Author Archives: Marco Fontani

Amped Authenticate & Griffeye Analyze DI Pro: a synergy that empowers forensic analysts!

The partnership between Amped Software and Griffeye keeps growing and so does the integration between Griffeye Analyze DI Pro and Amped Authenticate. Analyze DI Pro is a media investigation software for handling large volumes of images and videos, filter irrelevant digital files, prioritize, correlate and identify the most pertinent material in investigations. It will let you scan and import data from a device or from a folder on your workstation. Once the import is complete, you can easily browse and intelligently sort/filter media.

In this post, we’ll take a look at what Griffeye Analyze DI Pro enables you to do when linked with the Amped Authenticate plugins. Let’s create a case and import a folder containing a few JPEG files.

Analyze DI Pro lets you look at image metadata, and Amped Authenticate users know how interesting they are, but, we also know that a single image may contain hundreds of Exif metadata, and reading all of them is quite a boring job. Luckily, from the very same panel above we can call in Amped Authenticate File Format Analysis to automatically spot suspicious metadata. Once you installed Authenticate and the corresponding plugin in Analyze DI Pro, this is just as simple as right-clicking on one or all the images and then hit the “Plugin” voice and select “Amped Authenticate – File Format Analysis” from the pop-up list as shown below.

Continue reading

Improved PRNU-Based Forgery Localization

In a past post, we presented several improvements we did to Amped Authenticate’s Camera Identification filter based on PRNU analysis. Those improvements propagated also to the PRNU Tampering filter so that Amped Authenticate also features an improved algorithm for forgery localization. Improvements mainly include:

Peak-to-Correlation Energy-based (PCE) analysis
During block-based analysis, the PCE is computed and the point yielding the maximum PCE value (peak) is considered. If the peak is in the expected position, the block is considered authentic; if the peak is in a different position, then the PCE value is compared with a threshold to decide the authenticity of the block.

Support for multi-core processing
If your CPU features multiple logical cores, block-based analysis will run in parallel, thus reducing the computation time.

Faster, easier training
Thanks to PCE robustness, there is no need to train a separate model for forgery detection: you can use the same .crp file created for Camera Identification.

Forgery localization for cropped images
If the image is cropped and/or rotated before or after manipulation, the PRNU Tampering filter will detect cropping, compensate for it and run the forgery localization algorithm. The same applies to resizing and/or rotation. Combination of resizing and cropping is not supported yet.

Alert for unreliable regions
PRNU-based forgery localization is not reliable in saturated areas (i.e., totally white or black regions of the image). Indeed, for those pixels, it is impossible to discriminate between the image content and the actual sensor noise. The new version of PRNU-based forgery localization enables highlighting of white and black saturated pixels (marked in yellow and blue, respectively), in order to help the analyst rule out false alarms. Continue reading

Experimental validation of Amped Authenticate’s Camera Identification filter

We tested the latest implementation (Build 8782) of PRNU-based Camera Identification and Tampering Localization on a “base dataset” of 10.069 images, coming from 29 devices (listed in the table below). We split the dataset in two:
– Reference set: 1450 images (50 per device) were used for CRP estimation
– Test set: 8619 images were used for testing. On average, each device was tested against approximately 150 matching images and approximately 150 non-matching images.

It is important to understand that, in most cases, we could not control the image creation process. This means that images may have been captured using digital zoom or at resolutions different than the default one, which makes PRNU analysis ineffective. Making use of EXIF metadata, we could filter out these images from the Reference set. However, we chose not to filter out such images from the Test set: we prefer showing results that are closer to real-world cases, rather than tricking the dataset to obtain 100% performance.

Using the above base dataset, we carried out several experiments:
– Experiment 1) testing the system on images “as they are”
– Experiment 2) camera identification in presence or rotation, resize and JPEG re-compression
– Experiment 3) camera identification in presence of cropping, rotation and JPEG re-compression
– Experiment 4) discriminating devices of the same model
– Experiment 5) investigating the impact of the number of images used for CRP computation.

Continue reading

PRNU-based Camera Identification in Amped Authenticate

Source device identification is a key task in digital image investigation. The goal is to link a digital image to the specific device that captured it, just like they do with bullets fired by a specific gun (indeed, image source device identification is also known as “image ballistics”).

The analysis of Photo Response Non-Uniformity (PRNU) noise is considered the prominent approach to accomplish this task. PRNU is a specific kind of noise introduced by the CMOS/CCD sensor of the camera and is considered to be unique to each sensor. Being a multiplicative noise, it cannot be effectively eliminated through internal processing, so it remains hidden in pixels, even after JPEG compression.

In order to test if an image comes from a given camera, first, we need to estimate the Camera Reference Pattern (CRP), characterizing the device. This is done by extracting the PRNU noise from many images captured by the camera and “averaging” it (let’s not dive too deep into the details). The reason for using several images is to get a more reliable estimate of the CRP, since separating PRNU noise from image content is not a trivial task, and we want to retain PRNU noise only.

After the CRP is computed and stored, we can extract the PRNU noise from a test image and “compare” it to the CRP: if the resulting value is over a given threshold, we say the image is compatible with the camera.

Camera identification through PRNU analysis has been part of Amped Authenticate for quite some time. However, many of our users told us that the filter was hard to configure, and results were not easy to interpret. So, since the end of last year, a new implementation of the algorithm was added (Authenticate Build 8782). The new features included:

Advanced image pre-processing during training
In order to lower false alarms probability, we implemented new filtering algorithms to remove artifacts that are not discriminative, something that is common with most digital cameras (e.g., artifacts due to Color Filter Array demosaicking interpolation).

Continue reading

Amped at the GTTI 2017 Thematic Meeting on Multimedia Signal Processing

Today we presented our products Amped FIVE and Amped Authenticate at the GTTI 2017 Thematic Meeting on Multimedia Signal Processing. The meeting gathered 50+ people from Italian universities and research labs. We got lots of attention and many hints that will help improve our products in the future – stay tuned!

AMPED Software at the DEMO session of the GTTI-MMSP meeting

 

 

Digging out the processing history of an image with the Correlation Plot

In the recent post detailing the latest release of Amped Authenticate, 7644, we highlighted the new functionality included in the Correlation Plot.

When it comes to investigating a digital image, it is fundamental to understand as much as possible about its processing history. The more we know about the digital history of the image, the better we can design our way towards authentication. For example, we can properly choose which filters make sense to use and which not. Not only that, we may also find that some processing was carried that seriously undermine the integrity of the image, or gather evidence supporting authenticity of the image.

The Correlation Plot is a powerful tool in Amped Authenticate for detecting traces left by many different processing operations. It has been part of Authenticate for some time, but we recently worked hard to make its output easier to interpret and understand.

Before looking at the enhancements, what does the correlation plot do?

Image 4

The Correlation Plot, with some new additions!

Continue reading