Re: Forensics v. Photoshop

Discussion in 'Digital Photography' started by Martin Brown, Sep 19, 2012.

  1. Martin Brown

    Martin Brown Guest

    On 18/09/2012 23:52, Alan Browne wrote:
    > On 2012.09.18 18:38 , Me wrote:
    >> On 19/09/2012 9:31 a.m., Alan Browne wrote:
    >>> http://bits.blogs.nytimes.com/2012/...sics-out-of-the-lab-and-into-the-marketplace/
    >>>
    >>> or http://tinyurl.com/8g8udyp
    >>>
    >>> and http://vimeo.com/49199110 (arguments aren't that convincing)
    >>>
    >>> (It's only $890. Probably more in NZ... ;-) )
    >>>

    >> Hmmm - so it can't prove that the image content /has/ been tampered
    >> with, and neither can it prove that the image file /hasn't/ been
    >> tampered with. What does it claim to do again?

    >
    > Raise doubts. It's claim is to look at how images are made (signature)
    > by the camera. If there is a doubt it will be raised. A change to an
    > image in PS would not pass that.


    Only a cack handed amateur would do it that way. It really isn't that
    difficult to transplant an arbitrary JPEG stream into a given cameras
    signed envelope. Anyone that relies on this tool is an idiot.

    Anyone that pays nearly $1000 for it is dafter still - there is at least
    one free tool called JPEGsnoop which does much the same thing.

    http://www.impulseadventure.com/photo/jpeg-snoop.html

    (there are probably more - this is the one I could recall)

    It isn't rocket science. Photoshop mods to JPEG are trivial to spot
    because Adobe use a custom quantisation table on the resave.
    >
    >> The war seems to have been lost, and I don't think there's any going
    >> back. Even at the pro level, image authentication seems doomed:
    >> http://www.theregister.co.uk/2011/04/28/nikon_image_faking_hack/

    >
    > Surprising.


    Not really. Tools to do this have been around more or less since the
    JPEGLIB codec was completed. CJPEG can compress an image with any
    arbitrary quantisation if you ask it nicely. Splicing in the fake Exif
    data for a given camera signature is a pretty trivial binary edit.

    --
    Regards,
    Martin Brown
    Martin Brown, Sep 19, 2012
    #1
    1. Advertising

  2. Martin Brown

    Martin Brown Guest

    On 19/09/2012 22:44, Alan Browne wrote:
    > On 2012.09.19 03:13 , Martin Brown wrote:
    >> On 18/09/2012 23:52, Alan Browne wrote:
    >>> On 2012.09.18 18:38 , Me wrote:
    >>>> On 19/09/2012 9:31 a.m., Alan Browne wrote:
    >>>>> http://bits.blogs.nytimes.com/2012/...sics-out-of-the-lab-and-into-the-marketplace/
    >>>>>
    >>>>> or http://tinyurl.com/8g8udyp
    >>>>>
    >>>>> and http://vimeo.com/49199110 (arguments aren't that convincing)
    >>>>>
    >>>>> (It's only $890. Probably more in NZ... ;-) )
    >>>>>
    >>>> Hmmm - so it can't prove that the image content /has/ been tampered
    >>>> with, and neither can it prove that the image file /hasn't/ been
    >>>> tampered with. What does it claim to do again?
    >>>
    >>> Raise doubts. It's claim is to look at how images are made (signature)
    >>> by the camera. If there is a doubt it will be raised. A change to an
    >>> image in PS would not pass that.

    >>
    >> Only a cack handed amateur would do it that way. It really isn't that
    >> difficult to transplant an arbitrary JPEG stream into a given cameras
    >> signed envelope. Anyone that relies on this tool is an idiot.

    >
    > Turn off your assumptions. By signature they are looking at what are
    > essentially artifacts of how various cameras generate their output.
    >
    > Perhaps "fingerprint" would be a better term.


    Certainly if you are working in their firm's marketing department.

    There are a handful of independent JPEG implementations - most follow
    the original spec closely enough that there is little or no distinction
    between them (apart from in PSPro 8 which contained gross errors). It
    has to be like that or you would see much worse artefacts if some JPEG
    encoders made significant mistakes (as in fact happened with PsP 8).

