Monday, April 30, 2012

Hex Searching

One of the interesting aspects of having a blog is that some people will write to you asking about something related that they read elsewhere on the web. While I am generally friendly and prompt in my replies to questions that come from this blog, I'm often left wondering ... why didn't you just ask them?

Here's an example.

California is going nuts with image authentication issues related to law enforcement's use of images from Facebook. Last year, Scott Anderson wrote an outstanding overview of image authentication techniques as his Masters thesis at UC Denver's National Center for Media Forensics.

The reader wants to know about "practical applications" of Scott's thesis as regards law enforcement. My response: he couldn't be more clear. The question had to do with searching hex data for signs that an image had been "Photoshopped."

First, I reminded the reader of Scott's admonition that there is no one "right way" to authenticate images. There are many right ways, some will work better than others. Also, there should be a specific allegation of forgery that can be tested against.

I asked the reader to perform a simple test. Take a picture with your camera phone. Upload it directly to your Facebook account. Log in to Facebook and click on the picture. On the Options tab, click download. You will now have two versions of the picture - the one on your phone and the one downloaded from Facebook. Examine both with a hex editor. Use the find feature and search for terms like Photoshop, Picasa, and so forth. (Scott offers sample search terms in the back of his paper)

Now, open one of the pictures in Photoshop. Do something to it and save it. Open the hex editor again and search for the word Photoshop. What did you find?

In my test, I found multiple instances of the word ... usually following whatever was done by Photoshop.

If you're not familiar with Scott Anderson's thesis, take a minute and read it (well, more than a minute ...). It's a great example of the wonderful work being done in Denver.


No comments: