Neal Krawetz, a researcher and computer security consultant, gave an interesting presentation today at the BlackHat security conference in Las Vegas about analyzing digital photographs and video images for alterations and enhancements.Using a program he wrote (and provided on the conference CD-ROM) Krawetz could print out the quantization tables in a JPEG file (that indicate how the image was compressed) and determine the last tool that created the image -- that is, the make and model of the camera if the image is original or the version of Photoshop that was used to alter and re-save the image.
Comparing that data to the metadata embedded in the image he could determine if the photo was original or had been re-saved or altered. Then, using error level analysis of an image he could determine what were the last parts of an image that were added or modified.
Error level analysis involves re-saving an image at a known error rate (90%, for example), then subtracting the re-saved image from the original image to see every pixel that changed and the degree to which it changed. The modified versions will indicate a different error level than the original image.
You can see the difference in the two pictures (right) of a bookshelf. Krawetz added some books and a toy dinosaur to the original image -- both of which show up clearly in the second picture after he's completed the error level analysis.
But more interesting were the examples Krawetz gave of al Qaeda images. Krawetz took an image from a 2006 al Qaeda video of Ayman al-Zawahiri (above right), a senior member of the terrorist organization. The image shows al-Zawahiri sitting in front of a desk and banner with writing on it. But after conducting his error analysis Krawetz was able to determine that al-Zawahiri's image was superimposed in front of the background -- and was most likely videotaped in front of a black sheet.
Krawetz was also able to determine that the writing on the banner behind al-Zawahiri's head was added to the image afterward. In the second picture above showing the results of the error level analysis, the light clusters on the image indicate areas of the image that were added or changed. The subtitles and logos in the upper right and lower left corners (IntelCenter is an organization that monitors terrorist activity and As-Sahab is the video production branch of al Qaeda) were all added at the same time, while the banner writing was added at a different time, likely around the same time that al-Zawahiri was added, Krawetz says.
Even more interesting is the analysis he conducted on another 2006 video image of Azzam al-Amriki showing him in a white room with a desk, computer and some books in the background. Error level analysis shows that the books in the lower right-hand corner of the image have a different error level than the items in the rest of the image, suggesting they were added later. In fact the books register the same error level as the subtitles and As-Sahab logo.
Further analysis also shows that the books have a different color range than the rest of the image, indicating that they came from an alternate source. Krawetz wasn't able to determine what the books were but says if they were religious books, they might have simply been added to lend authority and reverence to the video. It's also possible, he says, that such details could be added to a picture to send a message in code to al Qaeda operatives.