Archive for the 'Forensics software' Category

Interview Discussing Digital Forensics Tools Used by Federal Agencies and Bounty Fishing

He’s the world’s foremost digital forensics specialist, working occasionally with the FBI on everything from fraud to child pornography. We asked Hany Farid, the mind behind the top digital forensic software also used on this site, a few questions about his life and work in this new and important field. Read his take on digital forgeries and some of the challenges he has faced throughout his unique and fascinating career.


BF (Bounty Fishing): How did you first get involved with digital forensics?

HF (Hany Farid): I stumbled upon a clause in the Federal Rules of Evidence that stated that traditional 35mm film and digital images were, in the eyes of the law, equivalent when it comes to the introduction of photographic evidence in a court of law. This was ten years ago, and even then I thought “this is crazy”, and “this is going to be a problem pretty soon”. I spent about three years thinking about how to approach the problem of authenticating digital media. And about seven years ago, I had my first insight. Ever since, I have been developing mathematical and computational tools to detect tampering in digital audio, image, and video.

BF: Are there some forgeries that you can’t catch?

HF: Yes. In fact, I can create forgeries that our software can’t detect. But, it is difficult and time-consuming. And, as we develop more tools to detect different forms of tampering, it will become increasingly more difficult and time-consuming to create a convincing fake.

BF: Where do you see this all going? Are you getting better at catching forgers, or are they getting better at getting away with it?

HF: Both. The forger/forensics game is similar to the spam/anti-spam and virus/anti-virus. Both sides get smarter and more sophisticated. In the end, the forensics side has the harder job – it is always easier to create a fake than it is to detect it.

BF: Are forgers only using Photoshop? Or does specific forgery software exist?

HF: Adobe Photoshop is by far the most common photo-editing software used to manipulate photos. Because of this, Adobe is concerned about the impact of their software – they in fact fund some of the digital forensics research in my lab.

BF: What is the difference between your software and that used by federal agencies?

HF: Our software is the software used by some federal agencies. In fact, I just returned from the FBI forensics in Quantico, VA, where I was demonstrating the latest version of our forensic software.

BF: What was it like working on the child pornography case you mentioned in the New York Times article?

HF: Incredibly disturbing and incredibly important. The issue here is that the United States Supreme Court held that virtual or computer-generated child porn images are protected under the first amendment. As a result, a defendant can claim that the images that he/she possesses are virtual and hence protected. Then, prosecution has to prove that they are real. I have worked on several cases where the Court has asked for my opinion as to whether images are real or computer-generated. I don’t like looking at these images (they give me nightmares), but I think it is important for the Courts to hear a sound technical opinion in order to arrive at a reasonable legal conclusion.

BF: At the end of the day, a digital image is just 1s and 0s, right? How much are you looking for visual clues, and how much is an analysis of the file’s source data?

HF: We have many different forensic tools. Some look for lighting or shadow inconsistencies, while others directly analyze the underlying pixel values. There are many ways to tamper with an image, so we need lots of different ways of analyzing images. Each case that I work on is different, and in each case I need to draw on a different approach, and sometimes create entirely new tools.

BF: Do you hire or work with successful forgers?

HF: I am a successful forger.

BF: Your services have been called upon for a wide range of situations. What was it that made Bounty Fishing a particularly good project?

HF: In some ways Bounty Fishing epitomizes the future. Here is a business model that critically depends on the ability to authenticate digital images. As we become a more digital and wired world, I am sure that we will see an increase in the number of businesses that are going to need to authenticate digital media. So, I was excited to see our forensic software be employed by Bounty Fishing.

BF: What’s the strangest case you have ever dealt with?

HF: I can’t say, but it was very strange.

BF: Are low quality photos easier to forge?

HF: Generally yes because reducing the size of an image and adding noise obscures traces of tampering – this is almost certainly why virtually all of the UFO/ghost/Loch Ness monster images are small, grainy and out of focus.

BF: Is this picture real?

Warped Face

HF: I sure hope not.

Photoshop and fishing don’t go hand in hand

How to Spot a Photoshopped Image

BountyFishing works like so:

  • Participants go fishing and photograph what they catch
  • Participants then submit these photos to the BountyFishing website
  • BountyFishing awards cash and prizes for the longest validated catch

The biggest hurdle we faced was how we were going to validate and authenticate the fish photos our users submitted. Photos altered with Photoshop can be incredibly convincing. With a few simple clicks of the “Quick Selection Tool” the fish shown below (top left) was selected, dropped into a separate layer, and stretched to add more than an inch to its length. With a little more work to move the shadow and soften any rough edges, the resulting image (top right) shows no signs of tampering.

Unaltered image
Fish measurement

Photoshopped image
Fish Measurement Photoshopped

The solution we found was to use a piece of software developed by Hany Farid, a professor at Dartmouth College who is renowned in digital forensics. When the fish was stretched, Photoshop filled in the missing pixels by interpolating their values from the original recorded pixels. These regularly spaced new pixels are a specific combination of their surrounding pixels. Such regularities rarely occur in natural images, so their presence can be used as evidence of tampering.

Shown below is the output of the BountyFishing software that detects these correlations – the red-coded regions correspond to the doctored portion of the image.

greenfish.jpg
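The interpolation regularity described above can be reproduced on a single row of pixels. The sketch below is an added example, not BountyFishing's or Hany Farid's software: it uses a fixed neighbour-average predictor and a spectral peak test as a simplified stand-in, and the function names, window size, threshold and the constructed noise texture are all assumptions.

```python
import cmath
import random
import statistics

def stretch_row(row, factor):
    """Resample a pixel row by linear interpolation, rounded as an 8-bit image would be."""
    out = []
    for i in range(int((len(row) - 1) * factor) + 1):
        x = i / factor
        lo = min(int(x), len(row) - 2)
        t = x - lo
        out.append(round((1 - t) * row[lo] + t * row[lo + 1]))
    return out

def periodicity_score(row):
    """Peak-to-median ratio of the spectrum of |pixel - mean of its two neighbours|."""
    resid = [abs(row[i] - 0.5 * (row[i - 1] + row[i + 1]))
             for i in range(1, len(row) - 1)]
    if len(resid) % 2:
        resid.pop()  # even length puts the period-2 frequency exactly on a bin
    n = len(resid)
    mean = sum(resid) / n
    mags = []
    for k in range(1, n // 2 + 1):
        s = sum((r - mean) * cmath.exp(-2j * cmath.pi * k * i / n)
                for i, r in enumerate(resid))
        mags.append(abs(s))
    return max(mags) / statistics.median(mags)

def flag_windows(row, win=128, step=64, threshold=6.0):
    """Start offsets of windows whose residuals are suspiciously periodic."""
    return [s for s in range(0, len(row) - win + 1, step)
            if periodicity_score(row[s:s + win]) > threshold]

def build_sample_row(seed=7):
    """Constructed input: noise texture with a 2x-stretched segment in the middle."""
    rng = random.Random(seed)
    def texture(n):
        return [min(255, max(0, round(rng.gauss(128, 20)))) for _ in range(n)]
    return texture(256) + stretch_row(texture(128), 2.0) + texture(256)

if __name__ == "__main__":
    # The stretched segment occupies offsets 256..510 of the sample row.
    print("flagged window offsets:", flag_windows(build_sample_row()))
```

Windows that lie wholly inside the stretched segment are flagged because every second pixel there is almost exactly the average of its neighbours; windows over the untouched texture show no such period.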

This software is used by federal law enforcement agencies and can detect various forms of tampering.
We have exclusive rights to the software for measuring fish, but if you really feel like getting your hands dirty with digital forensics, Hany Farid’s website has an interface to MATLAB for manipulating and analyzing digital images. In addition to the software above, a few other dead giveaways that a photo has been altered are:

  • Excessive cloning – repetition of a particular piece of the photo, often used to stretch or morph images.
  • Inconsistencies in lighting and noise. The easiest way to spot altered lighting is to increase the contrast of a photo so all the differences in lighting are exaggerated.
  • Look for shadows that don’t match up with what’s casting them.
  • Optical aberrations, including patterns that aren’t seamless or appear to be inconsistent (or artificially consistent) with the surrounding area.
  • Using human anatomy and other reference points, BountyFishing verifies the authenticity of the ruler’s length.

We’ve got a flash demo of how we authenticate photos that gives a little bit more information about how this all works.