Amped Authenticate Updates: New Media Forensic Weapons For Detecting Fake Media

The following transcript was generated by AI and may contain inaccuracies.

Massimo Iuliani: Welcome everybody. Just a few words about me before starting. I’m not an engineer, but I studied mathematics and have a different theoretical background. I’ve worked extensively in image and video authentication topics. I worked with the University of Florence for several years on projects funded by the European Commission and DARPA, all related to authentication and reverse engineering of multimedia content.

Being in the university, I worked extensively in research and I’m co-author of several papers in peer-reviewed journals related to multimedia forensics in general. I also have experience as an expert witness in multimedia forensics in Italy. I think this was really useful for me because I was able to look at different points of view since this topic brings together scientific research and very technical issues, along with the need for people to understand and use these tools and explain them in an easy way.

Before starting, I’d like to explain why we’re making this webinar. The main issue is related to the spreading of these new technologies that allow people to create good manipulations, even if you’re not an expert. You can use text-to-image tools, ask for anything, create good manipulations, and edit specific pieces of images to create very realistic manipulations. On the other side, we really rely on our eyes and our senses to determine what is real and what is not.

Based on our experience and some tests we’ve been conducting, we’ve noticed that people are not very good at determining what is real and what is fake. Just to give you an example, here we have a couple of images. If you want to guess which is real and which is fake, you can try answering in the chat to share your thoughts. We can now create highly realistic images, but sometimes we can confuse what seems synthetic with what simply has high resolution or high detail.




Take 10 seconds to try to guess, and then we’ll see another example to build the case for why we need several tools available to determine what is real and what is fake. I see there are some answers in chat. One is real, one is fake, and don’t worry if you made a mistake because we don’t expect people to be able to guess correctly.

Let me give another example to have fun and understand how our brain works when trying to determine what is fake and what is real. We are Italian, so we like to eat good food and drink good coffee. We also need to take lots of pictures to invite you to drink and eat in our restaurants. Again, you can try to determine if they’re real or fake. I understand they look good.

We don’t really need to understand now if we are good at this or not, because these are just samples. But I think it’s good to understand how our brain works when we try to say, “Is this coffee real or is it fake?” How do we decide? Do we decide based on quality, details, resolution, contrast, or something else? As you can see, we can have very different opinions and we take time to decide. In this case, unfortunately, they are both fake. I’m sorry because they look very good.

These examples are just to show you that it’s very hard. We conducted a big test on this with 20 images, asking people—we don’t care if they are naive or extremely expert in multimedia forensics—to choose whether the image is real or not, just based on visual analysis. Here’s the result we achieved so far. As you can see, we have results from zero to 20 correct guesses, and the distribution shows that on average people get 10 out of 20, meaning half the results are correct. So it’s like flipping a coin.

This means that unfortunately, we are not very good at determining what is real and what is fake. If you think you can do something better, we would really appreciate it if you could try the test and see if you can achieve better results. You can scan this QR code, or maybe Michelle can share the link in the chat. You can take the test—it’s completely anonymous and will only store the score. Of course, we’ll provide you with your score.

It’s good to understand how good we are, and the truth is that we are not good at this task. That’s why this is our starting point: we are not good at determining what is real and what is fake. This webinar will show some new techniques that can be used to authenticate images. Since this topic is very complex, we also need some background information, so we need to show at least the basics and principles of how we work in image authentication for different cases. Then we’ll open Amped Authenticate and see examples in practice.

Of course, we will not go into all the details. I will try to find the balance between explaining the basics and principles, but we cannot go too much into detail because there’s a full week-long course on these topics. We’ll try to find the balance. Furthermore, we will see how to combine different tools to provide lots of information related to the image lifecycle, and we’ll also see how to describe and properly interpret some results that we can achieve from our forensic analysis.

Please feel free—as Michelle was saying—if something is not clear, if you’re curious, or if you want to share your experience on some topics like this, you can use the chat. Don’t worry, I will try to answer at the end.

