Amped Authenticate’s PRNU Tampering Filter Turns Sensor Noise Into an Effective Forgery Localization Tool!

Hello, dear friends! This week’s tip is about Amped Authenticate’s PRNU Tampering filter. We’ll see that, besides being used for source camera identification, PRNU noise can be a powerful tool to spot manipulated regions. Keep reading to find out more!

Photo Response Non-Uniformity (PRNU) noise is one of the hottest tools in image forensics, with its ability to reliably link an image to the exemplar device that captured it. In our blog, we’ve dedicated a lot of articles and tips to source identification, and Amped Authenticate’s PRNU Identification filter continues to constantly evolve. If you’ve never heard about PRNU noise and source device identification, take a look here!

PRNU analysis, however, enables other applications, not just source camera identification. For example, it can be used for forgery localization! Let’s use a practical case to guide you in the rest of this tip. We are asked to investigate whether this image is authentic or not.

The image is provided within a memory drive containing other images, in case they could be helpful.

We load the image in Amped Authenticate and notice several warnings in the File Format filter.

Notably, the image has a strange aspect ratio, which could suggest it has been cropped. Moreover, the Exif metadata candidly declare it was saved with GIMP, years after the acquisition date.

Now, let’s check whether the images that were provided may help. With the Batch File Format Comparison tool (available under the Tools menu) we see that, according to Exif metadata, the other available images have been captured with the same device model.

We can reasonably use them to create a Camera Reference Pattern (CRP)! It’s a kind of fingerprint of the device’s imaging sensor, unique to that device. We just need to put these reference images in a folder, load one of them, go to the PRNU Identification filter, and click on the Create PRNU Reference Pattern button.

“Hey, but we’re not asked to attribute the image to the device!”, you may be thinking. Wait, that’s not our primary intention. But of course, we can now check how the image in question relates to this freshly created CRP file. We just need to load our questioned image after the CRP is created.

Interestingly, we see a high PCE Value, which suggests the image was actually captured by the same exemplar that took the reference pictures. But Amped Authenticate detected that cropping occurred: some columns of pixels are missing from both sides of the image.

But PRNU analysis can do more than this, and that’s where the PRNU Tampering filter enters the game. Since we have a valid CRP file for this image, we can process the image block-wise, and check whether each block matches the expected sensor noise in that position. If some pixels were manipulated, we expect the sensor noise to be inconsistent with the device’s noise in that specific region.

All of the above is done easily with the PRNU Tampering filter, under the Local Analysis category. We just click and wait for the result to come! To save you some clicks, Amped Authenticate sets the PRNU CRP File input parameter to the same file loaded in the PRNU Identification filter, if any.

Here we are! We see a large suspicious red blob at the bottom of the image, plus some “spurious” red stains here and there. With some experience, we can safely mark most tiny red stains as false positives (PRNU matching is more likely to fail when computed on small blocks instead of the whole image), but there’s no such justification for the large blob at the bottom: something was likely changed there!

It’s worth observing that the PRNU Tampering filter automatically compensated for the cropped pixels: it first identified which sub-part of the camera sensor had to be used for comparison, and then compared blocks. Clever, isn’t it?
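To make the block-wise check and the crop compensation described above concrete, here is a small added example; it is not Amped Authenticate’s implementation and not code from the original tip. It assumes a 3x3 box filter as the denoiser, plain normalized correlation instead of PCE, a fixed threshold of 0.3, and fully synthetic data; all function names are hypothetical.

```python
import numpy as np

def residual(img):
    """High-pass noise residual: image minus its 3x3 box-filtered copy (assumed denoiser)."""
    h, w = img.shape
    p = np.pad(img, 1, mode="reflect")
    return img - sum(p[i:i + h, j:j + w] for i in range(3) for j in range(3)) / 9.0

def ncc(a, b):
    """Normalized cross-correlation of two equally sized arrays."""
    a, b = a - a.mean(), b - b.mean()
    return float((a * b).sum() / (np.linalg.norm(a) * np.linalg.norm(b) + 1e-12))

def find_crop_offset(img, crp):
    """Column offset of a horizontally cropped image inside the sensor pattern."""
    res, w = residual(img), img.shape[1]
    scores = [ncc(res, img * crp[:, x:x + w]) for x in range(crp.shape[1] - w + 1)]
    return int(np.argmax(scores))

def tamper_map(img, crp, block=32, threshold=0.3):
    """Boolean grid: True where a block's residual does not match the CRP."""
    x0 = find_crop_offset(img, crp)                   # compensate for the crop first
    res = residual(img)
    expected = img * crp[:, x0:x0 + img.shape[1]]     # PRNU term expected at each pixel
    rows, cols = img.shape[0] // block, img.shape[1] // block
    flags = np.zeros((rows, cols), dtype=bool)
    for r in range(rows):
        for c in range(cols):
            sl = np.s_[r * block:(r + 1) * block, c * block:(c + 1) * block]
            flags[r, c] = ncc(res[sl], expected[sl]) < threshold
    return flags

def make_demo(seed=7):
    """Constructed data: 128x192 sensor, image cropped to columns 32..159, one cloned patch."""
    rng = np.random.default_rng(seed)
    crp = rng.normal(0.0, 0.02, (128, 192))           # synthetic sensor fingerprint
    scene = np.linspace(100, 200, 192)[None, :] + np.linspace(0, 30, 128)[:, None]
    shot = scene * (1 + crp) + rng.normal(0, 2.0, scene.shape)
    img = shot[:, 32:160].copy()                      # remove columns on both sides
    img[64:128, 32:96] = img[0:64, 64:128]            # clone-style copy over 2x2 blocks
    return img, crp

if __name__ == "__main__":
    img, crp = make_demo()
    print(find_crop_offset(img, crp))
    print(tamper_map(img, crp).astype(int))
```

The cloned patch still carries sensor noise, but from the wrong sensor position, so its blocks decorrelate from the CRP while the rest of the image keeps matching.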

Now we want to further investigate that suspicious blob. We know the image is a JPEG file, and we know it has been cropped: these two facts together give us some legitimate hope that the Not Aligned Double JPEG (NADJPEG) filter could locate the manipulated area! And that’s indeed the case!

Notice we had to increase the Number of DCT Modes since this image is stored at very high JPEG quality (100%, as shown in the top bar).

That’s it! Within a short time, we were able to gather findings that support the hypothesis that the image is not authentic. Moreover, we have a plausible hypothesis about its lifecycle:

  • the image was originally captured with the same device used for the reference images, a Samsung smartphone in July 2013;
  • it was cropped, removing pixels on the left and right borders;
  • it was edited, probably to hide something that was on the ground;
  • eventually, it was saved as JPEG using the GIMP image manipulation software in May 2020.

And since this is an instructional case… here you have the so-called “ground truth”, that is, the original image! The image was indeed cropped so as to remove the black clothes on the left and right sides of the image, and the black shoes were removed with the clone and healing tools.

As you can see, with Amped Authenticate you can get much more than a “fancy forgery map”. Those who attend our Amped Authenticate training course face cases like this, and even more challenging ones: take a look at the upcoming sessions here!

We hope you enjoyed this Tuesday tip! Stay tuned and don’t miss the next ones. You can also follow us on LinkedIn, Twitter, Facebook or YouTube: we’ll post a link to every new Tip Tuesday so you won’t miss any!