When can a photo be trusted?

Fourandsix on TwitterFollow @Fourand6
« Forensic Analysis of Digital Audio: Echoes May Reveal An Edit | Main | FourMatch: A 15-year journey »

FourMatch in an Image Authentication Workflow

We’ve repeatedly emphasized that FourMatch represents only one technique in a larger image authentication and forensics workflow, but the discussions we’ve had with customers have made it clear that there’s value in going into more detail into exactly what FourMatch is good for, what it’s not good for, and how it fits into this larger workflow.

The biggest strength of FourMatch is its ability to provide compelling evidence that an image file has not been modified since it was first captured. However, FourMatch is not designed to tell you whether an image is untruthful. It merely tells you whether the photo remains in the pristine state it would be in coming direct from the camera. That means that many files that fail the FourMatch test may still be truthful images. Perhaps someone just cropped the image without altering the remaining photo content. Or perhaps someone just re-saved the photo using a higher degree of JPEG compression in order to make the file smaller to upload to the Internet. Both of these changes would cause the resulting file to fail the FourMatch test, even though the actual content of the file is still reliable.

Considering this relatively severe restriction on what can get a green light in FourMatch, what makes FourMatch so valuable within an image forensics workflow? Well, the use of FourMatch can really be approached in two different ways: as a standalone image authentication measure when you need to determine whether a photo can be trusted, or as a triage step when you’re deciding how closely an image needs to be examined.

Let’s start with considering FourMatch as a standalone authentication measure. Particularly within a legal setting, there are many times when people may need assurance that an image can be trusted, particularly given the ease with which images can be manipulated with modern software. One way you can provide that assurance is with effective chain of evidence procedures that allow you to document exactly what has happened with an image from the time it was captured until the time it is being presented to the viewer. In addition, camera manufacturers like Canon and Nikon offer “data verification kits” for some of their cameras that rely on storing a special key in the image file at the time of capture, and then verifying that same key can be regenerated from later copies of the file down the line. (Proving that nothing is “unhackable,” a hack for these data verification kits was revealed a few years ago, but in most cases that still doesn’t eliminate their value in providing evidence that an image is unaltered.)

What these other methods have in common, however, is that they require foresight and planning.  If you recover a photo from a suspect’s computer, you can certainly maintain a chain of evidence from the time you seized the computer, but there’s no way to tell what happened to the file before that time. Likewise, it’s a safe bet that the suspect would not have taken any photos with one of the few cameras that support the data verification kit and also have chosen to store the special key in the files.

With FourMatch, however, you have the potential to authenticate any image, regardless of how sloppy the user’s file management may have been. It is true that some truthful files will slip by without being authenticated by FourMatch, but it is also true that sometimes you may need only one verifiable file to make your case. FourMatch provides a means of establishing trust in a file that otherwise might be too easily questioned. Moreover, FourMatch can also supplement effective chain of evidence procedures, by providing an additional piece of evidence to reassure a jury.

Sometimes, though, you’re less concerned with validating just one specific photo, and more concerned with dealing with volumes of images and deciding where to spend your energy. This is where FourMatch as a triage tool becomes important. It’s also where FourMatch becomes more relevant outside the legal realm. Let’s say that you’re an insurance company accepting hundreds of photos documenting insurance claims every day, or perhaps you’re a news organization accepting photos from citizen journalists. You know that there is the risk that some of these photos could be faked, but you can’t quite justify spending significant time scrutinizing each one of them for signs of tampering. In this scenario, FourMatch can help you to quickly eliminate a portion of your files from suspicion, so that you can spend your limited time where it’s needed most.

Because FourMatch provides a verdict in just a few seconds without the need to click any buttons, you can analyze a large volume of images in a short amount of time. If a file gets the green light in FourMatch, then you can be confident that file remains in a pristine state, and doesn’t require further scrutiny. Depending on your needs, you may also be able to eliminate a certain portion of the “failing” images from scrutiny, based on the insights provided in the Details section of the FourMatch panel.

When you’re finished with your triage process in FourMatch, you’ll find that you’ve significantly narrowed your workload and focused your efforts on just those images that need further scrutiny. If you haven’t implemented any submission controls for people submitting photos—i.e. you don’t explicitly require them to submit unaltered originals from their camera—then, even after this triage step, you might still have a large number of images to analyze further. Though some files will be unaltered camera originals, it won’t be uncommon for some people to resave their images or otherwise alter the signature. If, however, you’re willing to implement some submission requirements, then you should find that only a very small percentage of images fail the FourMatch test. You now know exactly how to focus your efforts, by performing initial analyses on these few files, and probably also by contacting the submitters to remind them that they must submit their camera original.

As with any new product, we expect that customers may find uses for FourMatch that even we didn’t initially envision. At a high level, though, it’s clear that FourMatch offers value as a means of establishing trust in photos in a legal setting, and as a quick and effective triage step that helps you to know which photos require deeper scrutiny.

PrintView Printer Friendly Version

Reader Comments (1)

I am curious,

Can this be applied just as easily to digital film? As a series of images if you, but not necessarily in jpeg format?

[FourMatch analysis is limited to JPEG files, because the analysis itself is based specifically on some of the unique characteristics of the JPEG format. - Kevin]

October 9, 2012 | Unregistered CommenterGam

PostPost a New Comment

Enter your information below to add a new comment.
Author Email (optional):
Author URL (optional):
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>