Main Forensic Principles

Massimo Iuliani: What is the main forensic principle when we take a look at an image? If we are naive, we just look at the image content—the visual content of the image. But if we are forensic experts, we need to remember that behind the image there is a huge amount of information. The image, first of all, is a file—a digital file that has a container. It’s a package of data, and this package contains data in a structured way depending on the type of file.

Furthermore, within this package that we can imagine like a box containing things, we need a list of information related to the data, and these are the metadata. It’s like textual information related to the image content. For instance, if we acquire with a specific camera, we expect to find in this textual information the brand, the model, the acquisition date, maybe GPS coordinates, technical specifications of the lens, the firmware—lots of information that can be used to analyze the image and check the consistency between this metadata and the image content.

Then we have some more advanced information called coding information, which is what our computer needs to decode the image and read it. Image pixels are generally not stored as raw data, but we encode them in a specific way. When we double-click with our mouse, the data are decoded based on the coding information to show the image. This coding information can be customized based on the brand, model, or specific software used, so they can leave huge and relevant traces to understand the image lifecycle.

Finally, last but not least, we have the pixels—not the decoded pixels, but the encoded pixels. So it’s a data stream that is encoded based on the coding information. We have lots of information available to analyze the image. So how can we use them when we have a malevolent user that tries to edit or synthetically create a digital image?

What happens is that all this data can be modified, can be partially created, or can be partially deleted. For instance, if you modify an image with software, some metadata will be changed. If you create an image with an AI-based system, some metadata can be created based on the system you’re using. If you manipulate an image with standard software or AI-based software, afterward you need to save the image again, so you are altering the coding properties and compression parameters of the image.

Furthermore, if you modify some specific portion of the image—for instance, if you want to remove a part or an object, or you want to modify a face—you are altering the pixel statistics. When you acquire an image, the process of acquisition introduces several correlations among pixels. When you modify a portion of the image, you are altering, removing, or adding some specific artifacts or patterns. You can add correlations, remove correlations, remove sensor patterns, and so on.

Furthermore, even if we exclude digitalization and focus on the digital domain, we have to remember that an image is a 2D representation of a 3D scene. When we acquire a 3D scene onto an image, we apply some projective transformations that are subject to geometrical rules. We expect that some shapes must satisfy some rules. Shadows must be consistent according to specific rules that link the light source with the cast shadows, reflections must be consistent, perspectives must be consistent. Similarly to the previous examples we made, we are not very good at determining if the perspective is correct or if the lighting is consistent.

So we have a big world of things that we can analyze. Rather than taking a look at all these things, we’ll start from some quick cases. We will touch on some advanced tools that we released in Amped Authenticate, together with other available tools that can be combined with them to provide much more reliable information and findings on the image.

Case Study 1: Metadata Analysis

Massimo Iuliani: Let’s start. Let’s suppose that this image is provided, and this image is supposed to show a famous person at a specific moment in time. We want to use this image as evidence that this specific person was there at that specific moment. Let’s try to analyze it and determine which tools we need to use in this case.

We’d like to understand if the image is native and reliable in content—meaning it hasn’t been modified. We want to check if the metadata are reliable, so we can verify, for instance, if the image is expected to be captured from a specific camera and we see in the metadata that we will find that specific camera. Then we expect that if the image is native, we expect a specific resolution, some specific metadata, creation date, modified date, compression schemes that must be consistent with the specific brand and model, and a specific file structure from that brand and manufacturer.

How can we analyze this? Of course, we cannot have the experience of knowing all these details for all models. In Amped Authenticate, we can exploit two tools. One is to use an internal database—we have more than 14,000 images belonging to different models and reference cameras that can be compared with the questioned images. We can also use external services to download images and filter those images based on some parameters of our questioned image, to find images that should have the same structure as the questioned image, and then we can make decisions.

Let’s try. We’ll open Amped Authenticate and load our first image. Let’s go and check immediately the metadata. I go to the metadata and I can see clear traces of expected original metadata. For instance, I can find specifications of the lens, which means this belongs to an iPhone 13, and we see that this image is full of metadata.

