CASE EXAMPLES
Intelligence and Counterterrorism
Situation
During a terrorist attack to a country’s embassy, one staff member is severely injured and kidnapped. A few weeks later an email is sent to the embassy claiming that a terrorist group is responsible for the attack and says the staff member is still alive and imprisoned. They attach a bitmap (.bmp) picture showing the person holding a newspaper dated the same day of the email. It is crucial to authenticate the attached image to evaluate chances that the staff member is currently alive.
Workflow
The image is scrutinized with Amped Authenticate. As expected, the bitmap picture does not have metadata providing indications about the camera model, acquisition date and place, etc.: conversion to bitmap is indeed in a frequently employed redaction method. However, filters in the Global Analysis category reveal that the image has traces of two previous JPEG compressions. These facts provide strong confidence against the integrity of the image, since camera original images are rarely in bitmap format, and do not show traces of double compression. Global Analysis also shows that the image contains the “JPEG Dimples” artifact (an imperceptible defect introduced throughout the image by many camera models). The JPEG Dimples Map filter is thus used to conduct a fine-grained forgery localization analysis, which reveals that the artifact is consistently present everywhere, including in the subject’s body, but it is missing in the region containing the newspaper. The Correlation Map also reveals strong local correlation in the newspaper region, which is possibly a consequence of scaling/rotation applied to the newspaper to fit into the subject’s hands.
Conclusion
The image is marked as non-authentic, but still conveys important information. Indeed, traces of modifications were found on the newspaper, while the region depicting the subject seems to be authentic, as supported by local presence of the JPEG Dimples artifact. This fact may suggest that the staff member was indeed kidnapped by the group and photographed by them but is no longer alive.
CSE Material
Situation
Following a search in the home of a suspect, police seize several memory drives containing child abuse images, together with two smartphones, one compact camera and one reflex camera. When the seized computer is investigated, it is revealed that the suspect regularly browses and downloads illicit child related content. It is of interest to the prosecutor to understand whether the suspect also produced some of the illicit material, besides downloading it.
Workflow
In less than an hour, sample images are taken with the seized smartphones and cameras, and Amped Authenticate generates a Camera Reference Pattern (CRP) for each device. Before investigating the illicit images, the user disables Authenticate’s caching system, so that evidence images are not stored into their analysis workstation cache folder. All the evidence images are then tested against the available CRPs to search for possible matches, revealing that several images have a strong compatibility with the reflex camera. Thankfully, there is no need to watch the content of images, since computation of the matching score is done by Authenticate in batch without even showing the images to the user.
Conclusion
The prosecutor is now able to charge the suspect with creation of child abuse material, making his case stronger.
BATCH DOCUMENT EXAMINATION
Situation
The inspector of a government agency has to monitor hundreds of submitted ID document pictures per day, so as to prevent forged pictures from being accepted. Manual examination of each file rapidly becomes unfeasible, while checking a few selected cases would be acceptable.
Workflow
Authenticate's Smart Report is used to make a fast, fully automatic screening of images. After that, the inspector only has to review the results table: images that were marked as being "likely camera original" are accepted, while those signaled as potentially manipulated are selected for deeper inspection. For these images, the inspector uses Batch Processing to run more filters in the background and dedicates his time to other tasks, then comes back once all results are ready to be reviewed.
Conclusion
Some of the examined cases turn out to be false positives, while some others reveal evident traces of manipulation. The users who submitted manipulated images are identified and prosecuted, thus inherently reducing the future number of submitted fake documents as a side effect.
JOURNALISM/PROPAGANDA
Situation
The editorial staff of a newspaper receives from an anonymous source, a compromising picture of an important political figure. If published, the image would have dramatic consequences. However, the newspaper would face serious consequences if the image proves to be a hoax.
Workflow
The image is first scrutinized using File Format, and no warning appears. Searching the image on the web does not reveal any picture of similar content already published. Since information about camera make and model are available in the Exif metadata, Authenticate is able to find and download from the web, hundreds of images captured by the same camera model. After a batch file format comparison, every detail of the investigated image seems well compatible with reference material, including JPEG Quantization Tables, which are also confirmed to match the declared camera model by Authenticate’s database. Filters in the Global Analysis category do not show any trace of recompression or resampling. JPEG Dimples are present, as expected for that specific camera model. Filters in the Local Analysis category do not reveal any suspicious region. Moreover, the JPEG Dimples Map filter detects presence of JPEG Dimples throughout the image, suggesting that no region has been tampered with.
Conclusion
Before the end of the day, the editorial team decides to publish the image. The decision remains courageous, but thanks to Amped Authenticate it is not a blind decision.
Car Insurance Fraud
Situation
Every week, an insurance company receives thousands of damaged car images from its affiliated insurance experts spread around the territory. The company suspects that some of the experts are teaming up with customers to send fake images to the company, so they can ask for refunds.
Workflow
Due to the massive amount of data, analyzing one image at a time would take too long. The company decides to use Amped Authenticate’s Smart Report tool, which scans all images in batch and separates images whose metadata and coding properties are compatible with native camera images from those images with problematic metadata and/or possible traces of local forgeries. The number of images to be investigated is now reduced by a factor of 95%, making single-image investigation feasible. Some of the images indeed contain traces of splicing; in particular, in several cases, damaged parts of the car are copied, scaled, rotated and pasted again into the same image to increase the extent of the damage. Some of the examined cases turn out to be false positives, while some others reveal evident traces of manipulation. The users who submitted manipulated images are identified and prosecuted, thus inherently reducing the future number of submitted fake documents as a side effect.
Conclusion
The company is able to sue the affiliated expert for fraud, and ask for the funds to be returned.