    The only real variation is the exact choice of quantisation table and
    Photoshop is distinctive there, but most of the rest use a scaled
    version of the canonical JPEG standard Qtables from the original spec.
    >
    >> Not really. Tools to do this have been around more or less since the
    >> JPEGLIB codec was completed. CJPEG can compress an image with any
    >> arbitrary quantisation if you ask it nicely. Splicing in the fake Exif
    >> data for a given camera signature is a pretty trivial binary edit.

    >
    > It probably is - but that's not what this sw is detecting. Above.


    That is all that they have claimed. I have already pointed a link at
    freeware that does exactly the same job (and much the same way).

    The file signature is pretty much determined by the miscellaneous dross
    that each vendor adds to the header for the JPEG stream and how many
    implementation ambiguities/mistakes they make in their encoding of Exif
    data. Luckily most decoders can cope with quite badly malformed Exif so
    there is scope for recognising certain brands there.

    --
    Regards,
    Martin Brown
    Martin Brown, Sep 20, 2012
    #2
    1. Advertising

  3. Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote:
    > On 19/09/2012 22:44, Alan Browne wrote:
    >> On 2012.09.19 03:13 , Martin Brown wrote:
    >>> On 18/09/2012 23:52, Alan Browne wrote:


    >>>> Raise doubts. It's claim is to look at how images are made (signature)
    >>>> by the camera. If there is a doubt it will be raised. A change to an
    >>>> image in PS would not pass that.


    >>> Only a cack handed amateur would do it that way. It really isn't that
    >>> difficult to transplant an arbitrary JPEG stream into a given cameras
    >>> signed envelope. Anyone that relies on this tool is an idiot.


    >> Turn off your assumptions. By signature they are looking at what are
    >> essentially artifacts of how various cameras generate their output.


    >> Perhaps "fingerprint" would be a better term.


    > Certainly if you are working in their firm's marketing department.


    > There are a handful of independent JPEG implementations - most follow
    > the original spec closely enough that there is little or no distinction
    > between them (apart from in PSPro 8 which contained gross errors). It
    > has to be like that or you would see much worse artefacts if some JPEG
    > encoders made significant mistakes (as in fact happened with PsP 8).


    > The only real variation is the exact choice of quantisation table and
    > Photoshop is distinctive there, but most of the rest use a scaled
    > version of the canonical JPEG standard Qtables from the original spec.


    So there's no variation in noise between camera types, sensor
    technology and pixel sizes? There's no different JPEG denoising
    between cameras?

    -Wolfgang
    Wolfgang Weisselberg, Sep 20, 2012
    #3
  4. Martin Brown

    Martin Brown Guest

    On 20/09/2012 21:49, Alan Browne wrote:
    > On 2012.09.20 04:26 , Martin Brown wrote:
    >
    >> There are a handful of independent JPEG implementations - most follow
    >> the original spec closely enough that there is little or no distinction
    >> between them (apart from in PSPro 8 which contained gross errors). It
    >> has to be like that or you would see much worse artefacts if some JPEG
    >> encoders made significant mistakes (as in fact happened with PsP 8).

    >
    > These folks seem to have statistical evidence to the contrary which
    > trumps your knee jerk assumptions.
    >
    > It will be judged in the marketplace of those who are concerned with
    > such. If there is value it will be quickly found. Or not.


    I agree. Snake oil will be fairly quickly smoked out.

    >> The only real variation is the exact choice of quantisation table and
    >> Photoshop is distinctive there, but most of the rest use a scaled
    >> version of the canonical JPEG standard Qtables from the original spec.

    >
    > Assumption.


    Not an assumption at all - I know that for a fact. I have written
    software that analyses damaged JPEGs. There are only a handful of
    cameras and applications that use custom non-standard Qtables that are
    unrelated to the "examples" given in the original spec. Virtually
    everything apart from Photoshop uses scaled copies of the JPEG example.

    One such was PsPro 8 which included a typo in the Y matrix and various
    faulty chroma downsampling algorithms which distorted the results. Such
    errors are rare and are seldom detected by end users.