We can also check, for instance, if the modified date and the created date are the same. As you can see here, the modify date is the same as the create date. The image is supposed to belong to an iPhone 13, so metadata seems to be consistent with a native image. But let’s go deeper.

For instance, let’s take a look at the thumbnail. We know that when you save an image, within the image itself we save other small images that can be useful when, for instance, on our computer we need to see the preview of the image. So you don’t need to decode the whole image—you have these smaller images that can be decoded for the thumbnail preview. Let’s check the thumbnail of this image. If I check this thumbnail, I can see that the content of the thumbnail that is supposed to be the same as the image content is very different.

I think this is a huge problem for the integrity of this image. Maybe the only check I would do is to verify if this could be a bug of the software. Something I can do is download through—for instance, in Amped Authenticate we can download similar images from Flickr and Camera Forensics belonging to the same model to see if this may happen. I already did this and found a few of these images, so I can load them as reference.

I can see, for instance, that in this case I have a thumbnail, and the thumbnail of course has the same content. Then I can compare the metadata again, but I don’t find something really strange. There are a few differences that should be explained, but the problem is not clear. I can do something else. If I check the EXIF data, I also notice that we have GPS coordinates, so I can try to see where this image has been taken.

It’s easy with Amped Authenticate because I can go to tools and show image location on Google Maps. I can see that this image has been captured here—we are at Budapest, so we can go here with Street View. Now this suggests something to me because if I look at the thumbnail, it seems that the content is very similar.

Let’s open again, let’s open the thumbnail, and maybe I can remove this image and I can see that here I have a river, maybe here I have a bridge, and here some stone—I don’t know what, maybe a statue. If I check again, I can see that I have the river, the bridge, and possibly the statue. In this case, I verify that the GPS coordinates and the metadata are strongly consistent with the thumbnail, that is, with this hidden content that is very different from the original content.

This result, in my opinion, at least based on my expertise, strongly supports the hypothesis that the image is not reliable at all. One explanation could be that we took an image, then we copied the metadata of another original image onto the questioned image, but by mistake we also copied the thumbnail. This would justify the fact that the GPS coordinates of the metadata are strongly consistent with the thumbnail rather than with the image content.

This is just an example of how we can combine several tools, even available tools, to determine if an image has been modified or not. In this case, we noticed that the model was compatible with some metadata that we found, we saw that the thumbnail content is different from the image content, and we verified that the GPS location was consistent with the thumbnail rather than with the image content. So we can say that the image is unreliable.

Case Study 2: AI Detection and Reflection Analysis

Massimo Iuliani: Let’s move to another case in which we try to combine available Amped Authenticate technologies with new interesting tools. Let’s say that now the question is very clear and very trendy: Is this image synthetic or is it authentic? How can we work? The dream of everybody is to have a tool where you can drag and drop the image and the tool will say, “Don’t worry, it’s synthetically generated. Period.” And you’re done. Unfortunately, it can’t work like that for several reasons.

But we can certainly use a deepfake detector to determine if there are some compatibilities in the low-level traces of the image. We can determine if we can find the footprint of some synthetic generation models. This is one key point, but there is also another point. We have reflections. Reflections are a very peculiar thing to find in an image, and based on what we were saying, this reflection must satisfy some geometric rules.

I’ll try to explain in one slide which is the principle. This is an image—an original image with an original reflection. What happens? Let’s take a look at this drawing here. We have an object that is reflected through a mirror. When you look at something through a mirror, it seems that the object is on the other side of the mirror at the same distance from the mirror. If you connect any point of the object with its mirror part, you will have lines that are all parallel because they are all orthogonal to the mirror.

When you acquire these parallel lines through your camera sensor, you have that the parallel lines will converge in the image. For those of you who are familiar with vanishing points, this is very trivial. For those who are not familiar, please think about when you drive on the street—the lines on the street are parallel in the 3D world, but if you look at them with your eyes or in your image, you will see that these lines will converge. It’s exactly the same principle.

