Contents
When a JPEG is opened, edited, and saved again it is compressed a second time, and that double compression leaves statistical traces even though the file carries no flag announcing it. Compression analysis reads those traces: mismatches in the eight-by-eight block grid, periodic patterns in the histograms of the discrete cosine transform coefficients, and inconsistencies between the quantization tables of the two passes. A region spliced in from elsewhere usually carries a different compression history from the rest of the frame, and that difference is the tell. It is a lead rather than a verdict, because a screenshot, a platform upload, or an innocent crop recompresses an image just as an edit does, and every extra re-save weakens the signal.
Why a second compression leaves a trace
JPEG compression quantizes the image’s DCT coefficients, rounding them to a grid set by a quantization table. Compress once and the coefficients settle onto that grid. Compress again, usually at a different quality and often after the pixels have shifted, and the second quantization interferes with the first, leaving a distinctive fingerprint in the coefficient statistics. There is no header field that records any of this. The detection is entirely post-hoc: an examiner infers a second compression from block-grid mismatch energy, from bimodality or periodicity in the DCT histograms, and from quantization-table inconsistencies between passes. Because the traces live in the image statistics rather than in metadata, they survive a metadata strip, which is what makes them worth reading when the tags are gone.
Aligned and nonaligned double-JPEG
The analysis splits on whether the second compression’s block grid lines up with the first. If a file is opened and saved again without a crop or shift, the grids stay aligned, and the double-quantization effect shows up as a comb-like periodicity in the coefficient histograms. If a crop, a screenshot, a resize, or a paste at an arbitrary position moves the image before the next save, the second grid is offset, and a different statistic is needed. Bianchi and Piva detect this nonaligned case from the “integer periodicity of the blockwise discrete cosine transform,” recovering the hidden grid offset a plain crop leaves behind (IEEE Transactions on Information Forensics and Security 2012). The two cases are separate analyst filters for a reason: a forgery that fools one can be exposed by the other, and the recovered offset itself localizes where the tampering happened.
What it reveals about an edit
The forensic value is comparative. A file that was merely re-saved is doubly compressed everywhere, uniformly, which says nothing about tampering. What flags an edit is a region whose compression history differs from its surroundings. Farid’s JPEG ghost method exposes exactly that, revealing a region first compressed at a lower quality than the rest, so a low-quality patch dropped into a higher-quality photo appears as a faint ghost. He reports untampered images classified with greater than 99 percent accuracy, and detection above 90 percent once the quality gap is larger than 20 and the tampered region larger than 100 by 100 pixels (Farid, IEEE Transactions on Information Forensics and Security 2009), numbers that also state the limit: small regions and small quality gaps are hard. The intrinsic fingerprints of the source coder can be read back out too. Lin, Tjoa, Zhao and Liu build a detector for which encoder and settings produced an image and report that “the probability of detecting the correct source encoder is over 90%” across their test cases (IEEE Transactions on Information Forensics and Security 2009).
Where it breaks: re-saves and anti-forensics
Two things blunt the signal. The first is ordinary handling. Each new compression overwrites the evidence of the earlier ones, so the history is generally recoverable only about a layer back, and a screenshot re-anchors the block grid to a fresh origin, discarding what came before. When Zampoglou, Papadopoulos and Kompatsiaris ran a battery of detectors, several compression-based, against eighty-two real-world web forgeries, they found that “the algorithms we applied failed in the majority of cases” (ICMEW 2015). The second is deliberate. Stamm and Liu built anti-forensic techniques that can “render several forms of image tampering such as double JPEG compression, cut-and-paste image forgery, and image origin falsification undetectable through compression-history-based forensic means,” by smoothing the tell-tale coefficient statistics back toward a single-compression distribution (IEEE Transactions on Information Forensics and Security 2011). Compression analysis assumes an honest file that no one has actively laundered; the manipulation signal that survives when compression tells you nothing is copy-move forgery detection.
A compression clue, weighed with the rest
Double-JPEG analysis is a genuine, mechanism-grounded signal: it can show that part of an image has a different compression past from the whole, and it can sometimes place where. But it is fragile by construction, informative mainly on lightly processed originals, and silent or misleading on the recompressed, screenshotted files that make up most of what circulates. A negative result clears nothing, because the edit may simply not have crossed a quality boundary, and a positive result is one input to weigh, not a conclusion. That is the discipline forensic reporting demands, a finding stated as strength of support rather than a verdict (ENFSI, 2015). Where all of this sits on the reliability scale is in how reliable is photo forensics.
Sources
- Farid, H. (2009). Exposing Digital Forgeries from JPEG Ghosts. IEEE Transactions on Information Forensics and Security 4(1):154-160. DOI: 10.1109/TIFS.2008.2012215
- Bianchi, Piva (2012). Detection of Nonaligned Double JPEG Compression Based on Integer Periodicity Maps. IEEE Transactions on Information Forensics and Security 7(2):842-848. DOI: 10.1109/TIFS.2011.2170836
- Lin, Tjoa, Zhao, Liu (2009). Digital Image Source Coder Forensics Via Intrinsic Fingerprints. IEEE Transactions on Information Forensics and Security 4(3):460-475. DOI: 10.1109/TIFS.2009.2024715
- Stamm, Liu (2011). Anti-Forensics of Digital Image Compression. IEEE Transactions on Information Forensics and Security 6(3):1050-1065. DOI: 10.1109/TIFS.2011.2119314
- Zampoglou, Papadopoulos, Kompatsiaris (2015). Detecting Image Splicing in the Wild (Web). IEEE International Conference on Multimedia & Expo Workshops (ICMEW) 2015. DOI: 10.1109/ICMEW.2015.7169839
- European Network of Forensic Science Institutes (2015). ENFSI Guideline for Evaluative Reporting in Forensic Science (STEOFRAE).