As one of the major sources of information, digital images have evolved to become an essential part of our lives in a wide range of fields from scientific research, journalistic photography, entertainment, criminal investigation, law enforcement, and insurance claims, to medical imaging. However, concomitant with the ubiquity of digital images and the increasing sophistication of advanced photo-editing software (e.g. Adobe Photoshop), is the rampant problem of digital forgeries, which has seriously debased the credibility of photographic images as definite records of events. Accordingly, digital image forensics has emerged as a new field that aims to reveal tampering operations in digital images.
The Creation Of Digital Images
A digital image is the result of a complex image generation process that projects a continuous scene to a discrete representation. A scene is part of the real world and can refer to any real natural phenomena or describe arbitrary imaginary phenomena that result from human creativity. As a result, the image conveys information about the depicted scene, which—by (human) interpretation—translates to a particular semantic meaning. When capturing a digital image, multiple processing steps are performed before the storage.
The Light enters the imaging device through a system of optical lenses, which conveys it toward the imaging sensor. The imaging sensor is the heart of every digital camera, and it is composed of an array of photodetectors, each corresponding to a pixel of the final image, which transforms the incoming light intensity into a proportional voltage. Most cameras use CCD (Charged Coupled Device) sensors, but CMOS (Complementary Metal Oxide Semiconductor) imagers can also be found. To render color, before reaching the sensor the light is filtered by the Color Filter Array (CFA), a specific color mosaic that permits each pixel to gather only one particular light wavelength (i.e. color). The CFA pattern arrangement depends on the manufacturer, although Bayer’s filter mosaic is often preferred. As a result, the sensor output is a mosaic of e.g. red, green, and blue pixels arranged on a single layer. To obtain the canonical 3-channels representation, the signal needs to be interpolated. Demosaicing algorithms are applied to this purpose; the missing pixel values in each layer are estimated based on the values of existing neighbors. Before the eventual storage, additional processing is performed, such as white balance, gamma correction, and image enhancement. Finally, the image is recorded in the memory device. Also in this case the format can vary, but a common choice is JPEG.
There has been diversity in sensing technology, optical sensors, camera manufacturing, and software. So the component of an image is modified at several stages and thus leaves intrinsic fingerprints. The image acquisition process is almost uniform for every type of commercially available camera, however, each manufacturer performs the steps according to their choice. Thus each stage can create imperfections and intrinsic irregularities such as lens distortion, chromatic aberration, pixel defects or CCD sensor imperfections, statistical dependencies related to proprietary CFA interpolation algorithms, and other intrinsic image regularities that leave tell-tale footprints.
The Digital Image Lifecycle
The digital image lifecycle is the history of the image including the various steps taken to create it. For instance, a photo could be taken with a digital camera, and edited within a graphics application (for example, Adobe Photoshop). The end product of this process is not the original image. It has passed through several phases in the image's lifecycle. Generally, when a photo is taken, a digital image is created. This, however, could go on to be resized, shared, impregnated with additional tags, mutated, and so on. The more the image gets passed around and edited, the more lifecycle is generated. These mutations not only degrade the quality of the image but they add extra data, making it more difficult for investigators to find the information they need. The aim of the investigator, therefore, is to uncover the origin of the image. The closer to the original image he can get, the better the outcome of the investigation.
Types of Digital Images
Essentially, a digital image that is a subject of investigation can be any of the following types of image.
- Computer Generated (CG) - This is an image entirely generated with computer software and is usually stored in a lossless compression format like PNG (Portable Network Graphics) or a lossless variant of Tagged Image File Format (TIFF).
- Digital Photo - This is a photograph that is originally recorded or captured from an actual scene or situation using any image-capturing device such as a camera or scanner and they are usually distributed in a lossy compression format. The most common one is the JPEG format. The captured image is expected to convey the original or scene at the source while capturing it in a real sense. JPEG is an acronym for ‘Joint Photographic Experts Group’, which is the consortium having developed the JPEG standard (ISO/IEC 10918-1:1994). JPEG files typically have the extension .jpg or .jpeg. As the JPEG standard has many options for encoding image data, ordinary encoders and decoders support only a subset of the possible options. Most image editing programs store JPEG images in the JPEG File Interchange Format (JFIF), which defines certain restrictions on the choice of encoding settings. JFIF has become Part 5 of the official JPEG standard (ISO/IEC 10918-5: 2013). A different standard for storing JPEG images is the Exchangeable image file format (Exif) widely used by digital cameras (JIETA CP-3451C 2013). Exif is mainly a standard for attaching metadata to JPEG files, but it also defines some restrictions on the choice of JPEG encoding settings. If an Exif file from a digital camera is processed with image editing software, the result is usually a JFIF file including Exif metadata.
- Digitally Enhanced Photo - This is a digital photo that has been manipulated using image editing software (such as Adobe Photoshop). This includes minor manipulations such as cropping, and eye reduction, to major re-colouring or digitally combining with other images.
Digital Image Forensics
Digital Image Forensics is the application of image science and domain expertise to interpret the content of an image and/or the image itself in legal matters. Image forgery detection refers to investigative activities aimed at determining whether an image has been altered or manipulated in some way to create a false representation of reality. Digital Image Forensics aims to address the following questions about a digital image:
- Is the image real, computer-generated, or digitally enhanced?
- If the image is real: where was the picture taken, when, and how (e.g. camera model)?
- If the image is digitally enhanced: what was manipulated, and how was the manipulation accomplished?
- If the image is computer generated: how was the image created?