So you have parallel lines in the 3D world, but you have a vanishing point—converging lines in the image. You expect that in this image, for instance, if you connect the ear of the girl with the reflected ear, the line connecting these two points will intersect the reflection vanishing point. This means that if I connect several points with their reflections, all these lines will intersect at the vanishing point.

This is in theory in the analog world, but since here we are in the digital world, we have that we can select a point up or down, and maybe different experts choose slightly different points. How can we solve this issue in the forensic world to guarantee repeatability? We say, “Let’s consider this hair, the edge of the hair here. Then we’d like to connect this point with the corresponding reflection point of the hair, but which one?” We select a wedge—an interval—and this determines a wedge in which we should find the reflection vanishing point.

If we do this with several points with their reflections and we intersect all the wedges, in the end we expect that the intersection of all the wedges will contain the reflection vanishing point. Yes, this image is real—sorry, I’m reading the question. It’s real, it’s just to show how it works. Indeed, in this real image, the reflection vanishing point is contained in this yellow region.

If we find a wedge that is incompatible with the intersection of all the other wedges, this means that the image is unreliable because it does not satisfy the projective requirements. A long explanation to try it on this image. Here we have a couple of tools: one very advanced tool for diffusion model detection, the second model-based for detecting the consistency of reflections in an image, and then we can combine these results.

Let’s open the second image. First, let’s open the diffusion model deepfake detector. This tool is designed to detect images that are compatible with any of the most famous diffusion models, which is the most important technology to create deepfakes. We use it, and as you can see, the system is trained on some of the most famous diffusion model-based tools for generating images like Stable Diffusion, DALL-E, Midjourney, and Flux.

Here you have a result of compatibility with any of these models, plus of course “not compatible with a diffusion model.” Since these tools are data-driven, we must remember that if a new tool comes on the market and the detector is not yet trained on it, maybe it is not able to detect that specific model. In this case, we expect that the image falls in the “not compatible with diffusion model” category, meaning that the image can be AI-based with some unknown models or can be real.

But in this case, fortunately, we see a very strong compatibility with Midjourney—it’s 0.97. We shouldn’t read this like a probability—it doesn’t mean 100%. But we can say that the tool is strongly confident that we have a huge compatibility between the questioned image and Midjourney. This is a huge clue. We’ll try to combine this with the reflection analysis, so we can open the reflection analysis.

I already started it, but we can do it together. We can restart the project. How does it work? Let’s say that we have some points that we can connect. I would say the lips, maybe the corner here of the lip. Let’s say from here, we can connect this—I don’t know—here, or maybe here. Let’s create a wedge like this.

Now we know that the vanishing reflection point should be somewhere in this wedge. Let’s do the same with other points. Maybe we can go with the eyes and start from the corner here of the eye. We can link—I don’t know—here or here. There is a question: “Is there a certain numerical range that we can trust?” Not exactly. This technology allows you to decide which is the range. If you’re unsure, you can do like this and say, “With this, I’m sure.”

Maybe we can delete this. That’s why we have wedges. So now I would say something here. I can show how to make this line because now we can choose another point. Let’s use this connection point here. I’m looking in the middle of the mouth, let’s say here. This point is the reflection of this point, but which exact point? To avoid misinterpretation, it is good to decide a wider wedge to be sure that the corresponding point is contained within it.

Now, as you can see, the system became unfeasible. Furthermore, I can keep adding points. For instance, if I select this point here, this should be connected to some point here, at some point on the external side of the ear. So maybe between here and here, but the system is already unfeasible.

Until we have a couple of points like this, we can see the feasible region, meaning that we expect the reflection vanishing point to be somewhere here. When we put too many constraints, if the image is real, we expect to have the intersection; otherwise we don’t. In this case, we can see that the reflection is technically speaking inconsistent.

This is a huge clue because although we have the deepfake detector that is sure, or almost sure, that this image is synthetically generated, if I have to go to court, on one side we have the tool that is very effective because it gives you the answer. But the inconsistency of the reflection is extremely powerful because it is model-based, it is easily explainable, and on this side is a stronger weapon to say that the image is inconsistent because it’s not data-driven, but it’s model-based.

