by Jade James
Digital image forensics is a niche branch of digital investigations, and its tools aim to support ‘blind’ investigations. Amped Authenticate is a software package designed for forensic authentication and tamper detection on digital photos. Authenticate is used by forensic labs, LEAs, governments, the military and security organisations. Using a scientific workflow driven by forensic needs, Authenticate comprises multiple tests, procedures and reporting all in one package.
Many forensic investigations rely on the production of images to support the facts of the case. Therefore, image reliability and authenticity are crucial. Using Amped Authenticate allows the investigator to determine the authenticity of images; detect areas that have been tampered with; and identify the camera used to shoot the photo using camera ballistics. It is also possible to analyse multiple images with batch tools.
There are different kinds of analysis an investigator can perform using Amped Authenticate. For example, file format analysis carries out processing to determine if an image is camera original. Global analysis looks for indicators of global modifications such as resizing or resaving. Local analysis looks for local modifications that are only found in a specific area of the image, for example, the addition or subtraction of an object or person. Camera identification applies sensor identification tools to verify that an image has been taken by a certain camera or device.
Installing and running Amped Authenticate is simple: there is no need to install extra add-ons, plugins or drivers. I was provided with an electronic license and found it easy to set this up with the software. Most common image formats are supported, such as JPEG, TIFF, Bitmap, PNG, TGA; some uncommon formats are also supported.
When a user first launches Amped Authenticate, they are presented with a basic home screen, with toolbars at the top and side of the screen. The user can add an evidence image and a reference image to start analysing. The evidence and reference image panels have the same functions: for example, loading the first image in the folder, clearing the evidence/reference file, and many more. It is possible to swap how the images are viewed in the output panel, and the zoom can also help the user to identify something of importance on first visual inspection.
The Filters panel is where the user can apply the different filters and carry out processing of their images. Some of the filters can be configured by the user, while some are pre-set. It is also possible to add or remove filter configurations in this panel.
The overview section provides the opportunity to have an initial glance at the reference image, without any processing or applied filters. An Evidence-vs-Reference comparison is available in most tabular filters. This notifies the user when a value (e.g. image resolution, acquisition date, file size, etc.) is different between the evidence and reference images. If this is the case, the word “Different” will appear in the “Comparison” column. Sometimes the word “Different” can be colored, so as to distinguish “relevant” differences (e.g. images have different pixel resolutions) from “innocuous” differences (e.g. it’s normal that the capture date is different).
The File Format filter checks many properties of the image, independently of the availability of a reference image. When it detects a property that is rarely found in camera original images, a red warning is presented, while orange warnings indicate that the feature is not typical of a camera original image or that something deserves the user’s attention.
The file analysis filters do not process pixels, but instead format features and metadata. The JPEG filter displays the sequence of JPEG tags in a binary stream. If two JPEGs have been taken by the same device, these tags should be similar. The Hex Viewer is another quick filter which will allow the user to identify differences in two JPEG images and search for an offset, string of hex or ASCII.
The EXIF filter presents all the useful metadata such as camera make, model, settings, times and dates. EXIF data can be altered, so it would not be wise to solely base a case on the reliability of EXIF, but I was able to verify some of the results my case returned, such as GPS coordinates.
JPEGs are often referred to as having ‘lossy’ compression. During JPEG compression the image is divided into blocks of 8 x 8 pixels and each block goes through the Discrete Cosine Transform (DCT); quantization happens after the DCT step. The JPEG QT filter available in Amped Authenticate further allows the user to compare JPEG features. It is also possible to save the evidence and reference QTs to the database, and to review existing QTs in the database, in which there are approximately 14,875 quantization tables.
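To make the JPEG tag sequence and the quantization table (QT) comparison described above concrete, the following added example (not Amped Authenticate's code and not from the original review) walks the header segments of a JPEG up to the start of scan and extracts its tables. The function names, the "Same"/"Different" labels and the header-only sample files are assumptions constructed for illustration.

```python
import struct

# Names for the markers that matter most when comparing file structure.
NAMES = {0xD8: "SOI", 0xE0: "APP0", 0xE1: "APP1", 0xDB: "DQT", 0xC0: "SOF0",
         0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS", 0xD9: "EOI", 0xFE: "COM"}

def parse_dqt(payload):
    """Split one DQT payload into {table_id: 64 values in zigzag order}."""
    tables, i = {}, 0
    while i < len(payload):
        precision, table_id = payload[i] >> 4, payload[i] & 0x0F
        size = 128 if precision else 64          # 16-bit or 8-bit entries
        raw = payload[i + 1:i + 1 + size]
        if len(raw) != size:
            raise ValueError("truncated quantization table")
        tables[table_id] = struct.unpack(">64H" if precision else "64B", raw)
        i += 1 + size
    return tables

def parse_jpeg(data):
    """Return (marker sequence up to SOS, quantization tables)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    seq, tables, pos = ["SOI"], {}, 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"no marker at offset {pos}")
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        seq.append(NAMES.get(marker, f"0x{marker:02X}"))
        if marker == 0xDB:
            tables.update(parse_dqt(data[pos + 4:pos + 2 + length]))
        if marker == 0xDA:                       # compressed scan data follows
            break
        pos += 2 + length
    return seq, tables

def compare(evidence, reference):
    """Evidence-vs-reference check on marker order and quantization tables."""
    (seq_e, qt_e), (seq_r, qt_r) = parse_jpeg(evidence), parse_jpeg(reference)
    return {"markers": "Same" if seq_e == seq_r else "Different",
            "quantization": "Same" if qt_e == qt_r else "Different"}

def segment(marker, payload):                    # helper for constructed samples
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def sample(app_marker, scale):
    """Constructed header-only JPEG skeleton, not a real photograph."""
    table = bytes(1 + k * scale for k in range(64))
    return b"\xff\xd8" + b"".join(segment(m, p) for m, p in [
        (app_marker, b"\x00" * 14), (0xDB, b"\x00" + table),
        (0xC0, bytes(11)), (0xC4, bytes(17)), (0xDA, bytes(8))])
```

Calling `compare(sample(0xE1, 1), sample(0xE0, 2))` reports both the marker order and the quantization tables as "Different", the kind of structural mismatch that suggests a file was resaved by other software.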
When an image is uploaded to a social media platform, it will go through certain changes. For example, the image may be renamed, resized, stripped of metadata (including the EXIF data) and recompressed.
Likewise, downloading an image means it will go through certain changes. Amped Authenticate can identify whether an image has been downloaded from 10 different social media platforms (Facebook, Flickr, Google+, Imgur, Instagram, Telegram, Tinypic, Tumblr, Twitter and WhatsApp) using signature analysis. Users can also add other images from these or other social media platforms to create their own database.
Sensors can have defects, making them produce “noise” in pixel values. This noise can result from pixel defects, fixed pattern noise (FPN) and photo response non-uniformity (PRNU). PRNU is a pattern that is present in images, and this pattern is unique to a specific sensor. The PRNU pattern is present in every image made by a specific sensor.
Using the PRNU and other image ballistics techniques, Authenticate will detect the noise made by the sensors and compare it to a reference pattern from the database. Users can also choose to compare the PRNU pattern of the evidence with a reference image. There is a pre-set threshold of 45; if the image meets this threshold, then this would mean that it was most likely taken with the specific camera in question. The threshold can be customized in the Program Options. Reference patterns are added to the database via the examination of images from different sources.
The software by default uses 50 images from a reference device to calculate the reference pattern. There is also an option to ‘Analyze all images in Evidence Folder’, which is great because it returns a table of PRNU Analysis results with the same values as before (Compatibility, PCE value, Threshold, Best Match, Cropped Region and CRP MD5), but on a larger scale.
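The sketch below is an added example, not Amped Authenticate's implementation, showing how a PCE (peak-to-correlation energy) value can separate a matching sensor from a non-matching one when a reference pattern is averaged from 50 images. It uses a common textbook formulation of PCE on constructed 16 x 16 noise residuals; real PRNU work extracts residuals from photographs with a denoising filter, which is skipped here, and all names are hypothetical.

```python
import random

SIZE = 16            # constructed 16x16 residuals keep the pure-Python run fast
THRESHOLD = 45       # pre-set PCE threshold quoted in the review

def noise(rng, sigma=1.0):
    return [rng.gauss(0, sigma) for _ in range(SIZE * SIZE)]

def residual(pattern, rng):
    """Constructed noise residual: sensor pattern plus random per-shot noise."""
    return [k + n for k, n in zip(pattern, noise(rng, 0.5))]

def reference_pattern(pattern, rng, count=50):
    """Average the residuals of `count` images from one device."""
    total = [0.0] * (SIZE * SIZE)
    for _ in range(count):
        total = [t + r for t, r in zip(total, residual(pattern, rng))]
    return [t / count for t in total]

def xcorr(a, b, dy, dx):
    """Circular cross-correlation of two residuals at shift (dy, dx)."""
    return sum(a[y * SIZE + x] * b[((y + dy) % SIZE) * SIZE + (x + dx) % SIZE]
               for y in range(SIZE) for x in range(SIZE))

def pce(evidence, reference, exclude=2):
    """Aligned peak squared, divided by the mean energy away from the peak."""
    peak = xcorr(evidence, reference, 0, 0)
    off = [xcorr(evidence, reference, dy, dx) ** 2
           for dy in range(SIZE) for dx in range(SIZE)
           if min(dy, SIZE - dy) > exclude or min(dx, SIZE - dx) > exclude]
    return peak * peak / (sum(off) / len(off))

def demo(seed=7):
    rng = random.Random(seed)
    cam_a, cam_b = noise(rng), noise(rng)        # two constructed sensor patterns
    ref_a = reference_pattern(cam_a, rng)
    scores = {"from A": pce(residual(cam_a, rng), ref_a),
              "from B": pce(residual(cam_b, rng), ref_a)}
    return {name: (round(v, 1), v >= THRESHOLD) for name, v in scores.items()}
```

`demo()` returns each evidence image's PCE together with whether it meets the threshold: the image from sensor A scores far above 45 against A's reference pattern, while the image from sensor B stays below it.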
A JPEG Ghost describes an original image which has been compressed with a different JPEG quality. This can either affect the whole image, or be localised to a specific area of the image. This filter was designed to detect whether any areas in an image have different compression quality.
Image compression quality is estimated, then the image is recompressed with that quality in mind. Statistical distribution and the Kolmogorov-Smirnov test are also used to calculate results.
The Noise Map will allow the user to view noise inconsistencies in an image. As you can see from the image, I used the iPhone app ‘Focus’ to blur areas on the face in the picture. With the filter, you are able to clearly see these areas, but also notice that the noise in general has changed in the reference image. The ‘4-4’, ‘4-8’ and ‘4-16’ filters are in relation to the DCT size and the Filter Block size.
Batch processing allows the user to process all the images in the evidence folder. The user can also choose whether to process the images against all the filters and their configurations, or just to select a few for processing. The more images and filters you select, the longer the processing will take.
Once the processing is complete, the user will be provided with all the images from the filters and a link to view the images in a web browser. The report produced by batch processing provides a comprehensive breakdown of every filter.
Batch File Format Analysis and Comparison quickly inspects the images. It then outputs either the details of the format in a table, or compares the file formats of all the images in the same folder as the evidence image.
Smart Reporting is an excellent feature of Amped Authenticate. A Smart Report is generated in HTML format, complete with hyperlinks, to help the user to easily navigate around the report. Images are separated into ‘likely to be camera original’, ‘images with suspect metadata but no trace of forgery’, and ‘images with traces of possible forgery’. The generation of a Smart Report is much faster than Batch Processing, because it only includes images with suspect metadata that have been processed with localisation filters.
Amped Authenticate is simple to navigate and provides an intricate analysis of the images associated with a case. Those without a background in digital image forensics may struggle to understand the results in full; however, Authenticate gives enough of an overall picture to allow any digital forensic investigator to understand which results need to be explored in more detail.
In the past, digital forensic investigators would have to carry out separate procedures to process images related to their cases. This can be time-consuming and often would be unverifiable as the process could not be repeated. With Amped Authenticate, various types of processing are all available in one tool, which is remarkable.
This is definitely a tool for investigators who deal with image verification and tampering on a daily basis, for example in an audio/visual laboratory; its specialised nature makes it less suitable for entry-level investigators, but a valuable piece of kit for anyone who specialises in the audio-visual field.
Jade James BSc (Hons) is currently a Cyber Security and Forensics Postgraduate Student. She has previous professional digital forensic experience from working at the UK’s Serious Fraud Office, IntaForensics, the Home Office Centre for Applied Science and Technology and the City of London Police. Jade has experience of conducting computer and mobile device examinations as well as drone forensics, and has been involved with ISO 17025 & Quality Standards both as a digital forensic practitioner and quality manager.