The camera never lies?
Advances in digital image forensics
Dr Stuart Gibson (s.j.gibson@kent.ac.uk)
School of Physical Sciences, University of Kent
Wordle [word cloud] containing titles of image forensics publications 2010-12
[http://www.cs.dartmouth.edu/~farid/dfd/index.php/publications]
Objective for image forensics
Source camera
identification


Image integrity check
Is it real?
Which camera?
Hurricane Sandy image forgery
2
Cyber Security Seminar
22/11/2012
Spot the forgery!
The August 2007 cover of
the scientific publication
Nature featured three
autonomous aircraft taking
atmospheric measurements.
The top and bottom
aircrafts, however, were
cloned copies of each other.
After a keen-eyed reader
discovered this photo
alteration, the Editors
printed the following
clarification: “The cover
caption should have made it
clear that this was a
montage. Apologies.”
3
Cyber Security Seminar
22/11/2012
Spot the forgery!
4
Cyber Security Seminar
22/11/2012
Spot the forgery!
A political ad for George W.
Bush, as he was running for
President, shows a sea of
soldiers as a back drop to a
child holding a flag. The original
image included Bush standing
at a podium, but he was
removed by digitally copying
and pasting several soldiers
from other parts of the image.
After acknowledging that the
photo had been doctored, the
Bush campaign said that the ad
would be re-edited and reshipped to TV stations.
5
Cyber Security Seminar
22/11/2012
Spot the forgery!
6
Cyber Security Seminar
22/11/2012
Spot the forgery!
In a doctored photograph, British politicians Ed Matts, conservative candidate for
Dorset South, and Ann Widdecombe, conservative candidate for Maidstone and the
Weald, are shown holding a pair of signs that together read “controlled immigration
— not chaos and inhumanity”. This picture appeared as part of Matts’ election
literature. The original photograph, however, shows the same two candidates
campaigning for a Malawian family of asylum seekers to be allowed to stay in Britain.
Widdecombe said she was “happy to be associated with either message”.
7
Cyber Security Seminar
22/11/2012
Spot the forgery!
A Missouri University professor and
co-authors retracted their paper
(Cdx2 Gene Expression and
Trophectoderm Lineage Specification
in Mouse Embryos) published in
Science after an investigation revealed
that accompanying images were
doctored. Contrary to conventional
wisdom, the published research
presented evidence that the first two
cells of mouse embryos possess
markers that indicate from a very
early stage whether they will grow
into a fetus or placenta. An
investigating university committee
found that lead author and postdoctoral researcher deliberately
altered images of the embryos.
8
Cyber Security Seminar
22/11/2012
More like this?
http://www.fourandsix.com/photo-tamperinghistory/tag/science
9
Cyber Security Seminar
22/11/2012
Digital images and the law
 Protection
of Children Act 1978
 Counter-Terrorism Act 2008
 Section 58 of the Terrorism Act 2000
 Copyright law
10
Cyber Security Seminar
22/11/2012
Properties of a digital image
 Exchangeable
image format (Exif) data
provides a wealth of information including
camera make and model.
 But can we trust Exif data?
[PhotoMe demo here]
11
Cyber Security Seminar
22/11/2012
Some forensic methods


Majority of methods enable camera classification.
Photo response non-uniformity can differentiate between
images taken from two cameras of same make and model.
12
Cyber Security Seminar
22/11/2012
Sensor fingerprinting
• ‘Exemplar’ fingerprint:- known to have originated
from a specific source camera.
• ‘Latent’ fingerprint:- lifted from an evidential
image.
14
Cyber Security Seminar
22/11/2012
Photo response non-uniformity (PRNU)

Image degradation model
observed image
true scene
I  I0  I0 K  
random additive
noise component
consistent between images
Lukas, Fridrich & Goljan | In SPIE Electonic Engineering |
2005 | 249-260
15

Noise residual
W  I  Iˆ0  (I0  Iˆ0 )  I0 K  
denoised image
W  I0 K  
1 N
WE 
Wi   K

N 1 i
Estimate of exemplar fingerprint
given by mean noise residual
Cyber Security Seminar
22/11/2012
Denoising filter specification


Daubechies db8 wavelet.
Filter detail coeffs for first 4 levels of decomposition.

ML estimate of variance based on local neighbourhood.
Mihcak, Kozintsev, Ramchandran, Moulin | IEEE Trans Sig Proc |1999 | 6(12) | 300-303
16
Cyber Security Seminar
22/11/2012
Latent/exemplar fingerprint matching
Determine correlation coefficient between
noise pattern and fingerprints for cameras
including suspected source
Camera 1 fingerprint
Camera 2 fingerprint
Image noise pattern
(latent fingerprint)
Evidential image
Camera 3 fingerprint
......
Apply filter





Camera s fingerprint
Obtain the exemplar (device) fingerprint of the camera (s) of interest.
Obtain the exemplar of a number of other cameras (1, 2, 3...)
Filter evidential images with wavelet denoising filter.
Correlate latent print with exemplar fingerprints of all cameras.
High correlation coefficient obtained if the fingerprints match.
Digital image analysis and evaluation
(DIANE) MATLAB code

H0: (Non-matching image)

Number of images used in
estimation of exemplar
fingerprint
[512x512 image regions, green colour plane]
18
Cyber Security Seminar
22/11/2012
Source camera identification
Image by Welford and Gibson, SPS, UoK
Correlation coefficients for 50 evidential images from a Canon 450D with 8 different
cameras including the source.
Robustness of PRNU method
(application to social networking)

Facebook : Hi-resolution
upload and download from
iPhone 4S
[1536x2048]
20

Facebook: – Lo-resolution
upload and download from
iPhone 4S
[720x960]
Cyber Security Seminar
22/11/2012
Forgery detection using PRNU
21
Cyber Security Seminar
22/11/2012
Forgery detection using PRNU
22
Cyber Security Seminar
22/11/2012
Some forensic methods

Methods based on JPEG artefacts and decompression
information are particularly popular in the research
literature [see word cloud]
23
Cyber Security Seminar
22/11/2012
JPEG Compression scheme
For the lossy JPEG
compression method the input
image (a) is separated into 8x8
image blocks in a preprocessing step.
The DCT of each image block
is calculated separately (b).
The significant coefficients of
the DCT are usually located in
the top left hand corner (c)
and are attributable to low
spatial frequencies in the input
image.
Dr. Stuart Gibson, SPS
PS507: Unit 2 – Digital Image Processing
JPEG File Headers

Discrete Quantisation Table (DQT)
 Required for decompression.

Optimised for hardware and intended use of camera.
DQT for Canon EOS40D
DQT for iPhone 3G
Dr. Stuart Gibson, SPS
JPEG File Headers

Forensic value of DQT



Indicator of make and model.
All JPEG files headers have one (even when Exif metadata has
been deliberately removed).
DQT may be overwritten when



Image tampering has taken place (compare with metadata – if still
present).
File is transferred – social networking, mobile phone.
In some cases primary DQT may be inferred from the
histograms of discrete cosine transformation coefficients even
if the image has been compressed twice...
Dr. Stuart Gibson, SPS
PS507: Unit 2 – Digital Image Processing
Analysis of DCT coefficients

If the JPEG quality factor is set to 100 we expect to
observe a histogram in which adjacent columns are
occupied (see below). This is because all entries in the
DQT are 1 and no quantisation of coefficient values takes
place.
coefficient histogram for a single spatial frequency
Dr. Stuart Gibson, SPS
PS507: Unit 2 – Digital Image Processing
Analysis of DCT coefficients





Single compression
When coefficient magnitudes
are quantised by a divisor of say
3, we expect to see every third
column occupied.
This can be explained by the
loss in accuracy due to rounding
of values that are not multiples
of 3
e.g.
Round(5/3)=2 and 3x2=6 not 5
Hence non-zero columns occur
at -12, -9, -6, -3, 0, 3, 6, 9, 12 etc
Dr. Stuart Gibson, SPS
Spacing between columns is regular
and equal to 3.
PS507: Unit 2 – Digital Image Processing
Analysis of DCT coefficients




Double compression
[Case1: entries in primary
DQT > in value than entries
in secondary DQT]
When coefficient magnitudes
are quantised by a divisor in the
primary DQT of say 3, then
quantised by a divisor in the
secondary of DQT of say 2 we
expect to irregular column
spacing.
This is an indicator of image
tampering – e.g. Photoshop.
After double compression the spacing
between columns is irregular and is equal
to 3 then 2 in an alternating sequence.
Dr. Stuart Gibson, SPS
PS507: Unit 2 – Digital Image Processing
Analysis of DCT coefficients




Double compression
[Case2: entries in primary
DQT < than entries in
secondary DQT]
When coefficient values are
quantised by a divisor in the
primary DQT of say 2, then
quantised by a divisor in the
secondary of DQT of say 3 we
expect regular column spacing
but irregular column heights.
The irregularities in column
height also indicate that the image
has been recompressed.
Dr. Stuart Gibson, SPS
Note that here some of the blue columns
in the histogram (spaced at intervals of 2)
are hidden by the red columns.
PS507: Unit 2 – Digital Image Processing
Resources

MATLAB Digital Image Analysis and Evaluation (DIANE)


Dresden image database


http://forensics.inf.tu-dresden.de/ddimgdb/
Image forensics bibliography


Contact s.j.gibson@kent.ac.uk
http://www.cs.dartmouth.edu/~farid/dfd/index.php/publications
Multimedia forensics bibliography

31
http://www.theonlineoasis.co.uk/clweb/bibliography/main/sort/year.html
Cyber Security Seminar
22/11/2012
Contact
Dr Stuart Gibson
 Address: Room 107 , School of Physical Sciences, Ingram Building.
 Tel: Ext 3271
 Email: s.j.gibson@kent.ac.uk

Enquiries regarding collaboration are welcome!
32
Cyber Security Seminar
22/11/2012