Friday, 11 September 2009

Experiment 10 on Analysing a Fake Image under Ubuntu

This experiment, performed in December 2008, was part of a set of experiments for class assignments that looked for similarities in forensic analysis between Ubuntu and Windows XP.

EXIF, which stands for Exchangeable Image File Format, is an image file format specification that adds metadata tags to the JPEG, TIFF Rev. 6.0 and RIFF WAV file formats. These metadata tags cover date and time information, camera settings, a picture thumbnail, and description and copyright information.

This EXIF metadata is important because it is often used to judge whether an image is original. A jpg file can be manipulated with a picture editor such as Adobe Photoshop, but doing so also changes the Exif metadata: the X and Y resolution, the time stamps, the picture editor software tag and so on. Recovering the Exif information from a jpg file is therefore a technique forensic investigators often use when dealing with a suspected fake picture.

For this experiment, 2 jpg files were analysed to obtain their Exif metadata with the exiftool command under Ubuntu 8.10: an original jpg file and a fake jpg file. The fake jpg file was produced by manipulating the original jpg file.

Under Ubuntu 8.10, exiftool was run from the command console on the first jpg file, and it gave the EXIF information shown in figure 1:

File Modification Date/Time: 2008:02:16 08:46:38
X Resolution: 72
Y Resolution: 72
Resolution Unit: inches
Exif Version: 0210
Thumbnail Offset: 274
Thumbnail Length: 2185
Encoding Process: Baseline DCT, Huffman coding
Image Size: 640 x 480

Figure 1
exiftool gives EXIF information such as File Modification Date/Time, X Resolution, Y Resolution, Exif Version and so on.

This EXIF information is then analysed and compared with the EXIF information of the second jpg file in order to decide which picture file is the original. For the second jpg file, exiftool displays the EXIF information shown in figure 2:

File Modification Date/Time: 2008:02:16 09:36:46
X Resolution: 524
Y Resolution: 524
Resolution Unit: inches
Software: Adobe Photoshop 7.0
Exif Version: 0210
Thumbnail Offset: 372
Thumbnail Length: 3825
Encoding Process: Baseline DCT, Huffman coding
Image Size: 320 x 238

Figure 2
exiftool displays the EXIF information of the fake jpg file, containing Software, RGB Tone Reproduction Curve and so on.

By analysing the EXIF information of both files above, forensic investigators can conclude that the second jpg picture is the fake: its EXIF information carries a Software tag naming Adobe Photoshop, the application used to manipulate the picture, together with RGB Tone Reproduction Curve information and so on. There are also differences in File Modification Date/Time, X Resolution, Y Resolution, Thumbnail Offset, Thumbnail Length and Image Size between the original and the fake.
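The same comparison can be scripted. The block below is an added example, not code from the original post: it walks the JPEG marker segments, decodes the APP1 Exif block (TIFF header, IFD0 entries, ASCII and RATIONAL values) and flags the differences the post keys on. The two images are constructed in memory and carry only the XResolution and Software tags; the values 72, 524 and "Adobe Photoshop 7.0" are taken from the figures above, and the tag ids are the standard TIFF/Exif ones.

```python
import struct
TAGS = {0x011A: "XResolution", 0x011B: "YResolution", 0x0131: "Software", 0x0132: "DateTime"}  # TIFF/Exif tag ids

def parse_exif(jpeg):
    """Walk the JPEG marker segments up to start-of-scan, decode IFD0 of the APP1 Exif block."""
    pos = 2                                             # skip the SOI marker ff d8
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]           # seglen counts its own two bytes
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(body[6:])
        pos += 2 + seglen
    return {}

def _parse_ifd0(tiff):
    endian = "<" if tiff[:2] == b"II" else ">"          # byte-order mark: II little, MM big
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count, out = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0], {}
    for i in range(count):
        e = ifd0 + 2 + 12 * i                           # each IFD entry is 12 bytes
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[e:e + 12])
        if tag not in TAGS:
            continue
        off = struct.unpack(endian + "I", raw)[0]       # offset of the value when it exceeds 4 bytes
        if typ == 2:                                    # ASCII, NUL terminated, inline if n <= 4
            start = off if n > 4 else e + 8
            out[TAGS[tag]] = tiff[start:start + n].rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 5:                                  # RATIONAL: two uint32, numerator/denominator
            num, den = struct.unpack(endian + "II", tiff[off:off + 8])
            out[TAGS[tag]] = num / den if den else None
    return out

def build_exif_jpeg(xres, software=None):
    """Constructed sample, not a real camera file: SOI, one APP1 Exif segment, EOI, no pixel data."""
    sw = software.encode("ascii") + b"\x00" if software else b""
    n = 2 if software else 1
    data_off = 8 + 2 + 12 * n + 4                       # first byte after the IFD0 block
    ifd = struct.pack("<H", n) + struct.pack("<HHII", 0x011A, 5, 1, data_off)
    if software:
        ifd += struct.pack("<HHII", 0x0131, 2, len(sw), data_off + 8)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + struct.pack("<II", xres, 1) + sw
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def editing_indicators(original, suspect):
    """What the post's comparison keys on: a Software tag that appears, and values that moved."""
    flags = ["Software tag added: " + suspect["Software"]] if "Software" in suspect and "Software" not in original else []
    return flags + [f"{k} changed: {original[k]} -> {suspect[k]}" for k in TAGS.values()
                    if k in original and k in suspect and original[k] != suspect[k]]
```

Running `editing_indicators(parse_exif(build_exif_jpeg(72)), parse_exif(build_exif_jpeg(524, "Adobe Photoshop 7.0")))` reports the added Software tag and the resolution change; on a real file, pass the bytes read from disk to `parse_exif` instead.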

Another way to check whether an image is original is pixel analysis. This technique zooms into the image, up to thousands of times, to examine the arrangement of the pixels: if the arrangement is normal, the image is original; otherwise it is fake. This technique will be discussed in the next post.

1 comment:

  1. nice post, thanks
    with those 2 images do you think it would be possible to know if they came from the same computer?