By: Pierluigi Paganini from Infosec Institute
Error Level Analysis is a forensic method to identify portions of an image with a different level of compression. The technique could be used to determine if a picture has been digitally modified. To better understand the techniques, it’s necessary to deepen the JPEG compression technique.
JPEG (Joint Photographic Experts Group) is a method of lossy compression for digital images. It’s a data encoding algorithm that compresses data by discarding (losing) some of it. The level of compression could be chosen as a reasonable compromise between picture size and image quality. A JPEG compression scale is usually 10:1.
The JPEG algorithm works on image grids, compressed independently, having a size of 8×8 pixels. The 8X8 dimension was chosen after numerous experiments with other sizes, any matrices of sizes greater than 8 X 8 are harder to be mathematically manipulated or not supported by hardware, meanwhile any matrices of sizes less than 8 X 8 don’t have enough information. They result in poor quality compressed images.
For images not digitally modified, all 8×8 grids should have a similar error level, resaving the picture. Each square should degrade at approximately the same rate, due to the introduction of an homogeneous amount of errors across the entire image. In a modified image, the altered grid should be at a higher error potential in respect to remaining part of the image.
Image manipulation and analysis
In August 2007, Dr. Neal Krawetz made an interesting presentation during the Black Hat conference titled “A Picture’s Worth.” It involved determing if a picture is real, or of a computer modification. Error Level Analysis (ELA) is one of the simpler methods presented by the researcher. In 2010, Pete Ringwood created the “errorlevelanalysis.com” website as a free service where people could submit photos and web pictures for analysis. The site was later closed. Hacker Factor has recreated the service “fotoforensics.com.” It’s free and allows any user to perform ELA analysis on their own photos.
The methods to analyze the images presented by Krawetz are:
- Observation
- Basic image enhancements
- Image format analysis
- Advanced image analysis
ELA Error Level Analysis is a very useful method to detect the manipulation of images belonging to an advanced image analysis. ELA works by re-saving the image at 95% compression, and evaluating the difference with the original. Modified areas are easily seen due their characteristic aspects in the ELA representation.
The main methods used for the picture analysis are based on the following clues:
- Shadows– Analyze the shadows related to different objects in the picture, evaluating them in relation to the direction of the light source.
- Eyes– Zoom in and compare against other eyes. (Dots/colors give light direction)
- EXIF– Evaluating of EXIF file dat,a including GPS position, time and RBG color profile changes.
- Reflections– Analyze that the reflection within the image is coherent.
Principal free tools are:
| Tool | Description | URL |
| FotoForensics | Photo ELA Error Level Analysis Image Tool | http://fotoforensics.com/ |
| Jeffrey’s Exif Viewer | Online EXIF data and GPS viewer analyzer | http://regex.info/exif.cgi |
| JPEGsnoop | Fake image detection via image signature analysis | http://sourceforge.net/projects/jpegsnoop/ |
| IEXIF 2 | Iexif is a professional Exif viewer in Windows | http://opanda.com/en/iexif/ |
Image compression – the mapper
Every computer image is composed of pixels made of three colors: red, green, and blue (RGB). The color value of a pixel is represented with a byte (0-255). The mapper (aka decoder) modifies the RGB color space to YCbCr color space, Y is the luminescence, Cb and Cr are the chrominance-blue and chrominance-red color portions. In YCbCr color space, most of the image data is available in Y component, Cb and Cr have color information.
Figure – YCbCr representation
The mapper splits the images into a sub-image grid of 8X8, while JPEG always encodes luminance with an 8×8 grid. The chrominance may be encoded using 8×8, 8×16, 16×8, or 16×16. For display, the JPEG mapper converts the image from YCbCr to RGB.
The principle behind ELA
Error Level Analysis evaluates the quality level for grids squared within the images. They present an increased degree of error during successive resave operations. The phenomenon is obvious if images aren’t optimized for a specified camera quality level. Subsequent resaves reduce the error level potential, producing a darker ELA. After a number of resaves, the grid square reaches its minimum error level.
The Image Error Level Analyzer
The Image Error Level Analyzer in an online tool that implements an ELA algorithm. By using it, it’s possible to rapidly discover image manipulation. The web tool is based on the Python Image Library and the libjpeg library (v6.2.0-822.2). The verification process consists of successive resaves of the image at a predefined quality. The resulting picture is compared with the original one.
If an image hasn’t been manipulated, all its parts have been saved the same number of times, images are composed by a portion of other sources, or have been simply been manipulated, will show different level of errors visible in the ELA representation with different colors.
The authors of the website also developed a Firefox plugin that enables users to analyze an image by simply right-clicking on any image on the internet.
With the ELA method, it’s possible to discover image modification by establishing a chronological order of changes of various parts of the image. The lighter parts have been edited most recently, the most opaque have been saved several times.
Although it accepts images of limited sizes, it also allows the submission of images up to 1224 pixels per side.
The test
The first step is the generation of an ELA image. Upload an image on http://fotoforensics.com, or simply provide its URL.
Figure – ELA web tool
After pressing the “Process” button, users are redirected to a page containing the original image and the ELA. Let’s start with the original image:
Figure – Original Image
Then modify it by introducing a stack of coins and changing the aspect of the toad:
Figure – Altered image
At this point, let’s submit the picture to the online service to generate the following ELA representation.
