Return to Digital Photography Articles

JPEGsnoop - Identifying Edited Photos

Details regarding the use of JPEGsnoop to detect edited photos

Return to JPEGsnoop Main Page

Ever wondered if that UFO photo or sasquatch sighting is a fake? ... or if that camera manufacturer's sample images have been touched up?

Simply open an image in JPEGsnoop and scroll down to the section titled, *** Searching Compression Signatures ***. This option can be enabled/disabled with the Signature Search item in the Options menu.

The utility will compare the compression characteristics of the photo against an internal database of thousands of camera "signatures" to locate a match. If a match is found, the matching digital camera or editor is shown. If the signature matches a photo editor (such as Photoshop), then there is a good chance that the photo has been edited (i.e. not original!).

The assessment line indicates one of four possible outcomes:

Class 1 - Image is processed/edited
Class 2 - Image has high probability of being processed/edited
Class 3 - Image has high probability of being original -- NOTE: Please see description below!
Class 4 - Uncertain if processed or original

Image is Authenticated as very likely original

What is "Original"? How confident can we be?

It is virtually impossible for any software to ever guarantee with absolute certainty that a file or image has not been modified in some way. Even files that have an integrated cryptographic hash (eg. SHA-1 or MD5) could theoretically be altered to give a false positive integrity check, albeit unlikely. Apart from the use of cameras providing tightly-integrated authentication features (such as the Canon 1Ds / 1D mk II with the Data Verification Kit DVK-E1 / DVK-E2), it becomes a formidable task to prove that an image is guaranteed to be in its original, unaltered state. It is a much easier task to prove with certainty that an image has been processed / edited (ie. not original).

JPEGsnoop can be used with reasonable confidence in identifying "processed" images, but what can we draw from the tool's assessment that an "Image has a high probability of being original"? ... only that the JPEG compression "signatures" and certain metadata elements match those expected from the indicated camera model(s). Note that the "Image is Original" assessment has been updated in the latest JPEGsnoop versions to make this distinction clearer.

Is this sufficient information to prove that an image is "original"? In a word, no.

It would take a very specialized set of tools to create a false positive "original" from an altered image. It is possible, and I have proven this in my own development. However, in most circumstances, it is highly unlikely that a set of JPEG analysis tools have been used to produce such a fabrication. Even if the compression signatures and metadata were altered carefully to match, there is an array of advanced image content analysis techniques (eg. statistical noise analysis, etc.) that could then be applied to further identify possible alterations.

In-Camera Editing

More interesting perhaps, is that some new digicams allow for a limited set of in-camera editing facilities. These digital cameras may allow for an externally edited photo to be brought back into the camera for resaving (via the editing functions). This mechanism may indeed enable an image to present all of the hallmarks of an "original" image (matching metadata and quantization tables), but bare no relationship to the original captured image.

Conclusions

Therefore, while JPEGsnoop cannot absolutely guarantee an image's authenticity, it can be used to indicate with reasonable probability that an image has not been modified. If authenticity must be "proven", further analysis methods would be required. On the other hand, disproving an image's authenticity is accomplished quite easily (provided that the original image camera's signatures have been captured in the database)

Images that are not "Original"

You would be surprised at how many images on the web are apparently original, but are quickly revealed as being edited / post-processed. For example, even some of the "Sample Images" on Canon's official website have been edited in Photoshop, using Save As quality 10. The following is one such example. In this example, Canon may have simply enhanced the sharpness or increased the saturation, but one could easily see how it could be misused.

Canon's Sample Image example was edited!

Compression Signatures

Matching IJG Library Signatures

In some cases, JPEGsnoop may determine that the image's signature matches the digital fingerprint characteristic of IJG's compression quality scale. This scale is based on a formula that generates DQT tables based on a quality value from 1-100. The majority of image editors that provide a quality scale across this range use the same formula to generate their compression tables.

Once JPEGsnoop has determined a match, it will list out several known editors that use this particular scale, as they are all candidates and can produce the same signature.

Submit your own Compression Fingerprint / Signature!