    >>>> Not really. Tools to do this have been around more or less since the
    >>>> JPEGLIB codec was completed. CJPEG can compress an image with any
    >>>> arbitrary quantisation if you ask it nicely. Splicing in the fake Exif
    >>>> data for a given camera signature is a pretty trivial binary edit.
    >>>
    >>> It probably is - but that's not what this sw is detecting. Above.

    >>
    >> That is all that they have claimed. I have already pointed a link at
    >> freeware that does exactly the same job (and much the same way).
    >>
    >> The file signature is pretty much determined by the miscellaneous dross
    >> that each vendor adds to the header for the JPEG stream and how many
    >> implementation ambiguities/mistakes they make in their encoding of Exif
    >> data. Luckily most decoders can cope with quite badly malformed Exif so
    >> there is scope for recognising certain brands there.

    >
    > Again, as if you didn't read the article or see the video, the signature
    > aspect has to do with the content, not the additional data.


    I did read the site and their description matches my interpretation of
    what they are offering. The camera "signature" is in the fluff around
    the JPEG stream and not in the coefficient stream itself.

    http://www.fourandsix.com/fourmatch

    Such "signatures" can be easily forged with the right tools.

    The JPEG coefficient stream has a limited number of encoding
    possibilities and only a few of them are actually seen in practice.

    --
    Regards,
    Martin Brown
    Martin Brown, Sep 20, 2012
    #4
  5. Martin Brown

    Martin Brown Guest

    On 20/09/2012 16:47, Wolfgang Weisselberg wrote:
    > Martin Brown <|||newspam|||@nezumi.demon.co.uk> wrote:
    >> On 19/09/2012 22:44, Alan Browne wrote:
    >>> On 2012.09.19 03:13 , Martin Brown wrote:
    >>>> On 18/09/2012 23:52, Alan Browne wrote:

    >
    >>>>> Raise doubts. It's claim is to look at how images are made (signature)
    >>>>> by the camera. If there is a doubt it will be raised. A change to an
    >>>>> image in PS would not pass that.

    >
    >>>> Only a cack handed amateur would do it that way. It really isn't that
    >>>> difficult to transplant an arbitrary JPEG stream into a given cameras
    >>>> signed envelope. Anyone that relies on this tool is an idiot.

    >
    >>> Turn off your assumptions. By signature they are looking at what are
    >>> essentially artifacts of how various cameras generate their output.

    >
    >>> Perhaps "fingerprint" would be a better term.

    >
    >> Certainly if you are working in their firm's marketing department.

    >
    >> There are a handful of independent JPEG implementations - most follow
    >> the original spec closely enough that there is little or no distinction
    >> between them (apart from in PSPro 8 which contained gross errors). It
    >> has to be like that or you would see much worse artefacts if some JPEG
    >> encoders made significant mistakes (as in fact happened with PsP 8).

    >
    >> The only real variation is the exact choice of quantisation table and
    >> Photoshop is distinctive there, but most of the rest use a scaled
    >> version of the canonical JPEG standard Qtables from the original spec.

    >
    > So there's no variation in noise between camera types, sensor
    > technology and pixel sizes? There's no different JPEG denoising
    > between cameras?


    Cameras making JPEG files are only writing the JPEG stream. There might
    be tiny differences in the exact sensor demosaicing code but that will
    largely be hidden when the file is saved JPEG 2x1 chroma subsampled. I'd
    give better odds for recognising a full RAW file with all the sensor
    calibration info still in it.

    Sensor noise might allow you distinguish a few *very* old and thermally
    noisy cameras but that is about all. The odd camera has insane default
    settings usually oversharpened which would also be easy to spot.

    --
    Regards,
    Martin Brown
    Martin Brown, Sep 21, 2012
    #5
  6. Martin Brown

    Martin Brown Guest

    On 21/09/2012 21:43, Alan Browne wrote:
    > On 2012.09.21 03:12 , Martin Brown wrote:
    >> On 20/09/2012 16:47, Wolfgang Weisselberg wrote:

    >
    >>> So there's no variation in noise between camera types, sensor
    >>> technology and pixel sizes? There's no different JPEG denoising
    >>> between cameras?

