Researcher offers new method for analyzing pictures, videos

Published 3 August 2007

New error-level analytical techniques allow for detecting the authenticity of pictures and videos — for example, those released by al Qaeda; retouched and added images may indicate coded messages to operatives

Andrei Gromyko, the long-serving foreign minister of the Soviet Union (1957-85), was not exactly known as a barrel of laughs. Henry Kissinger writes in his memoirs, though, that the dour and austere Gromyko was not without a sense of humor — even gallows humor at times. On one of his visits to the USSR, Kissinger noted that a high-level Soviet foreign ministry official, who had always been prominently present during U.S.-Soviet meetings, was nowhere to be seen. Kissinger turned to Gromyko to inquire about the missing official, and Gromyko replied: “Here in the Soviet Union it is a little bit like the Bermuda Triangle: Every once in a while one of us disappears.” In fact, purges and disappearances were a staple of Soviet leadership struggles and changes, and they created a big problem for the powers that be: Yesterday’s leaders became today’s disgraced traitors, only to be rehabilitated tomorrow and reinstalled, at times posthumously, to their previous position in the communist pantheon. The Soviet publishing industry and newspapers constantly had to update photographs of the Soviet leadership to make sure that disgraced former leaders would be removed from leadership group pictures, and that the pictures of those who had in the meantime been rehabilitated would be reinserted. Anyone interested in Soviet history can see these manipulations by comparing, side by side, the same picture — say, of Stalin viewing the 1939 May Day parade at Red Square — in different editions of the official Soviet encyclopedia: From one edition to the other, the people standing on the Kremlin’s balcony next to Stalin change.

According to Neal Krawetz, a researcher and computer security consultant, it is much easier to detect such photographic manipulations today. Krawetz offered an interesting presentation the other day at the BlackHat security conference in Las Vegas about analyzing digital photographs and video images for alterations and enhancements. Using a program he wrote, and which was provided on the conference CD-ROM, Krawetz could print out the quantization tables in a JPEG file (which indicate how the image was compressed) and determine the last tool that created the image — that is, the make and model of the camera if the image is original or the version of Photoshop that was used to alter and re-save the image.
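The quantization-table check described above can be sketched in a few lines. This is an added example, not Krawetz's program: it reads the DQT segments of a JPEG and tests whether the luminance table is one the IJG libjpeg reference encoder would produce at some quality setting. The function names and the sample file are constructed for illustration.

```python
import struct

# Annex K luminance base table of the JPEG standard, in row-major order.
BASE_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99]
# ZIGZAG[k] = row-major index of the k-th coefficient as stored in a DQT segment.
ZIGZAG = sorted(range(64), key=lambda i: (i // 8 + i % 8, i // 8 if (i // 8 + i % 8) % 2 else i % 8))

def ijg_table(quality):
    """Scale the base table the way the IJG libjpeg reference encoder does."""
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [min(max((v * scale + 50) // 100, 1), 255) for v in BASE_LUMA]

def quantization_tables(jpeg):
    """Return {table_id: 64 values in row-major order} from a JPEG byte string."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    tables, pos = {}, 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("malformed segment at offset %d" % pos)
        if marker == 0xFFDA:  # start of scan: no more tables before image data
            break
        body, i = jpeg[pos + 4:pos + 2 + length], 0
        while marker == 0xFFDB and i < len(body):  # one segment may hold several tables
            precision, table_id = body[i] >> 4, body[i] & 0x0F
            size = 128 if precision else 64  # 16-bit or 8-bit entries
            raw = body[i + 1:i + 1 + size]
            if len(raw) != size:
                raise ValueError("truncated quantization table")
            natural = [0] * 64
            for k, v in enumerate(struct.unpack(">64H" if precision else "64B", raw)):
                natural[ZIGZAG[k]] = v  # undo the zigzag storage order
            tables[table_id] = natural
            i += 1 + size
        pos += 2 + length
    return tables

def match_ijg_quality(table):
    """Return the IJG quality whose scaled luminance table equals `table`, else None."""
    return next((q for q in range(1, 101) if ijg_table(q) == table), None)

def constructed_jpeg(quality):
    """Constructed sample: SOI, one DQT segment holding table 0, EOI (no image data)."""
    stored = bytes(ijg_table(quality)[ZIGZAG[k]] for k in range(64))
    return b"\xff\xd8\xff\xdb" + struct.pack(">H", 67) + b"\x00" + stored + b"\xff\xd9"
```

A result of `None` means the table did not come from IJG scaling of the standard base table, which is the cue to compare it with what the file's metadata claims produced the image.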

Why is all this important? Because by comparing that data to the metadata embedded in the image, he could determine whether the photo was original or had been re-saved or altered. Then, using error level analysis of an image, he could determine which parts of the image were the last to be added or modified. Error level analysis involves re-saving an image at a known error rate (say, 90 percent), then subtracting the re-saved image from the original image to see every pixel that changed and the degree to which it changed. The modified versions will indicate a different error level than the original image. Among the examples Krawetz used to demonstrate his new technique were images of al Qaeda: Krawetz took an image from a 2006 al Qaeda video of Ayman al-Zawahiri, a senior member of the terrorist organization. The image shows al-Zawahiri sitting in front of a desk and a banner with writing on it. After conducting his error analysis, Krawetz was able to determine that al-Zawahiri’s image was superimposed in front of the background — and was most likely videotaped in front of a black sheet. Krawetz was also able to determine that the writing on the banner behind al-Zawahiri’s head was added to the image afterward.

Even more interesting is the analysis he conducted on another 2006 video image of Azzam al-Amriki showing him in a white room with a desk, computer, and some books in the background. Error level analysis shows that the books in the lower right-hand corner of the image have a different error level than the items in the rest of the image, suggesting they were added later. In fact the books register the same error level as the subtitles and As-Sahab logo. Further analysis also shows that the books have a different color range than the rest of the image, indicating that they came from an alternate source. Krawetz was not able to determine what the books were but says if they were religious books, they might have simply been added to lend authority and reverence to the video. It is also possible, he says, that such details could be added to a picture to send a message in code to al Qaeda operatives.

If you are interested in Krawetz’s program, you may view the source code here. You may also view his BlackHat presentation here (PDF).