While the built-in database includes thousands of signatures, not all digital cameras or software editors have been analyzed. If JPEGsnoop does not recognize the digicam or software editor, you have an opportunity to submit the compression signature to the JPEGsnoop database (stored on your computer and in the shared database).

If you know the origin of a file (i.e. you took a file direct from your digital camera, or the file is direct from saving within a photo editor / image processing program), then you are invited to submit the compression signature with the Add Camera/SW to DB... command. A dialog box will display the calculated compression signature unique to that file, along with a request for some additional details:

What is the source of the file? Was it direct from your digital camera or has the file been processed / edited?
The name of the software (e.g. Adobe Photoshop), if the file has been processed (i.e. no longer original).
The image quality setting. In this field, you are requested to enter the quality setting (if you happen to know it). Digicams generally provide the user with a selection of up to three image quality modes (e.g. superfine, fine, normal). Similarly, if you have edited / processed a file with software, you are often given the choice of JPEG quality (e.g. high, medium, low, 70, etc.).

When submitting the compression signature to the database, no identifying information or image content is captured -- only the compression signature (a long series of digits) and setting info.

Local User Database

When you add a camera / editor to your database, it is included in all future searches for compression signatures when processing photos. If you want to modify or clear this list (for example, if you entered information that was invalid), then you can use the Manage User DB option.

JPEGsnoop stores the local user database (and configuration options) in the following location:
<Profile Drive>/Documents and Settings/<User Name>/Application Data/JPEGsnoop/

In Windows 95/98 (or in operating systems where the User Profiles haven't been configured), the data file is stored in the same directory as the executable.

Reader's Comments:

Please leave your comments or suggestions below!

2010-02-27	vajira
	Thank you so much for creating such an invaluable site and giving us the opportunity to get what we want. In fact I have been searching a methodology to idnetify fake images and I got to know about the JPEGSNOOP because of your page . Thank ever so much. I wish you good luck in everything you do and successfull future .
	Thanks!
2010-02-26	Machiavelli
	Your software is great. It has found 3 images to be of Class 1. These images are of a controversial world record. Would you mind taking a quick look at them for further insight (via email)? Thanks.
2010-01-25	dp
	the question "is the photo digital?" means: if i have a printed photo and I scan it with a scanner (not with a camera) the Compression Signature can match the signature of a camera anyway?
	No -- the compression signature will in fact match that of the scanner software instead.
2010-01-22	dp
	what does it mean the column "Subsamp Match?" if i have a list of cameras and software under Searching Compression Signature, does it mean that the photo has been taken/edited with any of these cameras/software? can i exclude others cameras/software? is there a way to detect if a photo is a digital photo or it is a scanned photo (from a print or a film)? if i have some cameras under Searching Compression Signature, does it mean that the photo is certainly digital? thanks
	The "subsamp match" column indicates that the type of chroma subsampling used in the image matches the type associated with the signature entry in the database. In general, the subsampling should match for the signature to be a reliable match. The list of cameras and software under the signature search are all ones that have the same signature as the one identified in the image. It means that those other cameras and software tools could have also produced images with the same signature, not that someone used multiple cameras or software programs to produce the image. However, with regards to your question: "is the photo digital"... By this I think you mean that someone took a photo with a digital camera of a scene versus taking a photo with a digital camera of a printed/film photo. One cannot tell this by the signatures alone.
2010-01-15	KEN
	I received a picture as an e-mail attachment which has some parts of it deliberately blocked out, is there any way of unblocking or decoding this block so I can see the whole image?
	I'm going to assume that the attachment was an image. Normally you won't be able to recover the blocked out regions. However, if the original image was a digital photo that was later edited, it is possible that the embedded thumbnail still reveals the original image (but at a smaller resolution). Therefore, within JPEGsnoop, you might try the "Search Forward" command to see if that is the case.
2010-01-01	Jane
	If a photo is coming up Class 1 does that mean it was photoshopped or that is may just not be the original and its a copy.
	This usually means that the image has been saved within an editor (such as Photoshop) and not simply a file copy. Whether anything was altered prior to the resaving is not determined.
2009-11-20	Dave
	Hi i was wondering if i can pause a video then do a screen shot would that still be able to tell if a video of that time frame has been edited?
	No, not with this type of technique. The act of taking a screen shot causes JPEG recompression to take place.

