forensics.media Subscribe
Image

Clone / copy-move forgery detection, explained

By The forensics.media team
5 min read
Contents

Copy-move forgery, also called cloning, duplicates a region of a photo and pastes it elsewhere in the same image, to hide an object or repeat one, and detection works by finding two areas that are suspiciously identical. Fridrich, Soukal and Lukáš, who introduced the first practical detector, define the attack as one where “a part of the image is copied and pasted somewhere else in the image” (DFRWS 2003). It earns a dedicated test because the pasted pixels come from the same photo, so they carry its lighting, its sensor noise, and its compression history, and the general tamper checks that catch a foreign paste stay consistent and miss it. A duplicate-region hit is a strong lead, not a verdict.

Why cloning slips past the other checks

Most tamper checks look for a seam between two different photos, and copy-move has no such seam. Noise-inconsistency analysis, for instance, flags a region whose sensor noise does not match the frame, because a patch pasted from another camera carries different noise (Mahdian and Saic, Image and Vision Computing 2009). A cloned patch fails that test in the forger’s favor: it came from the same sensor and the same exposure, so its noise, its color-filter-array correlations, and its compression history all agree with their surroundings. The same holds for camera fingerprinting and lighting checks. Cloning is the one manipulation that keeps every global statistic intact, which is exactly why a separate method, built to spot duplication rather than difference, is the tool that catches it.

Block-based and keypoint-based detection

Two detector families do that job. The block-based approach, introduced by Fridrich, Soukal and Lukáš (DFRWS 2003), slides a window across the image, describes each overlapping block by a compact feature such as its quantized discrete cosine transform coefficients, then sorts those descriptors so near-identical blocks land next to each other and can be matched. A useful result is not one matched pixel pair but a cluster of matched blocks that all agree on the same shift vector, meaning one connected region appears to have been translated from another. That is why analyst tools draw colored clone maps rather than a yes or no. The keypoint-based approach answers the block method’s main weakness: it extracts distinctive interest points with detectors like SIFT or SURF and matches them across the frame, so a duplicated region shows up as a cluster of point-to-point correspondences even after the patch is moved. In an analyst toolkit the two run as complementary filters, one dense but brittle, the other sparse but more tolerant of a turned or scaled patch.

What a forger does to break it

The countermeasures are the obvious geometric ones. Scaling, rotating, or flipping the cloned region breaks the exact-match assumption that block-based detection relies on, and adding a little noise or a fresh round of JPEG compression to the patch blurs the duplicate further. Keypoint matching survives these better, because SIFT and SURF descriptors are built to be stable under scale and rotation, but it thins out on small or low-texture regions that yield few keypoints. The transformation itself, though, leaves a second trace an examiner can pursue independently. As Popescu and Farid put it, “re-sampling (e.g., scaling or rotating) introduces specific statistical correlations” that their method detects in any region of the frame (IEEE Transactions on Signal Processing 2005). So a forger who scales a patch to make it fit may defeat the clone matcher yet trip the resampling detector, which is why these signals are run together rather than singly.

Where false positives come from

Repeated texture is the natural enemy of clone detection. Brick walls, windows, foliage, tiled floors, and fabric can contain genuinely repeated structure, and a detector can read suspicious similarity into texture that was never copied. Compression makes it worse: JPEG quantization pushes different small blocks toward the same values, so a weak threshold lights up false matches, while heavy recompression can destroy the fine differences that separate a real clone from a natural repetition. The analyst’s discipline is to ask whether the clone map makes sense. Do the matched blocks form coherent connected regions? Does the source area plausibly cover an object? Do independent tests, a resampling trace, a lighting inconsistency, a JPEG ghost, point the same way? A clone map on its own is a hunch.

A signal, not a verdict

Modern forgery localizers fold copy-move detection into a single trained network that also localizes splices, and they are more capable than the hand-built matchers without being decisive. TruFor reports an average F1 of 0.696 across its benchmarks and, tellingly, ships a reliability map that marks where its own output should not be trusted (Guillaro et al., CVPR 2023). That is the ceiling: right most of the time on curated data, and open about the regions where it is guessing. On a heavily recompressed image off a social feed, even a clean-looking result mostly means there was too little signal left to read. Copy-move detection answers one narrow question well, has a region of this photo been duplicated inside it, and forensic reporting requires any such finding to be stated as strength of support for one proposition over another, never as proof (ENFSI, 2015). It is one of the named signals an analyst fuses into a finding, the workflow set out in how to detect Photoshop manipulation.

Sources

  • Fridrich, Soukal, Lukáš (2003). Detection of Copy-Move Forgery in Digital Images. Proc. Digital Forensic Research Workshop (DFRWS) 2003.
  • Mahdian, Saic (2009). Using Noise Inconsistencies for Blind Image Forensics. Image and Vision Computing 27(10):1497-1503. DOI: 10.1016/j.imavis.2009.02.001
  • Popescu, Farid (2005). Exposing Digital Forgeries by Detecting Traces of Re-sampling. IEEE Transactions on Signal Processing 53(2):758-767. DOI: 10.1109/TSP.2004.839932
  • Guillaro, Cozzolino, Sud, Dufour, Verdoliva (2023). TruFor: Leveraging All-Round Clues for Trustworthy Image Forgery Detection and Localization. CVPR 2023.
  • European Network of Forensic Science Institutes (2015). ENFSI Guideline for Evaluative Reporting in Forensic Science (STEOFRAE).
#copy-move#clone#tamper#image