Digital Image Forensics is a relatively new field. As such, definitions are not standardized. What constitutes a computer-generated image? Does cropping or resizing an image constitute digital enhancement? Different jurisdictions and organizations define these terms differently, and conflicting definitions may lead to incorrect categorization. According to the Defence's Cyber Crime Center (DC3), as long as the primary subject is real, the image is real. This is a useful definition for cases involving Child Pornography. The DC3 is only concerned with 'real' or 'CG' and not levels based on digital enhancements. Belkasoft considers any modification, alteration, or “enhancement” of the image after the image left the camera made with any software, including RAW conversion tools to constitute an altered image. Currently, there are no legal definitions for 'real' or 'computer-generated' images. Instead, courts leave the definition to subject experts.
The whole point of forgery analysis is to determine whether any changes were made to alter the meaningful content of the image. So analysis of an image on pixel level is done to detect whether significant changes were made to the actual pixels.
At the time of the birth of digital image forensics, active protection methods such as digital watermarking and signature served as major solutions to protect the integrity of digital images. By inserting certain information into images, digital watermarking is considered invasive as certain distortion of the image is unavoidable during the embedding process. A digital signature, on the contrary, is non-invasive as only a computed signature is appended to the image as metadata. However, these active methods face challenges especially when used on a large scale basis or adopted widely in today’s digital imaging devices (e.g., digital cameras) which lack watermarking or signature modules. To combat this issue, a new technique for checking the contents of digital images has been developed called passive-blind forgery detection. Passive-blind forgery detection techniques use the received image only for assessing its authenticity or integrity, without any signature or watermark of the original image from the sender. It is based on the assumption that although digital forgeries may leave no visual clues of having been tampered with, they may highly likely disturb the underlying statistics property or image consistency of a natural scene image which introduces new artifacts resulting in various forms of inconsistencies. These inconsistencies can be used to detect the forgery. This technique is popular as it does not need any prior information about the image. Existing techniques identify various traces of tampering and detect them separately with localization of the tampered region. In this article, I will focus on digital image forensic techniques based on the passive model.
Forgery Detection Algorithms
Considering all of the above, it should be obvious to the reader that no single algorithm can reliably detect image manipulations. Providing a comprehensive description of each and every algorithm used for detecting image forgery would not be feasible, and would be out of the scope of this article. Here, I focus on methods that verify the digital (as opposed to physical or semantic) integrity of image, namely, discover the occurrence of a manipulation by detecting the pixel-level inconsistencies it caused. It is worth emphasizing that even well-crafted manipulations, which do not leave visible artifacts on the image, always modify its statistics, leaving traces that can be exploited by pixel-level analysis tools. In fact, the image formation process inside a camera, as earlier seen, comprises a certain number of operations, both hardware and software, specific of each camera, which leave distinctive marks on each acquired image.
Copy-Move Forgery Detection
 |
| 1a - Copy-Move forged image |
 |
| 1b - Copy-Move Forgery Detection |
Image Splicing Forgery Detection
Another popular image tampering technique is known as Splicing. The technique also known as Compositing Forgery uses multiple different image sources to hide a particular object or alter the original image. This is different from Copy-Move Forgery as the copy-move forgery method uses the same image source to alter itself. With good choices of source images and careful manual editing, forged images made with splicing are usually hard to detect by untrained eyes.
Most digital images have inherent noise introduced either during their acquisition or by the subsequent processing (e.g. compression). For an untampered photographic image, the noise levels (measured by the noise standard deviation) of different regions across the whole image usually differ only slightly. But with regions spliced from other images with different intrinsic noise levels, or small amounts of noise intentionally added to conceal traces of editing operations, the variations in local image noise levels could become telltale evidence that the image has been tampered.
 |
| 2a - Spliced image |
 |
| 2b - Splicing forgery detection |
Also, investigating with the Noise separation module reveals the same as above. The noise level in the spliced region is significantly different from other areas of the image.
 |
| 2c - Noise separation |
JPEG Double Quantization Effect
The workflow for creating a forgery involves opening an image in a photo editing application, making the desired changes, and resaving the image. If both the original and the tampered images use the JPEG format, the tampered image would have been compressed twice. The JPEG compression scheme quantizes the DCT coefficients of 8 × 8 blocks in the image. Double quantization produces periodic artifacts in the histograms of DCT coefficients. The presence of these artifacts indicates that the image has been doubly compressed, which is suspicious, but not necessarily malicious—the user may have simply resaved the image with a different quality setting. However, the presence of these artifacts can warrant additional analysis by other forensic techniques.
The two images above look identical, although the second picture was opened in a graphic editor and then saved. Histograms of the DCT coefficients clearly show the statistical differences between images subject to a single or double JPEG compression. The effects of double compression are especially visible in the distributions of the DCT coefficients which, after the second compression, show characteristic periodic peaks and valleys.
Error Level Analysis
Error Level Analysis is a technique used to detect image alteration by restoring the image at a certain quality level and calculating the ratio between compression levels. In general, this technique is performed on images that are in a lossy compression format such as JPEG. In JPEG images, compression is performed independently for every 8x8 pixel in the image. If the image is not altered, every 8x8 pixel in the image must have the same error rate. However, when an image is modified, the 8x8 pixels containing the modification are no longer at the same error level as the rest of the unmodified image.
 |
| Tampered image |
 |
| Error level analysis |
Error Level Analysis compares the original image to a compressed version. This can make manipulated regions stand out in various ways. For example, they can be darker or brighter than similar regions which have not been manipulated.
It is important to recognize that most methods described in this article (and most methods for detecting image forgery) only highlight aspects of the image. The evaluation is not automated and is heavily based on the observer. If an analyst does not recognize a particular artifact, then the evaluation may be inaccurate. There are digital image forensics applications that can help investigators analyze and extract information from the tampered image evidence. Below are a few examples:
Post a Comment