We focus almost exclusively on software that runs locally on Linux because of all the great software that is available. But in this post we’ll take a look at a couple of web-based resources for doing some pretty effective image forensics.
We test drove these sites using JPEG and PNG image files with content hidden inside. Our PNG test image had another image hidden inside using LSB steganography – using the least significant bits. We used two JPEG images with the same fairly large image hidden inside, one using the Matroschka program and the other using Steghide.
The online image forensics tool called Forensically is a full-featured site with a variety of tools for analyzing JPEG, GIF and PNG files by several different useful methods. The adjustments you can make are implemented using sliders and dropdowns which trigger events that re-render the image using the canvas element. This leads to a nice user experience as you can quickly try each little increment until you get the setting just where it gives the best result.
Here are some results using a PNG image with an embedded PNG data file encoded in the least significant bits. The program we used starts embedding in the top left and continues until the entire embed file is encoded, so the hidden data does not span the whole cover image, and we can see where it stops.
This example shows the result I got using the Error Level Analysis tool with Opacity set to about halfway (0.5) and fiddling about with the “Error Scale” setting. Notice the distinct separation we can see about halfway down the image. Using LSB3, just over half the capacity of the carrier image was used, and the data was not spread throughout the image.
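The cut-off described above can be measured as well as eyeballed. This added example (not code from the original post or from Forensically) applies the pairs-of-values chi-square test to bands of rows in a constructed grayscale image whose first 36 rows carry sequentially embedded LSB data. The image, seed, band size and threshold are assumptions, and it uses a single bit plane rather than the LSB3 setting mentioned in the post.

```python
import random

W, H, BAND = 128, 64, 4  # constructed image size and rows per analysis band

def make_cover():
    """Constructed grayscale cover: 16 value pairs, about 10% odd pixels."""
    return [[2 * ((x + 2 * y) % 16) + int((7 * x + 13 * y) % 10 == 0)
             for x in range(W)] for y in range(H)]

def embed_sequential(img, nbits, seed=1):
    """Overwrite LSBs row by row from the top-left with payload bits."""
    rng = random.Random(seed)  # stands in for compressed, random-looking data
    out = [row[:] for row in img]
    for i in range(nbits):
        y, x = divmod(i, W)
        out[y][x] = (out[y][x] & ~1) | rng.getrandbits(1)
    return out

def band_scores(img):
    """Mean pairs-of-values chi-square term for each band of BAND rows.

    LSB replacement equalises the counts of values 2k and 2k+1, so embedded
    bands score near 1 while untouched bands keep the cover's imbalance.
    """
    scores = []
    for top in range(0, H, BAND):
        hist = [0] * 256
        for row in img[top:top + BAND]:
            for v in row:
                hist[v] += 1
        terms = [(hist[k] - hist[k + 1]) ** 2 / (hist[k] + hist[k + 1])
                 for k in range(0, 256, 2) if hist[k] + hist[k + 1]]
        scores.append(sum(terms) / len(terms))
    return scores

def estimate_payload_rows(img, threshold=5.0):
    """Count leading rows whose bands look embedded (score below threshold)."""
    rows = 0
    for score in band_scores(img):
        if score >= threshold:
            break
        rows += BAND
    return rows

if __name__ == "__main__":
    cover = make_cover()
    stego = embed_sequential(cover, 36 * W)  # just over half of capacity
    print("clean:", estimate_payload_rows(cover))
    print("stego:", estimate_payload_rows(stego))
    print([round(s, 1) for s in band_scores(stego)])
```

Real photographs have noisier low bits than this constructed cover, so on real images the gap between embedded and untouched bands is smaller and the threshold needs tuning.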
There is a clone detection feature included as well, which looks for similar blocks of content within the image. This might indicate that the image was manipulated by cloning one section in order to paste over another.
Another handy forensics feature is the noise filter tool, which isolates the noise. This can point out parts of an image that may have been deformed/warped with Photoshop, or airbrushed.
Also included is a Level Sweep tool. I’m not sure how this works, but it should make the edges stand out more wherever blocks of pixels have been copied and pasted in the image. You might need to look pretty closely to see this effect.
Another great tool on the sidebar is the Luminance Gradient tool. This allows you to check for variances from side to side or vertically, as in this case. We quickly adjusted the settings until we got this image, which clearly shows there is something interesting here. Gradient analysis of the edges or perimeter can yield results too, according to the site documentation. The most useful purpose is actually not what we’re using it for here, but to look at the lighting gradients in photographs. For example, if the sun is on one side but part of the image is illuminated from the other, this probably indicates tampering.
This site bundles in some other miscellaneous tools as well for convenience, including displaying EXIF data and the result of running the *nix strings command. The headers of JPEG files are examined too – you never know what may be lurking in there right? All in all this is a very nice site that is free and fun to play around with. Kudos to Jonas Wagner who put together this fantastic resource.
FotoForensics, the other site we tried, blocks access from scripts, public VPN endpoints, Tor exit nodes, known proxies and whatever else they can, which sucks. People who act responsibly to protect themselves from threats to their security and privacy should not be compelled to abandon that behavior. This from a site that does not even use HTTPS and seems to be hostile to security.
So with that out of the way, let’s talk about why I chose to include FotoForensics in this post. Although it does not seem to cover as much ground as the Forensically site, it has worthwhile documentation. Error Level Analysis is explained wonderfully, with lots of images as examples and is well worth the effort if you can use your own OpenVPN server or proxy to get there.
Here is an example of using FotoForensics’ Error Level Analysis (ELA) tool to look for indications that an image might have embedded information. This technique is the site’s specialty, and we had no trouble determining that our image did indeed appear to contain embedded data, as you can hopefully tell from this lovely image.
So the takeaway here is to keep these online resources in mind for situations where they might come in handy. This is not as detailed an analysis as you might get using a dedicated software tool, it won’t look through directories full of image files, and it will certainly require follow-up work when evidence of embedded data is found.
The Forensically site is easy and fun to use, and is always available even when you’re away from your preferred environment. Websites offering image analysis tools are few and far between, so this was an easy post to write, but it underscores the need to review some common steganographic tools, including those for steganalysis, as soon as possible. Stay tuned for that!