    >>
    >> Cameras making JPEG files are only writing the JPEG stream. There might
    >> be tiny differences in the exact sensor demosaicing code but that will
    >> largely be hidden when the file is saved JPEG 2x1 chroma subsampled. I'd
    >> give better odds for recognising a full RAW file with all the sensor
    >> calibration info still in it.

    >
    > What W said is the real point of it: what leaks through the physics into
    > the image - raw or JPG - will fingerprint the camera design. Look at
    > enough image samples and it comes out.
    >
    >> Sensor noise might allow you distinguish a few *very* old and thermally
    >> noisy cameras but that is about all. The odd camera has insane default
    >> settings usually oversharpened which would also be easy to spot.

    >
    > Given the statistical methods used by them even new "quieter" cameras
    > will in the end give up their signatures - even via JPG.


    Not a chance after JPEG encoding.
    Too much of the noise signature is lost.

    Would you like to buy London Bridge?

    --
    Regards,
    Martin Brown
    Martin Brown, Sep 21, 2012
    #6
  7. Martin Brown

    Martin Brown Guest

    On 22/09/2012 05:05, Eric Stevens wrote:
    > On Fri, 21 Sep 2012 22:34:36 +0100, Martin Brown
    > <|||newspam|||@nezumi.demon.co.uk> wrote:
    >
    >> On 21/09/2012 21:43, Alan Browne wrote:
    >>> On 2012.09.21 03:12 , Martin Brown wrote:
    >>>> On 20/09/2012 16:47, Wolfgang Weisselberg wrote:
    >>>
    >>>>> So there's no variation in noise between camera types, sensor
    >>>>> technology and pixel sizes? There's no different JPEG denoising
    >>>>> between cameras?
    >>>>
    >>>> Cameras making JPEG files are only writing the JPEG stream. There might
    >>>> be tiny differences in the exact sensor demosaicing code but that will
    >>>> largely be hidden when the file is saved JPEG 2x1 chroma subsampled. I'd
    >>>> give better odds for recognising a full RAW file with all the sensor
    >>>> calibration info still in it.
    >>>
    >>> What W said is the real point of it: what leaks through the physics into
    >>> the image - raw or JPG - will fingerprint the camera design. Look at
    >>> enough image samples and it comes out.
    >>>
    >>>> Sensor noise might allow you distinguish a few *very* old and thermally
    >>>> noisy cameras but that is about all. The odd camera has insane default
    >>>> settings usually oversharpened which would also be easy to spot.
    >>>
    >>> Given the statistical methods used by them even new "quieter" cameras
    >>> will in the end give up their signatures - even via JPG.

    >>
    >> Not a chance after JPEG encoding.
    >> Too much of the noise signature is lost.
    >>
    >> Would you like to buy London Bridge?

    >
    > Here is the original claim:
    >
    > "The many signatures arise from the malleability of the JPEG
    > standard, the format in which nearly all cameras save images.
    > Different cameras and mobile devices have varying sensor sizes and
    > resolution settings, and techniques for handling thumbnail pictures
    > and image metadata. Different cameras and software use different
    > methods to compress image files. All leave telltale digital
    > tracks."
    >
    > The software claims to be able to identify the specific parameters
    > which link the camera to the JPG image. If there only five parameters
    > to be identified and there are fourteen variations of each then it is
    > not hard to end with 70,000 different unique combinations. Of course
    > its not quite that simple. The claim sounds credible. That's not the
    > same as saying it is correct.


    The claim is credible from the point of view that if everyone is
    completely honest never puts a foreign JPEG stream inside another
    cameras signed envelope their software can identify from the choice of
    compression parameters and the quirks in the interpretation of the
    dreadful ambiguous Exif "standard" which camera or app it came from.

    (there are roughly speaking about 500 distinct Qtables in use but less
    than 100 are common and fewer than 10 make up the bulk of all images)

    I have already pointed at freeware that does exactly this using the same
    methodology. But it is not forensically sound. An expert can too easily
    fake the headers to for example make it look like Neil Armstrong was
    stood on the moon and photographed with an Ixus V.

