One of the most palpable concerns about digital media is whether it can be trusted. One of the topics that I am researching and writing about in my PhD is the authentication of digital media. In this article, I provide an overview of passive forgery detection techniques. I have not included academic and technical references due to space and formatting limitations. See my previous article for an overview of active forgery detection techniques.
As earlier noted, image alteration detection consists of active and passive techniques. While active techniques require prior knowledge of the image’s content and metadata to determine whether alteration has occurred, passive techniques do not require prior knowledge of image content and metadata. These techniques focus on determining whether an image has undergone forgery operations such as copy-move or spatial alterations of image content.
In the International Criminal Court atrocity crimes context, it is unlikely that investigators and forensic imagery specialists will have access to original images, thus negatively impacting their ability to utilize active detection methods such as digital signatures and watermarks. This limitation also applies to many domestic investigations, especially considering that increasing amounts of digital media emanate from social media and other open source repositories. As a result, passive forgery detection techniques employed by forensic imagery specialists are the preferred approach for determining image authenticity as these techniques do not require information from the original images, nor do they require digital signatures or watermarks from the original images. Passive detection techniques are premised on the assumption that while digital forgeries may leave no obvious visual alteration clues, the metadata may reveal such activity, as might subtle inconsistencies within the visual image, and these techniques exploit this intrinsic image information and visual content.
Passive forgery detection involves examining the metadata of a digital image. Digital video consists of a series of individual digital images that are previously encoded and then encapsulated in a multimedia container. Digital video typically operates at a frame rate of twenty-five (PAL standard) or thirty frames per second (NTSC). One minute of digital video at a full frame rate therefore consists of 1,500 or 1,800 images. A small percentage of those images are original or reference images, with the majority being predictive images. Altering digital video without the benefit of AI and the machine learning associated with deepfakes is a laborious task, and therefore manually altering a single image is more feasible. Image metadata can be a repository of valuable information including resolution, aspect ratio, camera make and model, GPS coordinates, and date and time. Metadata also allows for the reverse engineering of digital images to detect alterations, such as using the audit trail and history log in Adobe Photoshop CS, which reveals the image processing steps taken after the image was initially recorded. Metadata analysis can reveal evidence of image cropping, image splicing, date and time, and inconsistencies in location, amongst other image-specific data. Given that metadata is typically stripped away upon uploading to social media and other open source internet sites, forensic imagery specialists must examine the digital clues that remain in an attempt to assess an image’s integrity and authenticity.
Passive forgery detection also relies upon anomalies in image content to detect manipulation. For example, examining images for inconsistencies in light and shadows and pixel incongruencies can be revelatory of copy-paste and cloning alterations. This level of analysis initially focuses on detecting less sophisticated alterations in images, such as excising or duplicating frames, splicing, and copy-pasting components of the original image and placing them elsewhere in the image. However, high image compression ratios may adversely affect existing footprints so that the image processing history may be undetectable. These challenges are more acute when digital media is uploaded to social media and other open source sites where additional compression is applied. Collectively, this loss of valuable data impacts the ability of experts to assess image integrity and authentication.
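To make the cloning check and its sensitivity to recompression concrete, here is an added example (not from any tool named in this article) that searches a constructed grayscale image for identical pixel blocks sharing one displacement. The block size, the pair threshold and the pixel perturbation standing in for lossy compression are assumptions chosen for illustration.

```python
# Added example: exact-match block search for copy-move (cloning) on a
# constructed grayscale image. Sizes and thresholds are assumptions.
import random
from collections import Counter, defaultdict

BLOCK = 4  # side of the sliding block in pixels (assumed)

def make_image(w=32, h=32, seed=7):
    """Constructed test image: random texture, so natural repeats are unlikely."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(w)] for _ in range(h)]

def clone_region(img, src, dst, size):
    """Build a test case: copy a size x size patch from src to dst."""
    out = [row[:] for row in img]
    (sx, sy), (dx, dy) = src, dst
    for j in range(size):
        for i in range(size):
            out[dy + j][dx + i] = img[sy + j][sx + i]
    return out

def find_clones(img, min_pairs=10):
    """Return {(dx, dy): pairs} for shifts shared by many identical blocks."""
    h, w = len(img), len(img[0])
    seen = defaultdict(list)
    for y in range(h - BLOCK + 1):
        for x in range(w - BLOCK + 1):
            key = tuple(img[y + j][x + i]
                        for j in range(BLOCK) for i in range(BLOCK))
            seen[key].append((x, y))
    shifts = Counter()
    for positions in seen.values():
        for a in range(len(positions)):
            for b in range(a + 1, len(positions)):
                (x1, y1), (x2, y2) = positions[a], positions[b]
                shifts[(x2 - x1, y2 - y1)] += 1
    # One stray match is noise; many blocks with the same shift is a clone.
    return {s: n for s, n in shifts.items() if n >= min_pairs}

def recompress(img, seed=1):
    """Crude stand-in for lossy recompression: nudge each pixel by -2..2."""
    rng = random.Random(seed)
    return [[min(255, max(0, p + rng.randint(-2, 2))) for p in row]
            for row in img]
```

The exact-match search reports the cloned patch's displacement on the pristine forgery and nothing once the pixels have been perturbed, which is the footprint loss described above.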
Forensic imagery specialists may also employ software programs designed to detect image alteration. Amped Authenticate is frequently used to examine the processing history of an image, with a view to determining whether an image is the original or an altered version, and what device created the image. It also permits the batch analysis of multiple images at the same time. University of California at Berkeley professor and digital forensics expert Hany Farid developed a computer program that will automatically detect cloning (duplication) within an image. Further, since lighting and shadow differences can indicate image alteration, he also developed a program that automatically estimates the direction of the illuminating light source. Researchers have developed a method that analyzes the intrinsic structure of multimedia containers for the purpose of verifying the integrity and authenticity of videos in MP4, MOV and 3GP formats. This method reportedly determines the brand of mobile device that generated the video, the social network or instant messaging application that was used to transfer it, and the editing program that was used to alter the images. Even in the absence of visual clues, forgeries alter metadata, and these changes are detectable. To be most effective, image forgery detection software should be passive, requiring no information about the original image nor access to any digital signatures or watermarks. Along with active and passive techniques, deep learning may also play a role in detecting forgeries. Researchers advise that countermeasures are likely to be developed for most detection methods, but as more authentication methods are developed, it should be increasingly difficult to alter images in ways that escape detection.
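The container-structure approach mentioned above can be illustrated with an added example, which is not the researchers' method or code: it reads the top-level boxes of an MP4/MOV/3GP file and returns the major brand plus the box order as a structural fingerprint. The two sample byte strings are constructed for the example and do not represent any real device or application.

```python
# Added example (not from the article): fingerprint an MP4/MOV/3GP file by
# its top-level box layout. Sample byte strings below are constructed.
import struct

def box(kind, payload=b""):
    """Build one box: 32-bit big-endian size, 4-byte type, then payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def parse_boxes(data):
    """Return [(type, offset, size)] for top-level boxes; reject bad sizes."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError(f"truncated box header at offset {pos}")
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                      # 64-bit size follows the type
            if len(data) - pos < 16:
                raise ValueError(f"truncated 64-bit size at offset {pos}")
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                    # box runs to end of file
            size = len(data) - pos
        if size < header or pos + size > len(data):
            raise ValueError(f"bad box size {size} at offset {pos}")
        out.append((kind.decode("latin-1"), pos, size))
        pos += size
    return out

def fingerprint(data):
    """Major brand from 'ftyp' plus the order of top-level boxes."""
    boxes = parse_boxes(data)
    brand = None
    if boxes and boxes[0][0] == "ftyp" and boxes[0][2] >= 12:
        brand = data[8:12].decode("latin-1")
    return brand, [kind for kind, _, _ in boxes]

# Constructed samples: a reference recording and a re-saved copy of it.
REFERENCE = (box(b"ftyp", b"mp42" + bytes(4) + b"mp42isom")
             + box(b"mdat", bytes(64)) + box(b"moov", bytes(40)))
RESAVED = (box(b"ftyp", b"isom" + bytes(4) + b"isomiso2")
           + box(b"moov", bytes(40)) + box(b"free", bytes(8))
           + box(b"mdat", bytes(64)))

if __name__ == "__main__":
    print(fingerprint(REFERENCE))
    print(fingerprint(RESAVED))
```

A questioned file whose fingerprint differs from that of a reference recording from the claimed device has been rewritten by some other software, even when its visual content looks untouched.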
Beyond using software, metadata, and content analysis to authenticate images, the visual content of geospatial images may be corroborated by viva voce evidence, documentary evidence, media reports, open source data, expert evidence, geolocation, landform and structure identification, and other evidence. Utilizing geolocation sources such as satellite images obtained from Google Earth, Google Maps, Bing Maps, Terraserver, and other satellite sources, and drone imagery, may also permit the circumstantial corroboration of otherwise unauthenticated images. Through this method, a proven image can be the linchpin for authenticating images that are otherwise not independently verifiable. The date and time an image was recorded may be approximated by chronolocation or shadow analysis, weather consistencies, etc. It is also possible to reverse search some images to determine their origin. Collectively, these passive forgery detection and authentication methods can be quite useful in either detecting evidence of forgery or confirming authenticity. Two additional approaches to image authentication are worthy of mention: dedicated smartphone applications and phylogeny. These will be discussed in a later article.
Assessing the authenticity of digital media is essential, not only as a matter of admissibility, but as part of the pursuit of the truth. Counsel and the court must be confident that they can rely upon the images tendered and the findings of fact based upon them. Forensic imaging specialists should not assume that media is trustworthy – they should conduct a technical examination to determine trustworthiness and be prepared to testify as an expert witness in court.