Very useful to see how we could combine these new tools—one that is focused on AI detection, the other one that is more general, analyzes the physical inconsistency, but is also model-based and has a strong background. This specific tool—we made lots of tests, a formal description of the reflection inconsistency analysis, and these results are published also in a paper that you can find in the slides where we also discovered that different synthetic generation models have different capabilities in generating consistent shadows and reflections. So the answer is that yes, it’s fake.

Just to summarize what we understood on this example: AI-based tools, like physical-based tools, cannot really provide a probability. It’s up to our expertise to combine the results and decide which is the weight in deciding the answer. Furthermore, especially for the data-driven tools, we have to remember that if you’re taking an image from the wild, from anywhere, we should consider that the AI-based tool—the data-driven tool in general—can lack some information.

We should take care in using these results in general, while the physical-based tool is extremely effective, independent of compression, independent of the image lifecycle. If you find any inconsistency, it’s a physical inconsistency—it’s model-based, so boom, you are done. Even if it’s more generic—you cannot say it is generated with Midjourney—different tools provide different information that can be combined for an overall result.

This is just a note that we’d like to share because it’s important to be informed when we use any data-driven tools. Remember that when you have numbers that describe a confidence or a compatibility that is the output of a tool, they cannot be generally linked to probability. If we have a tool that provides 0.99, it doesn’t mean that we have a probability of almost one of something. The short answer is that we can never link this output to probability.

If you’re curious, we had a long webinar on this, so you can scan this QR code and take a look at it. It is generally recommended when we use any tools to use compatibility-related words rather than probability terms to avoid misleading results and sometimes also big mistakes. The tools work well—we have to work well also in the interpretation.

Case Study 3: Shadow Analysis

Massimo Iuliani: Let’s make another example. In this case, I would like to start from the ground truth, so we see how the manipulation is built, and then we see how to detect it. I think this is really interesting because it is good to see also how images can be created to create a really realistic manipulation.

Let’s use a text-to-image tool, which means that you have a prompt, you put a prompt and say “please imagine this,” and the tool provides you the image. I want to imagine a group of refugees facing the sun, and here’s the result. But now let’s say I want to modify the information within this image, so I’m not satisfied, and I add the prompt: “Please add a tent in the upper left corner of the image.” And the tool adds the tent.

I’m not satisfied yet, maybe with the identity of the person in the center, so I ask, “Please add a woman in the middle with a different dress.” And boom. Now this is the fake image. We don’t care exactly what we’d like to explain with this image. How can we analyze this? Of course, by using a deepfake detector, but also in this case I can notice that we have shadows. Here you can see these people with cast shadows, and also the woman has a cast shadow here.

Can we again combine deepfake detectors with shadow analysis? Let’s go and check this out. Again, I will try in one slide to explain how this works. The main principle is that if we have a light source and then we have objects, the cast shadows are built in a specific way. If you connect the light source with any point, the connecting line will also intersect the corresponding point of the cast shadow.

Why is this very useful? Because if you link a point with its corresponding point of the cast shadow, the line will also intersect the light source. If you do this with several points and their corresponding cast shadows, in the end you expect that their intersection in a real image will intersect at the light source.

This is a very trivial case in which we connect cast shadows with the corresponding points, and as you can see, we almost get the light source. This is useful similarly to reflection because it is explainable, it is model-based, and it’s also immune to compression because even if you have a very low resolution image or strongly compressed image, this is a geometrical property. This means that it still stands after the compression.

Let’s make an example of how it can be used to detect the fakes. For instance, if you have a real image, again, similarly to reflection, we’re not using lines, but we are using wedges to avoid misinterpretation or disagreement among experts. Here you can see that the region contains the light source.

Let’s take this Midjourney image. If we consider the people and their corresponding cast shadows, if you intersect the wedges, you can find an intersection. So in some way, Midjourney is creating a sort of consistency in this image between shadows. Fortunately, Midjourney still doesn’t know that the light source should be in this intersection, so in this case we can conclude that the image is not reliable.

