Does a Digital Imag...
 
Notifications
Clear all

Does a Digital Image be altered?

7 Posts
4 Users
0 Reactions
710 Views
xiasangju
(@xiasangju)
Active Member
Joined: 19 years ago
Posts: 10
Topic starter  

Without the original photo in hand, in what way to verify if a digital photo has been altered or edited by image editing software, such as photoshop CS?


   
Quote
(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

I'd start by opening the image in a hex editor. By looking at the first few bytes you'll get to see file header. Generally after this you'll see some camera information. Heres the header I see from my Sony DSC P100

00000000h FF D8 FF E1 3B 20 45 78 69 66 00 00 49 49 2A 00 ; ÿØÿá; Exif..II*.
00000010h 08 00 00 00 0B 00 0E 01 02 00 20 00 00 00 92 00 ; ………. …’.
00000020h 00 00 0F 01 02 00 05 00 00 00 B2 00 00 00 10 01 ; ……….²…..
00000030h 02 00 09 00 00 00 B8 00 00 00 12 01 03 00 01 00 ; ……¸………
00000040h 00 00 01 00 00 00 1A 01 05 00 01 00 00 00 C2 00 ; …………..Â.
00000050h 00 00 1B 01 05 00 01 00 00 00 CA 00 00 00 28 01 ; ……….Ê…(.
00000060h 03 00 01 00 00 00 02 00 00 00 32 01 02 00 14 00 ; ……….2…..
00000070h 00 00 D2 00 00 00 13 02 03 00 01 00 00 00 02 00 ; ..Ò………….
00000080h 00 00 69 87 04 00 01 00 00 00 02 01 00 00 A5 C4 ; ..i‡……….¥Ä
00000090h 07 00 1C 00 00 00 E6 00 00 00 04 09 00 00 20 20 ; ……æ…….
000000a0h 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;
000000b0h 20 20 20 20 20 20 20 20 20 20 20 20 20 00 53 4F ; .SO
000000c0h 4E 59 00 00 44 53 43 2D 50 31 30 30 00 00 48 00 ; NY..DSC-P100..H.
000000d0h 00 00 01 00 00 00 48 00 00 00 01 00 00 00 32 30 ; ……H…….20

If I take this image and save it via MS Paint as a JPEG - it has the header below

00000000h FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 ; ÿØÿà..JFIF…..`
00000010h 00 60 00 00 FF E1 3A F6 45 78 69 66 00 00 49 49 ; .`..ÿáöExif..II
00000020h 2A 00 08 00 00 00 12 00 0E 01 02 00 20 00 00 00 ; *……….. …

The initial few bytes have been changed and it gives an indication that the original EXIF has been changed. If the image isnt saved as RAW, it will most likely be saved as JPEG with the Exif data included. If you find you're dealing with a GIF image chances are it was saved with an image processing app, but you cant assume this was due to alterations being made.


   
ReplyQuote
(@walkabout_fr)
Trusted Member
Joined: 19 years ago
Posts: 67
 

Exif will give you some idea of the modification of a picture, but you can't always rely on it

- Some cheap digital cameras do not add exif data (the picture will look altered when it will be original)
- Some software allow to modify a picture while keeping intact the exif metadata. On some basic software such as photofiltre, it's even the default setting.

There are more accurate technics looking at the content of the file.
Good place to start is http//www.hackerfactor.com/blog/index.php?/categories/1-Image-Analysis

There are links to very interesting articles including a great demo at black hat 07 and a working software which I havn't tested but which is supposed to highlight part of a picture that have different error levels and might have been modified.

All this won't give you a quick and easy answer to your practical problem, but it will certainly keep you busy (entertained ?) for a few hours …

Cheers !


   
ReplyQuote
xiasangju
(@xiasangju)
Active Member
Joined: 19 years ago
Posts: 10
Topic starter  

For the articles and demo at black hat 07, are you referring to the presentation by Dr. Neal Krawetz?


   
ReplyQuote
xiasangju
(@xiasangju)
Active Member
Joined: 19 years ago
Posts: 10
Topic starter  

Some more discussion is found here

http//www.securityfocus.com/archive/104/487505/30/0/threaded


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

There's no more information at that link. You simply reposted the request that you put up on the Forensics list to another forum after I suggested that you look at this forum for guidance.

-David


   
ReplyQuote
xiasangju
(@xiasangju)
Active Member
Joined: 19 years ago
Posts: 10
Topic starter  

I think you need to wait some more time to allow the forum update the replies. As I have subscribed the list, I've got some helpful comments by emails.


   
ReplyQuote
Share: