Return to Digital Photography Articles
JPEGsnoop - Identifying Edited Photos
by Calvin Hass © 2009
Details regarding the use of JPEGsnoop to detect edited photos
Ever wondered if that UFO photo or sasquatch sighting is a fake? ... or if that camera manufacturer's sample images have been touched up?
Simply open an image in JPEGsnoop and scroll down to the section titled, *** Searching Compression Signatures ***. This option can be enabled/disabled with the Signature Search item in the Options menu.
The utility will compare the compression characteristics of the photo against an internal database of thousands of camera "signatures" to locate a match. If a match is found, the matching digital camera or editor is shown. If the signature matches a photo editor (such as Photoshop), then there is a good chance that the photo has been edited (i.e. not original!).
The assessment line indicates one of four possible outcomes:
- Class 1 - Image is processed/edited
- Class 2 - Image has high probability of being processed/edited
- Class 3 - Image has high probability of being original -- NOTE: Please see description below!
- Class 4 - Uncertain if processed or original
|Image is Authenticated as very likely original|
What is "Original"? How confident can we be?
It is virtually impossible for any software to ever guarantee with absolute certainty that a file or image has not been modified in some way. Even files that have an integrated cryptographic hash (eg. SHA-1 or MD5) could theoretically be altered to give a false positive integrity check, albeit unlikely. Apart from the use of cameras providing tightly-integrated authentication features (such as the Canon 1Ds / 1D mk II with the Data Verification Kit DVK-E1 / DVK-E2), it becomes a formidable task to prove that an image is guaranteed to be in its original, unaltered state. It is a much easier task to prove with certainty that an image has been processed / edited (ie. not original).
JPEGsnoop can be used with reasonable confidence in identifying "processed" images, but what can we draw from the tool's assessment that an "Image has a high probability of being original"? ... only that the JPEG compression "signatures" and certain metadata elements match those expected from the indicated camera model(s). Note that assessment "Image is Original" is not used, for this reason.
Is this sufficient information to prove that an image is "original"? In a word, no.
Important Note: For this, and related reasons, the tool should not be used as direct evidence for legal investigations!
It would take a very specialized set of tools to create a false positive "original" from an altered image. It is possible, and I have proven this in my own development. However, in most circumstances, it is highly unlikely that a set of JPEG analysis tools have been used to produce such a fabrication. Even if the compression signatures and metadata were altered carefully to match, there is an array of advanced image content analysis techniques (eg. statistical noise analysis, etc.) that could then be applied to further identify possible alterations.
More interesting perhaps, is that some new digicams allow for a limited set of in-camera editing facilities. These digital cameras may allow for an externally edited photo to be brought back into the camera for resaving (via the editing functions). This mechanism may indeed enable an image to present all of the hallmarks of an "original" image (matching metadata and quantization tables), but bare no relationship to the original captured image.
Video Frame Analysis
JPEGsnoop's image assessment functions are not designed to be performed on JPEG frames extracted from video files (eg. AVI MJPG). In most cases, these will report as "Processed/Edited".
Therefore, while JPEGsnoop cannot absolutely guarantee an image's authenticity, it can be used to indicate with reasonable probability that an image has not been modified. If authenticity must be "proven", further analysis methods would be required. On the other hand, disproving an image's authenticity is accomplished quite easily (provided that the original image camera's signatures have been captured in the database)
Images that are not "Original"
There are many reasons that images may be flagged as being likely "processed / edited", including: the image was altered in a photo-editing program (such as Photoshop), resized before emailing, re-compressed for submission to a website, or simply processed from another image source such as RAW. Note that RAW images are generally converted to JPEG (via ACR or other software) for general-purpose output. The fact that the camera itself didn't encode the JPEG image is what leads it to be marked as processed / edited. Of course converting from RAW does not necessarily mean that any modifications were made to the image content. Nonetheless, there is no way to prove that from the resulting JPEG, so it is marked as being "processed".
You would be surprised at how many images on the web are apparently original, but are quickly revealed as being edited / post-processed. For example, even some of the "Sample Images" on Canon's official website have been edited in Photoshop, using Save As quality 10. The following is one such example #3.
In this example, Canon may have simply enhanced the sharpness or increased the saturation, but one could easily see how it could be misused.
|Canon's Sample Image example was edited!|
Matching IJG Library Signatures
In some cases, JPEGsnoop may determine that the image's signature matches the digital fingerprint characteristic of IJG's compression quality scale. This scale is based on a formula that generates DQT tables based on a quality value from 1-100. The majority of image editors that provide a quality scale across this range use the same formula to generate their compression tables.
Once JPEGsnoop has determined a match, it will list out several known editors that use this particular scale, as they are all candidates and can produce the same signature.
Submit your own Compression Fingerprint / Signature!
While the built-in database includes thousands of signatures, not all digital cameras or software editors have been analyzed. If JPEGsnoop does not recognize the digicam or software editor, you have an opportunity to submit the compression signature to the JPEGsnoop database (stored on your computer and in the shared database).
If you know the origin of a file (i.e. you took a file direct from your digital camera, or the file is direct from saving within a photo editor / image processing program), then you are invited to submit the compression signature with the Add Camera/SW to DB... command. A dialog box will display the calculated compression signature unique to that file, along with a request for some additional details:
- What is the source of the file? Was it direct from your digital camera or has the file been processed / edited?
- The name of the software (e.g. Adobe Photoshop), if the file has been processed (i.e. no longer original).
- The image quality setting. In this field, you are requested to enter the quality setting (if you happen to know it). Digicams generally provide the user with a selection of up to three image quality modes (e.g. superfine, fine, normal). Similarly, if you have edited / processed a file with software, you are often given the choice of JPEG quality (e.g. high, medium, low, 70, etc.).
When submitting the compression signature to the database, no identifying information or image content is captured -- only the compression signature (a long series of digits) and setting info.
Local User Database
When you add a camera / editor to your database, it is included in all future searches for compression signatures when processing photos. If you want to modify or clear this list (for example, if you entered information that was invalid), then you can use the Manage User DB option.
JPEGsnoop stores the local user database (and configuration options) in the following location:
<Profile Drive>/Documents and Settings/<User Name>/Application Data/JPEGsnoop/
In Windows 95/98 (or in operating systems where the User Profiles haven't been configured), the data file is stored in the same directory as the executable.