In this case, I’m not opening Amped Authenticate to save a bit of time, but if you analyze the cast shadows—you create the wedges here and here—you will find that there is no region. Again, in this case we have two different tools: the physical-based tool that is saying the image is not reliable, plus the deepfake detection tool that is saying that the image is a deepfake.

Maybe we can check what Amped Authenticate says about this image. As you can see, the image is strongly compressed here. I think this is not the original image, but it’s a recompressed version. Let’s see if we are lucky, meaning that Amped Authenticate still finds traces of synthetically generated images. As you can see, it finds high compatibility with Flux.

So on one side we have a strong hint that the image is synthetically generated or manipulated, together with a model-based tool that is strongly effective in giving reliability to your results. I see a long question—maybe I will read it later. Is that okay for you? A lot of questions. Please give me some minutes so I will close and then we’ll try to answer them.

Since this webinar is more designed to understand how we can use tools and advanced tools, if you want, you can check on the blog for other tricks to spot deepfakes. You can scan this QR code because there are several bugs that can allow us to detect if an image is generated by a specific architecture because they have some specific defects.

Case Study 4: Compression Analysis

Massimo Iuliani: Let’s make one last example that is related to checking integrity of an image. We have this image and we are asked to determine if the image is camera native or it has been processed in some way. Is the content reliable or not? Again, here I would like to show you another advanced but very generic tool.

We need another piece of theory that we’ll try to summarize in one slide. When you acquire an image—when you click on your smartphone—several things happen in your camera. The 3D world passes through the lenses, the optical filter, a color selection pattern. Then the image is digitalized, so we have sampling, we have interpolation of the colors, we have in-camera software processing, we have a specific compression pattern, we add specific metadata and so on. In the end we have our image.

Why is this important? Because all these pieces leave specific clues in the digital image that can be used to verify if the image is native or not. If the image is native and it has never been touched, we expect to find exactly those traces. If you modify the image in any way, you will apply some additional processing. For instance, you remove something, so you’re changing the statistics there, or you are resampling the image, or you are adding things, or you’re cloning things in the image, or you’re changing a face.

So you’re processing a part of the image, changing the statistics of the pixels, changing maybe the perspective if you’re changing the position of some objects. Then you need to save the image again, meaning that you’re applying further compression to the image. This means that you are partially deleting the traces of the original image and you are adding some specific clues that are related to your processing and to the manipulation itself.

During this process, we delete original traces and we add some other traces. This is extremely useful to check the image integrity, especially because if you manipulate an image and you compress it again, you have an image that has been subjected to compression because you acquired it, then manipulation, then compression. When you have a manipulation between two compressions, we don’t care if you use the most reliable and effective AI-based tools—there are some technologies that allow you to spot it independent of the technology.

Let’s check how it works. Let’s open Amped Authenticate and let’s load this last example. Of course we can try to visually analyze this image. I see here something strange, but I don’t rely on my eyes. First of all, we go to the metadata. First, the file format and Amped Authenticate quickly give me some hints on where to start.

The first thing to be noticed is that the create date is different from the modified date. This is immediately a hint that the image is not native, but we know metadata can be unreliable. But let’s start from here. Then we see that the image is expected to belong to a Google Pixel 7A. We have an unexpected compression scheme.

Let’s open the compression schemes. Here, Amped Authenticate provides, based on the database that we have available, which compression schemes are compatible with the one of the questioned image. We have thousands of images belonging to several models, and we find compatibility in the compression scheme between the questioned image and these models here.

As you can see, we can also find here a Google Pixel—a Google Pixel 4 XL. We don’t have in the database Google Pixel 7A yet, but it seems that the compression scheme is compatible with the Google Pixel. So the compression is compatible with the Google Pixel, but the image has been processed after the acquisition. What could be the reason?

Let’s take a look at the metadata. Of course, the analysis could be longer if you don’t know where to look. Let’s take a look at the metadata and—oh, here I see “Edited with Google AI.” So this is a hint that either within the camera or after the modification, the image has been processed in some way. We don’t know exactly what happened, but we have now two hints that the image has been processed.

