. Now they get excluded only if exif make/model tags are non-empty and different than those of the reference image;
- Clones Keypoints: now works even with images with more than 2^18 keypoints;
- Search Images From Same Camera Model: fixed a bug that was causing reference image (instead of evidence image) metadata to be used for filling the user query dialog.
- Color Channels: fixed a bug that was causing swapped Cb and Cr components in the YCbCr representation.
- Batch File Format Analysis: fixed a bug that prevented the “Load As Evidence” and “Load As Reference” menu entries to work for languages different than English.
Don’t Delay – Update Today
If you have an active support plan you can update straight away by going into the menu “Help” > “Check for Updates Online” within Amped Authenticate. If you need to renew your SMS plan, please contact us or one of our authorized partners.