    --
    Regards,
    Martin Brown
    Martin Brown, Sep 22, 2012
    #7
  8. Eric Stevens <> wrote:

    > matter. The question is, can anyone alter the image in such a way that
    > the fact that it has been altered is indetectable?


    Of course someone can.

    Change a single pixel in such a way that it's still within it's
    typical statistic value range for the true image. Don't do
    anything except exchanging the single JPEG block that contains
    the pixel (write your own program to do it or do it by hand).

    Presto: even having a second photo (with pixel-exact registration)
    of the same scene and access to the same scene you cannot detect
    the manipulation.

    (Of course, the manipulation will not be relevant.)

    -Wolfgang
    Wolfgang Weisselberg, Sep 23, 2012
    #8
  9. Martin Brown

    John A. Guest

    On Sun, 23 Sep 2012 22:37:01 +0200, Wolfgang Weisselberg
    <> wrote:

    >Eric Stevens <> wrote:
    >
    >> matter. The question is, can anyone alter the image in such a way that
    >> the fact that it has been altered is indetectable?

    >
    >Of course someone can.
    >
    >Change a single pixel in such a way that it's still within it's
    >typical statistic value range for the true image. Don't do
    >anything except exchanging the single JPEG block that contains
    >the pixel (write your own program to do it or do it by hand).
    >
    >Presto: even having a second photo (with pixel-exact registration)
    >of the same scene and access to the same scene you cannot detect
    >the manipulation.
    >
    >(Of course, the manipulation will not be relevant.)
    >
    >-Wolfgang


    You can embed a message that way, using the least-significant bits to
    encode it.

    http://en.wikipedia.org/wiki/Steganography
    John A., Sep 24, 2012
    #9
  10. John A <> wrote:
    > On Sun, 23 Sep 2012 22:37:01 +0200, Wolfgang Weisselberg
    >>Eric Stevens <> wrote:


    >>> matter. The question is, can anyone alter the image in such a way that
    >>> the fact that it has been altered is indetectable?


    >>Of course someone can.


    >>Change a single pixel in such a way that it's still within it's
    >>typical statistic value range for the true image. Don't do
    >>anything except exchanging the single JPEG block that contains
    >>the pixel (write your own program to do it or do it by hand).


    >>Presto: even having a second photo (with pixel-exact registration)
    >>of the same scene and access to the same scene you cannot detect
    >>the manipulation.


    >>(Of course, the manipulation will not be relevant.)


    > You can embed a message that way, using the least-significant bits to
    > encode it.


    > http://en.wikipedia.org/wiki/Steganography


    Yep --- and if there's then any sort of pattern in the LSB, your
    hiding there has failed. Note: Often an encryption or compression
    output contains something like a header ...

    -Wolfgang
    Wolfgang Weisselberg, Sep 25, 2012
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. BleepingComputer.com

    Article: Windows Forensics: Have I been Hacked?

    BleepingComputer.com, Feb 22, 2004, in forum: Computer Support
    Replies:
    7
    Views:
    460
    Paul - xxx
    Feb 22, 2004
  2. Rob Slade, doting grandpa of Ryan and Trevor

    REVIEW: "Computer and Intrusion Forensics", George Mohay et al

    Rob Slade, doting grandpa of Ryan and Trevor, Jul 15, 2003, in forum: Computer Security
    Replies:
    0
    Views:
    1,048
    Rob Slade, doting grandpa of Ryan and Trevor
    Jul 15, 2003
  3. Lord Shaolin
    Replies:
    4
    Views:
    378
    Bill Sanderson
    Oct 27, 2003
  4. Martin Brown

    Re: Forensics v. Photoshop

    Martin Brown, Sep 18, 2012, in forum: Digital Photography
    Replies:
    2
    Views:
    277
    nospam
    Sep 19, 2012
  5. Me

    Re: Forensics v. Photoshop

    Me, Sep 19, 2012, in forum: Digital Photography
    Replies:
    1
    Views:
    280
    Peter Jason
    Sep 19, 2012
Loading...

Share This Page