April Fools’ Day has just passed and we hope you didn’t go through any nasty trick! Alas, for people working with digital evidence, the risk of getting fooled by some ambiguous finding is always around the corner. In the case of digital image forensics, among the most frequent pitfalls, we find false positives produced by forgery localization algorithms (that is, when an algorithm marks as manipulated a region that was not so). Today’s Tuesday Tip deals with them and shows how Amped Authenticate helps you rule out some of them.
Welcome to this week’s Tip Tuesday! Today we are showing you an interesting, perhaps a bit hidden, functionality of Amped Authenticate. There is no need to introduce the PDF file format: it is surely the most widespread format for sharing digital documents. Therefore, it may easily happen that you have to deal with a PDF containing images and that some of them get questioned.
What would you do in such a case (after realizing that if you drag-and-drop the PDF into Amped Authenticate, nothing happens, because it’s not an image file)? Would you take a screen capture of the picture and work with that? “Nooo!” – I hope you said! Screenshots are evil for image forensics! Ok, you would get some pixels to work with, but you would lose all metadata, you would lose encoding properties, you could be recompressing data… That means you cannot check image integrity, and finding manipulations becomes much harder. No, there’s a better way of dealing with images embedded in PDFs, and we’ll show you how!
Dear Amped friends, welcome to this week’s Tip Tuesday!
In our last Tip we talked about how Amped FIVE users can save time by trimming and cropping the video they’re working on, so as to focus the analysis only on interesting parts. Probably, we opted for that topic because February is the shortest month, and it may give you the feeling that time flows away too quickly. Since we can’t stop time, let’s at least save it when possible!
This week is Amped Authenticate’s turn, so let’s see how we can save time when investigating our digital images. Once more, it’s a matter of focus: to save time, we have to focus the analysis on the right images (i.e., properly select them) and run only the analysis filters that we need on them. We will focus on the first aspect today, and leave the second for a coming-soon Tip.
Amped Authenticate users know how important it is to understand the processing history of an image, and they (hopefully!) know that “processing history” does not mean just splicing.
For example, there are cases where the image has been scaled or re-compressed, and when one of these happens you should be aware of it, as they bring important consequences to the rest of your investigation.
Amped Authenticate offers many tools for processing history analysis under the Global Analysis filter category. Some of these, for example the DCT Plot, the Correlation Plot, and the JPEG Ghost Plot are… plots! They should be examined carefully, because we know that artifacts like a “comb-shaped” DCT histogram strongly suggest double JPEG compression, and so does a JPEG Ghost Plot with multiple local minima. The problem is… sometimes it’s just hard to see these artifacts, because they are “hidden” in the plot!
Consider the image below: at first glance, its DCT Plot for DCT Frequency 4 seems rather “smooth”, and you could easily overlook it.
As Amped Authenticate users hopefully learned during our training courses, authenticating a digital image means much more than attaching a fake/real label to it. In some cases, you may be asked whether the integrity of a questioned digital image is preserved (or broken). In such a case, forgery localization tools should not be your first choice from Authenticate’s powerful arsenal.
Indeed, proving that the integrity of an image is “broken” means demonstrating that the image file is not the original file produced by the acquisition device; instead, it has been processed after acquisition. “What” happened during the processing may not even be of interest, because in some cases broken integrity alone is enough to discard potential evidence.
That’s why we always stress the importance of tools under Amped Authenticate’s File Analysis category: they are the best way to screen image properties, metadata and coding details looking for unexpected or suspicious elements.
In this post, I’ll share with you a tip that could prove important in your cases: check for un-updated Exif image resolution tags! Let’s take this nice picture from a Sony Xperia XA1 smartphone (formally called G3112), and let’s imagine we are asked to validate its integrity: is this an original file, untouched since acquisition?
Clone detection (aka “copy-move detection”) is a very important image authentication task. Clones are a special case of image manipulation where part of an image is copied, possibly resized, rotated, sheared, etc., and then pasted to another region of the same image. The two main applications of cloning are:
- creating multiple (fake) copies of an object through copy-paste;
- removing an object from the scene by covering it with a cloned portion of the background.
This is explained with a very simple example in the image below.
The image forensics research community worked hard to develop techniques for clone detection, and two main approaches have been invented: block-matching and keypoint-matching. As suggested by their names, they are based on two different strategies, briefly explained below.
Block-matching:
- Split the image into overlapping blocks;
- Compute a digest (“descriptor”) for each block, possibly robust to rotation, scaling, compression, etc.;
- Search for clusters of matching descriptors.
Keypoint-matching:
- Detect keypoints (SIFT, SURF, BRISK, etc.) from the image;
- Compute keypoint local descriptors;
- Search for (clusters of) matching keypoints.
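The block-matching steps listed above can be sketched in a few lines. This is an added example, not Amped Authenticate's Clones Blocks filter: the descriptor is simply the exact pixel tuple of each block (real detectors use descriptors robust to compression or rotation), and the test image is constructed random noise with one pasted patch.

```python
import random
from collections import Counter, defaultdict

def make_sample(clone=True, seed=7, size=32):
    """Constructed grayscale noise image; optionally copy an 8x8 patch
    from (row 2, col 3) to (row 20, col 17) to simulate a clone."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(size)] for _ in range(size)]
    if clone:
        for j in range(8):
            for i in range(8):
                img[20 + j][17 + i] = img[2 + j][3 + i]
    return img

def find_clone_shift(img, bs=4, min_pairs=10):
    """Return (dy, dx, pairs) for the dominant copy-move shift, or None."""
    h, w = len(img), len(img[0])
    seen = defaultdict(list)              # descriptor -> block positions
    for y in range(h - bs + 1):           # step 1: overlapping blocks
        for x in range(w - bs + 1):
            # step 2: descriptor (here: the raw pixels, not a robust digest)
            desc = tuple(img[y + j][x + i]
                         for j in range(bs) for i in range(bs))
            seen[desc].append((y, x))
    shifts = Counter()                    # step 3: cluster matches by shift
    for positions in seen.values():
        for a in range(len(positions)):
            for b in range(a + 1, len(positions)):
                (y1, x1), (y2, x2) = positions[a], positions[b]
                # ignore pairs of blocks that overlap each other
                if abs(y2 - y1) >= bs or abs(x2 - x1) >= bs:
                    shifts[(y2 - y1, x2 - x1)] += 1
    if not shifts:
        return None
    (dy, dx), n = shifts.most_common(1)[0]
    return (dy, dx, n) if n >= min_pairs else None

if __name__ == "__main__":
    print(find_clone_shift(make_sample()))             # cloned image
    print(find_clone_shift(make_sample(clone=False)))  # untouched image
```

Requiring many block pairs to agree on the same shift vector is what separates a pasted region from isolated coincidental matches.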
Which one is better? It depends, and we try to explain why with the table below:
So, if your question was: “Do I need a block- or a
That’s why Amped Authenticate features both algorithms under the Local Analysis category: Clones Keypoints and Clones Blocks. Let’s compare their output on the sample image we used in this article:
We see that the cloned seagull (top row) is detected by the Clones Keypoints despite the strong down-scaling applied to the cloned object; such a geometrical transformation is too strong to be detected by Clones Blocks. On the other hand, Clones Blocks successfully detects the cloned background (bottom row), that is not detected by Clones Keypoints because the cloned area is just too flat and it does not contain enough keypoints.
We hope you enjoyed this quick tip! Stay tuned and don’t miss our next #ampedtiptuesday post!
The festive season is right around the corner and this is one of our busiest times of the year! Despite this, we’re here with another update to Amped Authenticate just in time for the holidays!
While we’ve included the ability to generate batch processing reports for a while, we’re now introducing an exciting new reporting method designed to make it quicker and easier to report relevant filters.
Not long has passed since the release of Amped Authenticate 10641 but… yes, the next one is already out! Amped Authenticate 11362 is now released with a lot of improvements, including two new filters based on JPEG Dimples, one of the latest discoveries of the image forensics scientific community!
Despite many attempts to send JPEG into retirement, today the vast majority of digital images still use it. Amped Authenticate users know that traces left by JPEG compression are a superb asset when it comes to investigating the digital history of an image, as witnessed by the vast JPEG-based toolkit that Authenticate provides: quantization table analysis, JPEG ghosts, inconsistencies in blocking artifacts, double quantization traces in the DCT coefficients, and more.
But JPEG is still full of new surprises nowadays! A few months ago, while Amped was attending (and sponsoring!) the IEEE 2017 International Workshop on Information Forensics and Security (WIFS 2017), a new footprint was presented to the scientific community: JPEG Dimples (see the original work, “Photo forensics from JPEG dimples” by Shruti Agarwal and Prof. Hany Farid).
JPEG Dimples manifest themselves as a grid of slightly brighter/darker pixels, spaced by 8 pixels in each dimension. Like most image forensic fingerprints, JPEG Dimples are hardly visible to the human eye, but they can be easily detected with a proper algorithm.
But why does this grid appear? And why is it important for our analysis? We’ll answer these questions in detail in a future blog post; however, the reason behind JPEG Dimples is rather simple: during the DCT coefficients quantization phase, different operators exist to approximate decimal values to integer values: the round operator (which approximates the decimal number to the nearest integer), the floor operator (approximation to the nearest smaller integer), or the ceil operator (approximation to the nearest bigger integer). The table below shows the difference in approximating a Value (first column) to an integer using round, floor and ceil.
Obviously, using floor tends to produce smaller values in the 8-by-8 DCT block than using round, and the opposite with ceil. And when we go back to the pixel domain, this leads to a slightly darker or brighter pixel on the top-left corner of the pixel block (see example below)! Measuring the presence of this grid will tell us to which degree an image contains the JPEG Dimples footprint.
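The effect described above can be reproduced numerically. The following is an added example, not Amped Authenticate's filter nor the detector from the WIFS 2017 paper; it assumes a single quantization step `q` for all 64 coefficients, constructed random-noise blocks, and no clipping of decoded pixels.

```python
import math
import random

N = 8
# Orthonormal 8x8 DCT-II matrix used by JPEG: C[u][x]
C = [[(math.sqrt(0.5) if u == 0 else 1.0) / 2
      * math.cos((2 * x + 1) * u * math.pi / 16)
      for x in range(N)] for u in range(N)]
CT = [list(col) for col in zip(*C)]
OPS = {"round": round, "floor": math.floor, "ceil": math.ceil}

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]

def codec(block, q, op):
    """Forward DCT, quantize with step q via op, dequantize, inverse DCT."""
    coeffs = matmul(matmul(C, block), CT)
    deq = [[op(v / q) * q for v in row] for row in coeffs]
    return matmul(matmul(CT, deq), C)

def dimple_strength(op_name, q=8, blocks=200, seed=1):
    """Mean decoding error of each block's top-left pixel minus the mean
    error of its other 63 pixels (negative = darker corner)."""
    rng = random.Random(seed)
    op = OPS[op_name]
    corner = rest = 0.0
    for _ in range(blocks):
        # constructed sample: level-shifted noise block
        block = [[rng.uniform(-128, 127) for _ in range(N)]
                 for _ in range(N)]
        out = codec(block, q, op)
        err = [[out[y][x] - block[y][x] for x in range(N)]
               for y in range(N)]
        corner += err[0][0]
        rest += (sum(map(sum, err)) - err[0][0]) / 63
    return (corner - rest) / blocks

if __name__ == "__main__":
    for name in OPS:
        print(name, round(dimple_strength(name), 2))
```

The bias concentrates at the top-left pixel because every DCT basis function is positive there, so a constant offset on all coefficients adds up at that position and largely cancels elsewhere.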
Now you may be wondering “well, how many cameras will ever be using floor or ceil in place of the more classical round?” Not so few, actually. According to the work presented at WIFS 2017, more than 60% of tested cameras do introduce Dimples. We also carried out an internal evaluation on Amped datasets and numbers were less upsetting, still, we found Dimples in roughly 30% of tested cameras. A footprint with such a spread could not be missing in Amped Authenticate, and so here we are.
When using an image as evidence during a court case, the point of view it represents acquires a resonance much stronger than the testimony of a witness. With video, this is even more true, as we may understand the dynamics even from the frames and any additional information which may be gleaned from the audio track.
Nowadays, there are many free and easy tools which can be used to modify pictures with ease, and thus the authentication of images is of paramount importance. But even more importantly, we need to understand how much data there is in an image, in addition to what we can already see.
Read the full article published in Lawyer Monthly.
The filters in the File Analysis group are generally looking at the file’s container to return relevant information about the file. The Social Media Identification filter examines the file for traces of information that may indicate the file’s social media source. The key word here is “may.”
The workflow that I will explain here is typical in the US and Canada. Take from it what you need in order to apply it to your country’s legal system.