forensics.media

What is Error Level Analysis (ELA)?

By The Forensics Media team

Error Level Analysis (ELA) is a JPEG forensics technique that resaves an image at a known quality and highlights the regions whose compression error does not match the rest, which can flag an area that was recently edited. It was introduced by Krawetz (Black Hat USA 2007), and the important thing to understand is that it is a lead read by eye, not a verdict with a fixed threshold. Knowing exactly what ELA measures is what keeps you from over-reading it.

What does ELA do, step by step?

The procedure Krawetz set out is mechanical. Take the JPEG you want to examine, resave it at a known, uniform quality, which he puts at “a known error rate, such as 95%,” and subtract that fresh copy from the original. What remains is the difference in compression error between the two versions, rendered as a heatmap: regions with a high remaining error show up bright, and regions that barely changed stay dark. A recently added or painted-over region tends to be brighter than its surroundings, because it still had detail to lose that the rest of the image had already shed. That brightness is the signal ELA exists to surface.

Why do edited regions glow?

The reason lies in how JPEG stores an image. It divides the picture into 8x8 pixel blocks and compresses each one independently, discarding high-frequency detail. Every time you resave a JPEG, each block loses a little more of what it can lose, and after enough resaves a region reaches an error floor where further saving barely changes it. An untouched area has usually passed through the same number of compression cycles across the whole frame, so it settles at a uniform error level. A region that was pasted in or edited later has a different compression history: it has been recompressed fewer times, so it still has more error to give up on the next save, and it glows against the settled background. ELA is, in effect, a map of where an image’s compression history is not uniform.
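
The resave-and-subtract procedure and the compression-history effect described above, as an added example (not code from Krawetz or from this site). It is a toy model: each 8x8 grayscale block is "saved" with one uniform quantisation step standing in for a JPEG quality setting, and the steps 24, 3 and 5 and the random texture are assumptions chosen for illustration.

```python
import math
import random

N = 8
# Orthonormal 8x8 DCT-II basis, C[u][x]
C = [[math.sqrt((1 if u == 0 else 2) / N) * math.cos((2 * x + 1) * u * math.pi / (2 * N))
      for x in range(N)] for u in range(N)]
CT = [list(col) for col in zip(*C)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)] for i in range(N)]

def resave(block, step):
    """Toy JPEG save of one 8x8 grayscale block: DCT, quantise, inverse DCT, round."""
    coeffs = matmul(matmul(C, [[p - 128 for p in row] for row in block]), CT)
    quantised = [[round(c / step) * step for c in row] for row in coeffs]
    pixels = matmul(matmul(CT, quantised), C)
    return [[min(255, max(0, round(p + 128))) for p in row] for row in pixels]

def error_level(block, step):
    """ELA value of a block: mean absolute difference from its own resave."""
    again = resave(block, step)
    return sum(abs(p - q) for r, s in zip(block, again) for p, q in zip(r, s)) / (N * N)

def ela_demo(seed=7):
    """Return a 4-block ELA map: three background blocks, then one pasted block."""
    rng = random.Random(seed)  # constructed sample data, not a real photo

    def texture():
        return [[rng.randint(118, 138) for _ in range(N)] for _ in range(N)]

    background = [resave(texture(), 24) for _ in range(3)]  # old, coarse save
    composite = background + [texture()]       # 4th block pasted in, no JPEG history
    saved = [resave(b, 3) for b in composite]  # editor saves the file at a fine step
    return [error_level(b, 5) for b in saved]  # analyst: resave at known step, subtract

if __name__ == "__main__":
    print(ela_demo())
```

The first three values are the background blocks, which shed their fine detail in the coarse save; the last is the pasted block, which still has detail to lose and so carries the highest error level.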

How do you read an ELA map, and what fools it?

The expected result for an untouched photo is uniform brightness across the frame. What trips people up is that plenty of innocent things are bright too. High-contrast edges, sharp text and saturated colours naturally carry more high-frequency detail, so they light up under ELA whether or not anyone touched them. There is no numeric threshold that separates “edited” from “textured”; an analyst reads the contrast by eye, which is the first reason ELA is a lead rather than proof. Krawetz is direct about this limit: in his own worked examples ELA “only identifies ‘a’ change,” not what caused it, and even after combining it with several other analyses he reports that “the details of the manipulation are inconclusive.” The method shows you where the compression error is uneven. It does not tell you why.

Why isn’t a JPEG quality number comparable across editors?

A natural next question is whether you can simply read off the quality a file was last saved at and compare it. You can estimate the last-save quality from the quantization tables baked into the file, but the numbers are not comparable across programs, because editors use different quality scales. Krawetz found that an image saved at 80 percent through Photoshop’s “Save for Web” carries quantization tables equivalent to 91 percent, so the same file can be labelled two different numbers depending on the tool. A single quality number is therefore a within-file clue, not a cross-file measurement, and treating two editors’ percentages as the same scale is a common error. It is a detail about JPEG mechanics that matters for reading any compression-based method, ELA included.
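
Reading the tables directly, as an added example (not from Krawetz's paper): the parser below pulls the DQT segments out of a JPEG and expresses the luminance table on the libjpeg (IJG) quality scale, which is used here as the reference scale by assumption. The closest-sum estimator and the `sample_file` input are constructed for illustration.

```python
import struct

# Annex K luminance base table (ITU-T T.81), which libjpeg scales by "quality"
BASE = [16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
        14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
        18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
        49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99]

def ijg_table(quality):
    """Luminance table libjpeg derives from a 1-100 quality setting."""
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [min(255, max(1, (b * scale + 50) // 100)) for b in BASE]

def read_dqt(jpeg):
    """Return {table_id: [64 entries in file order]} from segments before the scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    tables, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop here
            break
        body = jpeg[pos + 4:pos + 2 + length]
        while marker == 0xDB and body:  # one DQT segment may hold several tables
            precision, table_id = body[0] >> 4, body[0] & 0x0F
            size = 128 if precision else 64
            if len(body) < 1 + size:
                raise ValueError("truncated DQT segment")
            fmt = ">64H" if precision else "64B"
            tables[table_id] = list(struct.unpack(fmt, body[1:1 + size]))
            body = body[1 + size:]
        pos += 2 + length
    return tables

def ijg_equivalent_quality(table):
    """IJG quality whose table total is closest (order-independent estimate)."""
    total = sum(table)
    return min(range(1, 101), key=lambda q: abs(sum(ijg_table(q)) - total))

def sample_file(quality):
    """Constructed input: SOI + one DQT segment + EOI, no image data."""
    payload = bytes([0x00]) + bytes(ijg_table(quality))
    return b"\xff\xd8\xff\xdb" + struct.pack(">H", 2 + len(payload)) + payload + b"\xff\xd9"
```

The number this returns describes the table on one encoder's scale only; a file whose editor labelled it "80" can still come back as a different value here, which is the mismatch the section describes.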

How does ELA relate to the stronger JPEG methods?

ELA is the eyeball version of a family of more rigorous compression-forensics methods, all of which infer an edit from compression statistics rather than proving one. Farid (IEEE TIFS 2009) formalised the closest relative, JPEG ghost analysis, which exposes a region that was first compressed at a lower quality than the rest of the image; Farid is candid that low quality images “often destroy any statistical artifacts that could be used to detect tampering.” Lukáš and Fridrich (DFRWS 2003) estimate the primary quantization matrix of a doubly compressed JPEG, and Bianchi and Piva (IEEE TIFS 2012) detect nonaligned double-JPEG compression from the integer periodicity of its DCT coefficients. Each is more defensible than an eyeballed heatmap, and each still needs the right compression mismatch to survive. For when ELA is actually reliable, when a bright map means nothing, and where it fails outright, see “Is Error Level Analysis reliable?”.

What ELA gives you, then, is a fast and intuitive picture of where a JPEG’s compression history is uneven, which is a genuine clue and a poor verdict. It reads by eye, it has no threshold, and it shares its blind spots with every other method that depends on a compression difference still being present in the file. That is why an ELA map earns its place as an opening question, and why detecting deliberate manipulation never rests on it alone.

Sources

  • Krawetz, N. (2007). A Picture’s Worth: Digital Image Analysis and Forensics. Black Hat USA 2007.
  • Farid, H. (2009). Exposing Digital Forgeries from JPEG Ghosts. IEEE Transactions on Information Forensics and Security 4(1):154-160. DOI: 10.1109/TIFS.2008.2012215
  • Lukáš, Fridrich (2003). Estimation of Primary Quantization Matrix in Double Compressed JPEG Images. Digital Forensic Research Workshop (DFRWS) 2003.
  • Bianchi, Piva (2012). Detection of Nonaligned Double JPEG Compression Based on Integer Periodicity Maps. IEEE Transactions on Information Forensics and Security 7(2), April 2012. DOI: 10.1109/TIFS.2011.2170836