Figure – ELA image
The sections that are black correspond to the parts that usually aren’t manipulated. Solid white blocks usually represent the same. Solid colors present a good level of compression with minimal error levels, displayed as darker areas in the image. ELA highlights the altered portions of the image that represent higher ELA values, and a bright white color. Note that in the outline of objects in high frequency areas, they usually have higher ELA values than the rest of the image. In the following image, the text of the books stands out because the contrast creates a high frequency edge.
“In general, you should compare edges with edges and surfaces with surfaces. If all surfaces except one have similar ELA values, then the outlier should be suspect.”
| Image | ELA |
 |
 |
Another interesting example is provided by the Hacker Factor Blog (http://www.hackerfactor.com), this time an an allegedly winning lottery ticket is under analysis.
ELA shows that the image has been modified, the digit “4” has been inserted in the “04” and “46”, and both “23” values were altered.
| Image | ELA |
 |
 |
The tool could provide false-negative results when different portions of the image have been resaved the same number of times. In this case, all the areas present same degree of error.
There are some limitations to consider when conducting an ELA analysis. The technique operates on JPEG images based on a grid, changes to a portion of a grid to affect the entire grid square. That makes it impossible to identify the pixel modified. ELA can’t detect single pixel modification or minor color adjustment.
Scaling and recoloring the picture impacts the entire image, introducing a greater error level potential.
Another element of noise for ELA is represented by the presence of high contrast colors within the same grid, for example black and white colors, which generate high ELA values. This anomaly is attributable to the fact that JPEG uses the YUV color space representation.
Thanks to ELA analysis, it’s possible to discover if the image was the result of a conversion from another format. For example, if a non-JPEG image contains visible grid lines (1-pixel wide in 8×8 squares), it means the picture was originally a JPEG that was later converted to a non-JPEG format.
Another interesting case in ELA literature is that in an image converted from the PNG format to JPEG, ELA analysis produces very high levels of error in edges and textures. That appears as a prevalence of dark or black coloring. A conversion from JPEG to PNG is lossless, and will retain JPEG artifacts.
The rainbowing technique
Rainbowing indicates the visible separation between the luminance and chrominance channels, as blue,purple and red.
Rainbowing evaluation is possible because JPEG separates colors into luminance and chrominance channels. The luminance is the gray-scale intensity of the image, while the chrominance-red and chrominance-blue components identify the amount of coloring, independent of the full color’s intensity.
Picture modification with commercial tools such as Photoshop or Gimp can introduce distinct rainbowing pattern surfaces that have near-uniform coloring. High-quality camera photos may also include a rainbowing effect along uniformly colored surfaces.
Photoshop and other Adobe products introduce a large amount of rainbowing, different from other tools such as Microsoft Paint, that don’t do so.
Beware that the presence of rainbowing may only mean that an Adobe product, like Photoshop or Lightroom, was used to save the image. It may not represent proof of intentional image alteration.
A controversial case
During the last World Photo Awards, World Press Photo said that Paul Hansen’s photo of mourners in Gaza was “retouched with respect to both global and local color and tone,” despite that there was no evidence of manipulation. Experts using ELA analysis were able to demonstrate a meaningful rainbowing effect (faint red and blue patches) and the presence of a higher ELA value on edges and textures were probably caused by Photoshop’s unintentional auto-sharpening.
Figure – Original image
Figure – ELA
The rainbowing effect is clearly visible in various portions of the image, such as the sky, walls, and people. Another source of information is the metadata. Analyzing that makes it possible to evaluate the congruence of the light of the image.
In this specific case, the photo was taken in the morning in November in the northern hemisphere, when the sun should be low on the horizon. The strong shadows on the left building allowed an expert to draw lines that intersect in the general direction of the sun. The sun wasn’t quite low, but maybe the reported time was wrong, and the lighting on the people doesn’t match the sun’s position.
“The people should have dark shadows on their right sides (the left side of the photo), but their facial lighting does not match the available lighting.”
According to the experts who analyzed the photo, it’s likely that the photographer took a series of photos and combined a few pictures, altering some aspects of the image.
Conclusion
Despite that proper application can allow experts to easily discover image modification (including scaling, cropping and resave operations), ELA analysis depends on the quality of the image. Working on a picture resulting from numerous resave operations isn’t effective. If an image is resaved numerous times, then it may have a minimum error level, where more resaves don’t alter the image. ELA will return a black image, and no modifications may be detected.
The technique is very effective at discovering alterations introduced with tools like Photoshop or Gimp. By just saving a picture with these applications, users introduce a higher error level potential in the image.
The downside is that these tools could be the cause of unintentional modification. Considered in the analysis of any picture that ELA is just an algorithm to analyze the images. Despite that it’s very efficient under specific conditions, it’s suggested to integrate it with other forensics tools to provide valid results.
References
http://en.wikipedia.org/wiki/Joint_Photographic_Experts_Group
http://nboddula.blogspot.it/2013/05/image-compression-how-jpeg-works.html
http://www.hackerfactor.com/blog/index.php
http://www.hackerfactor.com/papers/bh-usa-07-krawetz-wp.pdf
http://techtalk.n3tlab.com/2012/04/photo-ela-error-level-analysis.html
https://sites.google.com/site/elsamuko/forensics/ela
http://www.errorlevelanalysis.com/
Author
Latest Articles
Blog2022.04.07Detecting Fake Images via Noise Analysis | Forensics Tutorial [FREE COURSE CONTENT]
Blog2022.03.02Windows File System | Windows Forensics Tutorial [FREE COURSE CONTENT]
Blog2021.08.17PowerShell in forensics - suitable cases [FREE COURSE CONTENT]
Open2021.05.20Photographic Evidence and Photographic Evidence Tampering
New Edition
