Photo Forensics: Detect Photoshop Manipulation with Error Level Analysis

http://resources.infosecinstitute.com

Introduction Error Level Analysis is a forensic method to identify portions of an image with a different level of compression. The technique could be used to determine if a picture has been digitally modified. To better understand the techniques, it’s necessary to deepen the JPEG compression technique.

JPEG (Joint Photographic Experts Group) is a method of lossy compression for digital images. It’s a data encodingalgorithm that compresses data by discarding (losing) some of it. The level of compression could be chosen as a reasonable compromise between picture size and image quality. A JPEG compression scale is usually 10:1.

The JPEG algorithm works on image grids, compressed independently, having a size of 8×8 pixels. The 8X8 dimension was chosen after numerous experiments with other sizes, any matrices of sizes greater than 8 X 8 are harder to be mathematically manipulated or not supported by hardware, meanwhile any matrices of sizes less than 8 X 8 don’t have enough information. They result in poor quality compressed images.

For images not digitally modified, all 8×8 grids should have a similar error level, resaving the picture. Each square should degrade at approximately the same rate, due to the introduction of an homogeneous amount of errors across the entire image. In a modified image, the altered grid should be at a higher error potential in respect to remaining part of the image.

Image manipulation and analysis

In August 2007, Dr. Neal Krawetz made an interesting presentation during the Black Hat conference titled “A Picture’s Worth.” It involved determing if a picture is real, or of a computer modification. Error Level Analysis (ELA) is one of the simpler methods presented by the researcher. In 2010, Pete Ringwood created the “errorlevelanalysis.com” website as a free service where people could submit photos and web pictures for analysis. The site was later closed. Hacker Factor has recreated the service “fotoforensics.com.” It’s free and allows any user to perform ELA analysis on their own photos.

The methods to analyze the images presented by Krawetz are:

• Observation
  
• Basic image enhancements
  
• Image format analysis
  
• Advanced image analysis
  

ELA Error Level Analysis is a very useful method to detect the manipulation of images belonging to an advanced image analysis. ELA works by re-saving the image at 95% compression, and evaluating the difference with the original. Modified areas are easily seen due their characteristic aspects in the ELA representation.

The main methods used for the picture analysis are based on the following clues:

• Shadows- Analyze the shadows related to different objects in the picture, evaluating them in relation to the direction of the light source.
  
• Eyes- Zoom in and compare against other eyes. (Dots/colors give light direction)
  
• EXIF- Evaluating of EXIF file dat,a including GPS position, time and RBG color profile changes.
  
• Reflections- Analyze that the reflection within the image is coherent.
  

Principal free tools are:

Tool	Description	URL
FotoForensics	Photo ELA Error Level Analysis Image Tool	http://fotoforensics.com/
Jeffrey’s Exif Viewer	Online EXIF data and GPS viewer analyzer	http://regex.info/exif.cgi
JPEGsnoop	Fake image detection via image signature analysis	http://sourceforge.net/projects/jpegsnoop/
IEXIF 2	Iexif is a professional Exif viewer in Windows	http://opanda.com/en/iexif/

==> Read More