Maybe it has been processed with Google AI, we don’t know, but if it has been processed after the acquisition, it means that the image has been compressed twice. If it has been compressed twice, we expect to find some anomalies. Of course, we would need the full course to understand which anomalies we should find, but I will show you and quickly explain.

When we look at an image in the frequency domain, we can see this kind of plot. When the image is compressed twice, we expect that this plot exposes peaks and valleys like here. As you can see, we have peaks, valleys, peaks, valleys. So it’s exactly what I expect when I see an image that has been compressed twice. This is another strong hint that the image has been compressed twice.

So we are building the story: the image has been acquired, then since the modified date is after the create date, it means that something happened, maybe with Google AI because we’re reading the metadata, and then the image has been compressed again. So we have two compressions, and this is confirmed by the analysis of this DCT plot.

If it has been manipulated in the middle, we can use a tool that localizes manipulation when an image has been compressed twice. Remember, I don’t care if you used AI or not, because this tool analyzes the inconsistency between the two compressions. It is robust to any AI technology in this sense. Let’s try to use it—it’s the ADQ JPEG tool.

Boom. Very clear. We can find a piece of the image with a compression scheme that is completely inconsistent with the rest of the image. If we swap—now, maybe now that I have the hint of the software, maybe I can go and visually see if I see something strange. I have to say that visually speaking, I cannot see—yeah, maybe here I can see some traces of compression, some edge, some strange edge. But I couldn’t say that this is manipulated from these edges.

But fortunately, this tool that is very effective, especially when the compression quality is high, exposed that the image has been likely processed in this part. Again, here we combine things to reach an explanation of the lifecycle of the image.

Just to summarize, we analyzed metadata and saw that Google AI was used and that the image was modified because we have a modified date after creation date. The frequency analysis revealed traces of double compression, and then the manipulation was detected through the ADQ JPEG tool. We also found the original image, and as you can see, we have this thing here.

This case is very interesting because we were able to determine even a small manipulation. This is not always the case—of course, it depends on several factors. In this case, the manipulation was made after the acquisition through some internal software within the smartphone. We didn’t go outside of the smartphone, but please remember that we’re starting to see that AI processing sometimes happens inside the camera.

Within your click, you also have some AI-based processing. That’s why we shouldn’t rely only on tools, but we also have to use our knowledge to understand the background information and see what to expect.

I’ll just give you a couple of examples. One is this Samsung phone that uses super resolution and scene optimizer where you get an image like this that you see here, but then the optimizer provides a very detailed image. Are these details real? Who knows? It’s not the topic of this webinar, but it’s something that we should consider with attention.

Another clear example is again Samsung Galaxy S21 S23 with this remastering feature. We got this picture and then the tongue was changed into teeth. Of course this is a change of the meaning of the content, but the image technically speaking is camera native. What is the boundary between integrity and authenticity? It’s something we should consider because this boundary is getting thinner and thinner.

Summary and Conclusions

Massimo Iuliani: Just to summarize what we did, we analyzed a number of cases, and we saw that each case required some specific weapons. Fortunately, Amped Authenticate is well equipped and we keep updating it with the most advanced tools. We saw cases in which, for instance, we found inconsistencies between the metadata and the image content because we had hidden content with GPS coordinates that were consistent with the hidden content but not related to the image content.

We saw cases in which deepfake detectors can be used and combined with physical-based detectors to spot that the image is completely unreliable because they were synthetically generated and manipulated. We also saw that format analysis in the last case could reveal AI traces and we could also spot the manipulation. I think it’s important to note that the last case was very useful because we used a tool that is not explicitly designed for AI to detect AI, but can detect any manipulation—AI-based or not—when the manipulation is done within compression.

So it can be used in several cases. If you are thinking, “Do I really need all this technology?” If you didn’t make it yet, do the deepfake detection test, try to visually detect deepfakes, and then if you get 20 out of 20, yes, you are our expert. Thank you very much.
