Forensic Photograph Tampering and Malicious Editing Analysis

photo tampering and malicious editing analysis

Forensic Photograph and Still Image Tampering and Malicious Editing Analysis

Do You Suspect tampering or editing of a Photograph or Still Image has taken place? To determine whether a photograph has been tampered with or otherwise maliciously edited in order to deceive or mislead, the authenticity and integrity of the file must be assessed.

It is also important to provide information as to all and any handling of the photo i.e. who, what, where, when and why for each instance where someone handled the file or something was done to the photo or image, such as copied from one machine or system to another, file was renamed, file was edited in any way, changed into another format or burnt to disc etc.

To minimise costs and maximise results, please provide as much guidance as possible. What has caused you to believe the file has be modified in some way.

A lack of information about the origins and/or handling of the image typically results in an inconclusive outcome.

Handling and Documentation

Depending upon the handling and claimed origins, additional work may be required to determine the presence or absence of the photo, or other versions of the photo, on other synchronised or backup devices, or cloud storage areas linked to that user.

A device of the same claimed make and model (exemplar device) may be required to be purchased for testing and verification of observed parameters and characteristics.

If the original or a “true duplicate copy” of the original photo cannot be provided, there is an immediate and unavoidable suspicion placed on the authenticity and integrity of the photo.

Tampering and Malicious Editing Assessments

Even if a photograph appears normal, there may be hidden characteristics that can indicate the photo is not original, or even a true duplicate copy of the original. The more information you can provide relating to the provenance (origin and handling history) of the recording, the more we have to work with and the better the chances of a reliable and confident outcome.

The verification of the authenticity and integrity of a digital media file is an important component of multimedia digital forensics. There are many ways in which a photograph or still image can be manipulated, often unintentionally.

With any of these forms of authentication and integrity testing, the more information you can provide relating to the provenance (origin and handling history) of the recording, the more we have to work with and the better the chances of a reliable and confident outcome. The outcome still may not be conclusive as there are often unexplainable characteristics identified which do not necessarily indicate clear evidence of malicious tampering.

Authenticity Assessment

An Authenticity assessment can provide verification of the source recording device, the mode of recording and date and time the recording took place. If any of these “external characteristics” do not correlate with that which is observed in the file being assessed, then there is a strong probability that the recording did not originate from the claimed device or was made at the claimed time.

IF a recording or file being provided as evidence cannot be verified as being recorded by the claimed device at the claimed date and time by the person said to have made the recording, then the possibility of the photo or image having been reprocessed, transcoded, or otherwise edited in some way is greatly increased.

Integrity Assessment

Integrity analysis is the verification of the contents of the recording or image as being a true and reliable representation of the information it contains.

An Integrity assessment looks at the content of the recording to determine whether the photograph is reliably representing the situation it is being relied upon to portray. Any characteristics not expected for the type of format that the claimed device uses such as unusual or varied compression levels, varying light source directions or shadows etc. can identify if the photo has in some way been altered or staged.

Photo and Still Image Authentication and Integrity Analysis Applications

Testing for tampering or malicious editing of a photograph can include:

  • Review of associated statements or chain-of-custody documentation relating to handling and prior history.
  • Analysis of metadata associated with manufacturers Id, encoding format Id. timestamps and device settings.
  • Inspection of encoding used and correlation with the claimed recording device capabilities.
  • Identification of compression algorithm used and any areas of varying compression levels.
  • Inspection and analysis of the continuity of reflections, shadows, perspectives, level of detail, direction and consistency of lighting.
  • Analysis of internal file and external system metadata and timestamp discrepancies associated with the photograph and related thumbnail images.
  • Analysis of background image sensor noise and dropped, missing or fixed value pixels (digital fingerprinting).
  • Comparison of image structure and metadata with other photos claimed to have been taken by the same device or a device of the same make and model.
  • Bit-level  analysis of the data to detect specific instances and types of tampering or modifications to the pixels of the images such as cutting and pasting, copying or duplicating blocks of image data (pixels) to overwrite other areas of the image.
  • Analysis and comparison of the colour space and colour range of the image with the capabilities of the claimed device used.