2009-10-19	john
	If received a pic that has a class 1 that means it is a fake. a couple software programs came up when i used your program. paint photoshop etc. can u please tell me if i am right.
	The list of programs that you see does not mean that someone used all of them to create the photo. It is simply telling you that the image has a signature that matches the signatures created by those programs. In other words, any one of those programs might have performed the last edit to the image (or another whose signature is not in the database yet). We can't tell if multiple programs have been used to produce an image, only what the last program to touch the image might have been.
2009-10-17	james
	i ran a non edited photo through it and it said it was edited, which was not true
	The process of identifying originality is not guaranteed as there is the potential for false positives -- after all, we're dealing with digital data that can be modified at will, without any form of cryptographic authentication. The scenarios that are most likely to trigger this are: a) RAW converted files (JPEGsnoop picks up on the conversion), b) files from very old digicams that don't use the makernote field. If you can email me a copy of this image, I can provide more insight into the result or refine upcoming releases of the software. Thanks!
2009-10-14	shane
	Is there a way to back out the editing.. or to tell what exactly was edited ?
	Once a photo has been edited and resaved as a basic JPEG file (versus other file formats that provide layers and non-destructive editing), there is no way to undo the editing that has been performed. While JPEGsnoop can't localize the changed regions (it is more appropriate for an all-or-nothing indication), there are some other statistical analysis methods that can be used to highlight possible regions of edits (eg. error level analysis, etc.)
2009-09-22	marcos
	excelente para los que deseamos aprender mas de la edician de imagenes Felicidades!
2009-07-21	John
	I entered a signature from one of a series of photos I took. Only the photo that I entered the signature shows a status 3. Does each photo have to be entered into the local database?
	Hi John -- No, you should only need to add the signature one time for each quality setting (normal, fine, superfine, etc.) that you intend to use on that camera model.
2009-07-08	ARTGAS
	great software~~~ Any version for MAC??
	Thanks! At the present time JPEGsnoop is only available for Windows. However, people have reported that it works fine using "wine" on LINUX / Mac.
2009-06-30	Francisco
	Hi, if a photo is edited to make something in the image disappear, or in the case of ufo photo, insert the ufo into the photo, can I know exactly where in the photo were the alterations made?
	JPEGsnoop does not currently offer any methods to localize an image edit. However, there are several techniques available that can help determine where an image may have been modified: objective/statistical methods such as error level analysis, double-compression, replication detection, etc. and subjective methods such as lighting / highlight analysis, etc. I have plans to explore some of the objective methods in future releases of JPEGsnoop.
2009-06-29	zobi8225
	Realy interessing. Thanks for your soft.
2009-04-24	Romel
	Hi, First of all I would like to thanks the creator of this wonderful software. Its works fantastic but I have found one thing that is different result comes in the same picture if you download it from internet and upload from your camera. I have taken one pic using my mobile and JPGsnoop can find all the info , like camera name, model, originality etc etc but the same picture I upload to my facebook album then download again to my pc from website and this time JPGsnoop saying its Class 1 - Image is processed/edited. Also unable to get other information as well. Why is that? Apart from above case I would like to know one more thing -- does any one know what does this mean by CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 85 does it mean the pic is edited by using some software like adobe Photoshop or something else? If you know the exact software name plz let me know. Best regards Romel
	Hi Romel -- When photos are uploaded to photo sharing sites (such as flickr, Facebook, and most others), the photo album software on the web generally recompresses the images. The recompression is usually done to resize in dimensions and quality the large files (eg. from 3 MB to 200 KB). So, what you are seeing are actually "edited" photos in that they have been altered from the original by the website itself. This recompression process generally also removes the metadata in the image (the data that describes the camera info, and other details). gd-jpeg is one of the more common JPEG compression libraries / software used by websites.

Leave a comment or suggestion for this page:
Name:
Email:	(Never Shown - Optional)
Comments: