forensics.media Subscribe
Overview

What can forensics learn from a photo?

By The forensics.media team
6 min read
Contents

A single photo can reveal the camera model that took it, sometimes the individual sensor, whether a region was pasted in or painted over, and roughly how many times it has been recompressed. None of that is proof. Each read is a probability weighed against an innocent explanation, and each one survives only as long as the faint detail it depends on. This is the photo-specific version of the wider question in what forensics can learn from a file: the still-image traces an examiner actually works through, and how far each holds.

What made the photo

Origin is the first question, and it has a fast weak answer and a slow strong one. The metadata names the camera, the lens, the time and often the GPS coordinates, but every field is editable and the whole block strips on a re-save, so it is a lead to corroborate rather than a fact (can EXIF data be faked?). The far harder trace to fake is the sensor’s own noise. Lukáš, Fridrich and Goljan (2006) tie an image to one physical sensor by its photo-response non-uniformity, the faint fixed pattern every sensor stamps into every frame, treating that reference pattern as a unique per-sensor fingerprint and reporting a false-reject rate under 1 percent at a false-accept rate of one in a thousand on clean files. Chen, Fridrich, Goljan and Lukáš (2008) extended it into an integrity test, and Goljan, Fridrich and Filler (2009) confirmed the low error rates hold across over one million images from 6,896 cameras. The catch is that it needs the candidate camera in hand and decays fast under processing (how accurate is camera fingerprinting).

The color pipeline leaves image-only fingerprints

A photo carries traces no sound recording has, because it was built by a lens and a color pipeline. Most cameras capture one color per pixel behind a color filter array and interpolate the other two, and as Popescu and Farid (2005) put it, that interpolation “introduces specific correlations which are likely to be destroyed when tampering with an image,” correlations their method detects in any region of the frame. The optics leave a second, geometric trace: Johnson and Farid (2006) estimate the lateral chromatic aberration across the image, the tiny wavelength-dependent shift a lens introduces, and flag any region where it stops being consistent with the rest. These are still-image traces by construction, which is why a photo earns its own examination rather than the file-general one.

Whether it has been edited

Two questions hide inside “is it fake”: were the pixels altered, and is a real photo being shown in a false context. For the first, an examiner fuses several weak signals rather than trusting one. Error Level Analysis is a pointer, not a verdict, and its own creator reads it alongside other methods (Krawetz, 2007). The compression tests beside it are stronger than an eyeballed heatmap yet still infer an edit from statistics: Farid’s (2009) JPEG ghost method exposes a region first compressed at a lower quality than the rest, and Bianchi and Piva (2012) detect nonaligned double-JPEG compression from the periodicity of DCT coefficients. The modern learned detectors carry the same caveat. TruFor averages an F1 of 0.696 and ships a reliability map marking where its own output is unsafe (Guillaro et al., 2023), while Noiseprint averaged a Matthews correlation of only 0.403 across nine datasets, its authors cautioning that noiseprints “cannot help for device identification” (Cozzolino and Verdoliva, 2020). Attribution can even be actively spoofed: the SpoC attack injects a chosen camera’s fingerprint into a synthetic image (Cozzolino et al., 2021). The second question, false context, no pixel test can answer at all (how to verify if an image is real).

What has happened to it since

A photo also carries the marks of its own handling. Re-encoding leaves traces of how many times it was compressed and which apps or platforms it passed through, so a forensic read can often tell that an image is not the pristine original it claims to be. The limit is depth: this history is generally recoverable only about one layer back, because the last encoder overwrites the evidence of the earlier ones, and a screenshot re-anchors the JPEG block grid to a fresh origin (does a screenshot remove metadata?). It is good for spotting a laundered file, poor at reconstructing its full life story.

The rule behind every read

One principle decides how much any of this is worth: the traces are fragile, and ordinary handling destroys them. A single mismatched processing pipeline alone can drop the PRNU sensor correlation by about 62 percent (Joshi et al., 2020), and resaving, downscaling and platform re-encoding strip the faint detail the color-pipeline and JPEG methods depend on. A finding earns trust only when it comes from an original file and several independent methods agree, because a forensic result is a strength of support for one proposition over another, never a verdict (ENFSI, 2015). Read that way a photo answers a great deal. Read as a single button that declares it fake, it promises far more than the science delivers. The reliability spokes go deeper at how accurate is camera fingerprinting and how reliable is photo forensics.

Sources

  • Lukáš, Fridrich, Goljan (2006). Digital Camera Identification from Sensor Pattern Noise. IEEE Transactions on Information Forensics and Security 1(2):205-214. DOI: 10.1109/TIFS.2006.873602
  • Chen, Fridrich, Goljan, Lukáš (2008). Determining Image Origin and Integrity Using Sensor Noise. IEEE Transactions on Information Forensics and Security 3(1):74-90. DOI: 10.1109/TIFS.2007.916285
  • Goljan, Fridrich, Filler (2009). Large Scale Test of Sensor Fingerprint Camera Identification. Proc. SPIE 7254, Media Forensics and Security. DOI: 10.1117/12.805701
  • Popescu, Farid (2005). Exposing Digital Forgeries in Color Filter Array Interpolated Images. IEEE Transactions on Signal Processing 53(10):3948-3959. DOI: 10.1109/TSP.2005.855406
  • Johnson, Farid (2006). Exposing Digital Forgeries Through Chromatic Aberration. ACM Workshop on Multimedia and Security (MM&Sec) 2006:48-55. DOI: 10.1145/1161366.1161376
  • Krawetz, N. (2007). A Picture’s Worth: Digital Image Analysis and Forensics. Black Hat USA 2007.
  • Farid, H. (2009). Exposing Digital Forgeries from JPEG Ghosts. IEEE Transactions on Information Forensics and Security 4(1):154-160.
  • Bianchi, Piva (2012). Detection of Nonaligned Double JPEG Compression Based on Integer Periodicity Maps. IEEE Transactions on Information Forensics and Security 7(2):842-848. DOI: 10.1109/TIFS.2011.2170836
  • Cozzolino, Verdoliva (2020). Noiseprint: A CNN-Based Camera Model Fingerprint. IEEE Transactions on Information Forensics and Security 15:144-159. DOI: 10.1109/TIFS.2019.2916364
  • Guillaro, Cozzolino, Sud, Dufour, Verdoliva (2023). TruFor: Leveraging All-Round Clues for Trustworthy Image Forgery Detection and Localization. CVPR 2023.
  • Cozzolino, Thies, Rössler, Nießner, Verdoliva (2021). SpoC: Spoofing Camera Fingerprints. CVPR Workshops 2021. DOI: 10.1109/CVPRW53098.2021.00110
  • Joshi, Korus, Khanna, Memon (2020). Empirical Evaluation of PRNU Fingerprint Variation for Mismatched Imaging Pipelines. IEEE International Workshop on Information Forensics and Security (WIFS) 2020. DOI: 10.1109/WIFS49906.2020.9360911
  • European Network of Forensic Science Institutes (2015). ENFSI Guideline for Evaluative Reporting in Forensic Science (STEOFRAE).
#forensics#image#reliability